
Flexible, industrialized and political: ransomware gangs take on a new face in 2022

May 11, 2022

Woburn, MA – May 11, 2022 – In advance of Anti-Ransomware Day, Kaspersky has released a report spotlighting new ransomware trends spotted so far in 2022. Overall, ransomware gangs have continued to develop and succeed, despite shutdowns of some of the most notorious gangs, exhibiting new cross-platform capabilities, updated business processes and more.

Ransomware operations have come a long way – from clandestine and amateur beginnings to fully-fledged businesses with distinctive brands and styles that rival each other on the dark web. They find unusual ways to attack their victims or resort to newsjacking to make their attacks more relevant.

The first trend of note is the prolific use of cross-platform capabilities by ransomware groups. Gangs are aiming to damage as many systems as possible with the same malware by writing code that can be executed on several operating systems at once. Conti, one of the most active ransomware groups, has developed a variant that is distributed through selected affiliates and targets Linux. During late 2021, cross-platform programming languages, Rust and Golang, became more widespread. BlackCat, a self-proclaimed “next-generation” malware gang that has reportedly attacked more than 60 organizations since December 2021, wrote its malware in Rust. Golang was used in ransomware by DeadBolt, a group infamous for its attacks on QNAP.

Additionally, throughout late 2021 and early 2022, ransomware groups have continued activities to facilitate their business processes, including regular rebranding to divert the attention of the authorities, as well as updating exfiltration tools. Some groups developed and implemented complete toolkits that resembled ones from benign software companies. Lockbit stands out as a remarkable example of a ransomware gang’s evolution. The organization boasts an array of improvements compared to its rivals, including regular updates and repairs to its infrastructure. It also first introduced StealBIT, a custom ransomware exfiltration tool that enables data exfiltration at the highest speeds ever – a sign of the group’s hard work put towards malware acceleration processes.

The third trend Kaspersky experts have witnessed is a result of the conflict in Ukraine, which has heavily impacted the ransomware landscape. Although such attacks are usually associated with advanced persistent threat (APT) actors, Kaspersky detected significant activity on cybercrime forums, as well as actions by ransomware groups in response to the situation. Shortly after the conflict began, ransomware groups took sides, which led to politically motivated attacks by some ransomware gangs in support of Russia or Ukraine. One piece of malware newly discovered during the conflict is Freeud, developed by Ukraine supporters. Freeud features wiping functionality: if the target contains a list of files, the malware wipes them from the system instead of encrypting them.

“If last year we said ransomware is flourishing, this year it’s in full bloom,” said Dmitry Galov, senior security researcher at Kaspersky’s Global Research and Analysis Team. “Although major ransomware groups from last year were forced to quit, new actors have popped up with never before seen techniques. Nevertheless, as ransomware threats evolve and expand, both technologically and geographically, they become more predictable, which helps us to better detect and defend against them.”

Learn more about current ransomware trends in the full report on Securelist.

On May 16 at 10 AM EDT, Dmitry Galov, security researcher at Kaspersky's GReAT, will discuss the latest trends in the ransomware market, focusing on new ransomware groups, their techniques and targets. Register for the webinar here: https://kas.pr/mx4e

On May 12, which is Anti-Ransomware Day, Kaspersky encourages organizations to follow these best practices that help safeguard against ransomware:

· Always keep software updated on all the devices you use to prevent attackers from exploiting vulnerabilities and infiltrating your network.

· Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminals’ connections to your network. Set up offline backups that intruders cannot tamper with. Make sure you can access them quickly when needed or in an emergency.

· Enable ransomware protection for all endpoints. There is a free Kaspersky Anti-Ransomware Tool for Business that shields computers and servers from ransomware and other types of malware, prevents exploits and is compatible with already installed security solutions.

· Install anti-APT and EDR solutions, enabling capabilities for advanced threat discovery and detection, investigation and timely remediation of incidents. Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within the Kaspersky Expert Security framework.

· Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for Kaspersky’s TI, providing cyberattack data and insights gathered by our team for over 20 years. To help businesses enable effective defenses in these turbulent times, Kaspersky has announced access to independent, continuously updated and globally sourced information on ongoing cyberattacks and threats, at no charge. Request access to this offer here.

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

Media Contact

Sawyer Van Horn

sawyer.vanhorn@Kaspersky.com

(781) 503-1866

 


