Metamorphosis in the criminal world: why are ransomware gangs switching to DDoS?


Law enforcement is going after ransomware gangs more fiercely than ever before. Striving to survive, those groups will exploit every "business opportunity" they get to extort money.

Ransomware attacks are a significant factor in the explosive growth of cybercrime.

"Who knows how many groups there are, but we can safely say there are probably between 100-200 active ransomware groups. It's a lot of people competing to break into your company," Roger Grimes, Data-Driven Defence Evangelist at KnowBe4, said during the webinar "Nuclear Ransomware 3.0: We Thought It Was Bad, and Then It Got Even Worse."

So how are ransomware gangs different now? And how dangerous are they?

"Everything is a possibility. They are just going to be doing more and more things. They are not just going to do double or quintuple extortion, and they are going to use different approaches for the victim," Grimes said.

He highlighted that law enforcement is targeting ransomware groups more effectively than ever. It's only natural that the remaining gangs will try to maximize profit and do whatever they can with the access and tools they have.

"They sound like corporate businessmen because, the reality is, they probably are," Grimes said.

That's how we should probably look at ransomware gangs - not as criminals who only extract, encrypt your data and ask for ransom later. They are becoming like any other company, wanting to be in and profit from every market and niche.

"We are already seeing the signs that ransomware gangs are starting to become really everything gangs. Whatever they can do, they will do to make money," Grimes said.

For example, ransomware gangs are now becoming initial access (or network access) brokers. They used to be buyers of access to compromised companies. Currently, ransomware gangs like Conti are selling access to organizations themselves.

According to Grimes, they are also engaging in crypto mining more often.

Ransomware programs are also dropping other malware, such as Trickbot, a password-stealing Trojan.

Another avenue they explore is DDoS attacks. Previously, they launched DDoS attacks only when a company wouldn't pay a ransom, to make it suffer.

"We are starting to see multiple ransomware groups that do not exfiltrate data, do not try to encrypt it, they just DDoS. (...) You are just starting to see a trend of more and more DDoS attacks by ransomware groups, to see that this is becoming something they do as a norm," Grimes said.

With ransomware, a criminal has to put a lot of effort into breaking in, exfiltrating information, and encrypting it without being detected.

"If you make a DDoS attack, you might get paid in a day. And it's cheap to make DDoS, and it may cost you $100," Grimes said.

Where do we go from here? Everything is a possibility. "Besides selling exfiltrated data, stolen credentials, initial access, stealing money from banks and stock accounts, besides personally extorting individuals like customers and employees, they'll now be hackers for hire. Do you want to get data from a competitor? They are doing BEC scams, installing adware, launching DDoS, cryptomining, making botnets, sending spam emails. They are doing anything they can think of to generate revenue. This is the future," Grimes added.

Golden age

Cyberattacks are increasing in scale, sophistication, and scope. The last 12 months were rife with major high-profile cyberattacks, such as the SolarWinds hack and the attacks against the Colonial Pipeline, meat processing company JBS, and software firm Kaseya.

Pundits talk of a ransomware gold rush, with the number of attacks increasing over 90% in the first half of 2021 alone.

The prevalence of ransomware has forced governments to take multilateral action against the threat. A combined effort likely made it possible to push the infamous REvil and BlackMatter cartels offline and arrest members of the Cl0p ransomware cartel.

Gangs, however, either rebrand or form new groups. Most recently, LockBit 2.0 was the most active ransomware group with a whopping list of 203 victims in Q3 of 2021 alone.

An average data breach costs victims $4.24 million per incident, the highest in 17 years. By comparison, the average cost stood at $3.86 million per incident last year, making the latest figure a 10% increase.
