Although REvil and some of the other most notorious ransomware gangs were shut down this year, the cybercriminals behind them have continued to grow and succeed with new cross-platform capabilities, updated business processes and more.
Over the past few years, ransomware operations have grown from clandestine, hobbyist beginnings into full-fledged businesses with distinctive brands and styles that compete on the dark web. To raise awareness ahead of Anti-Ransomware Day, cybersecurity firm Kaspersky has released a new report highlighting some of the new ransomware trends spotted so far this year.
The first trend to note is the extensive use of cross-platform capabilities by ransomware groups that allow them to damage as many systems as possible using the same malware by writing code that can be run on multiple systems at once. Conti has been one of the most active groups this year and has developed a variant of its ransomware that can be distributed through certain affiliates and targets devices running Linux distributions as well as Windows machines.
At the same time, ransomware groups continued their activities to facilitate their business processes. These activities include rebranding to distract law enforcement as well as updating exfiltration tools. Meanwhile, some groups have developed and implemented their own custom, comprehensive toolkits that resemble those offered by legitimate software vendors. The Lockbit ransomware group stands out for this because the organization provides regular updates for its toolkits and often applies fixes to its infrastructure.
To take part
Since the Russian invasion of neighboring Ukraine began on February 24, it has led to companies, governments and individuals taking sides in the conflict.
According to Kaspersky, this was also the case on cybercrime forums and with ransomware groups that began to take sides. As a result, there were a number of politically motivated attacks in the first quarter of this year that cybercriminals carried out either in support of Russia or Ukraine.
One of the new strains of malware discovered during the conflict is called Freeud and was developed by supporters of Ukraine. Instead of encrypting its targets’ systems, Freud offers a wipe feature and if a target contains items from a list of files, the malware erases them from the victim’s system.
A Senior Security Researcher with Kaspersky’s Global Research and Analytics team, Dmitry Galov provided additional insight into the company’s New Ransomware Trends in 2022 report in a press release, saying:
“If last year we said ransomware was booming, this year it’s booming. Although major ransomware groups over the past year have been forced out of business, new players have emerged with never-before-seen techniques. However, as ransomware threats evolve and expand, both technologically and geographically, they become more predictable, helping us better detect and defend against them.”