New gangs and new tactics mean more victims of ransomware

Ransomware actors have been forming affiliate gangs and using new tactics in order to lure additional victims, according to a new report.

The latest 2022 Bi-Annual Cyber Threat Report from Deep Instinct reveals changes in the world of ransomware gangs, including LockBit, Hive, BlackCat, and Conti.

Conti has formed a number splinter groups, made up of Quantum, BlackBasta, and BlackByte. These three prominent former affiliate groups to the Conti operation emerged under their own operations following the decline of Conti.

"2022 has been another record year for cyber criminals and ransomware gangs. It's no secret that these threat actors are constantly upping their game with new and improved tactics designed to evade traditional cyber defenses," says Mark Vaitzman, Threat Lab team leader at Deep Instinct. "The goal of this report is to outline the wide range of challenges that organizations and their security teams face daily. Defenders must continue to be vigilant and find new approaches to prevent these attacks from happening."

The study also finds a shift in tactics, the use of documents to deliver malware has decreased following Microsoft's move to disable macros by default in Microsoft Office files. Threat actors have already been shifting to implement other methods to deploy their malware, such as LNK, HTML, and archive email attachments.

A number of vulnerabilities have also highlighted the exploitability of both Windows and Linux systems despite efforts to enhance their security. Analysis of the CISA's published known exploited vulnerability catalog suggests that the number of exploited in-the-wild vulnerabilities spikes every three to four months and researchers expect a new spike as we get closer to the end of the year.

Attackers are also broadening their horizons to demand ransoms from third-party companies if leaked data from another target contains their sensitive information.

Looking ahead the report predicts that improvements to cybersecurity will see a rise in attackers seeking out insiders willing to sell access to their organization’s data. It also foresees a rise in so called 'protestware' -- the weaponization of software to harm users -- which has been seen in the use of wiper programs during the Ukraine conflict.

The full report is available from the Deep Instinct site.

Photo credit: Ton Snoei / Shutterstock