View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
January 10, 2022

Bigger and more business-savvy: How ransomware will evolve in 2022

Under pressure from law enforcement, ransomware groups are consolidating and shifting their aim towards corporate targets.

By Claudia Glover

Ransomware groups have terrorised businesses and public sector organisations since 2019, but last year the tide began to turn. Collaboration among law enforcement agencies led to high-profile arrests, and the business of ransomware has become riskier for the criminals. But the game is not over yet. This year, experts expect the ransomware industry to consolidate around the most sophisticated groups, to automate more of its attacks, and to shift its focus away from critical infrastructure onto corporate targets.

ransomware in 2022

Ransomware groups are hiring people with knowledge of business and law to better exploit their victims, researchers say. (Image by Tero Vesalainen / iStock)

Last year marked a turning point in the fight against ransomware. Acknowledging the scale of the threat, Western law enforcement agencies formed dedicated units, such as Europol’s Joint Cybercrime Action Task Force or the FBI’s National Cyber Investigative Joint Task Force. This led to breakthrough arrests and the seizure of millions of dollars in cryptocurrency.

In November, for example, the US Justice Department seized $6.1m in funds traceable to ransomware payments linked to the infamous attack on managed service provider Kesaya. One arrest was made and charges were filed against Russian national Yvgeniy Polyanin, believed to be a senior member of the REvil gang. The FBI has offered a $10m bounty for any information on his whereabouts.

Ransomware in 2022: survival of the fittest

This crackdown is forcing the ransomware ecosystem to change, explains Yelisey Boguslavskiy, head of research at security firm Advanced Intelligence. But instead of weakening the ecosystem, it may be simply clearing out the less sophisticated groups. “The arrests are clearing the weaker ones, and those who are smart enough not to get arrested, they will keep growing,” says Boguslavskiy.

This could give rise to a few, highly sophisticated groups that dominate the ransomware business, agrees Jon DiMaggio, chief security strategist at threat intelligence vendor Analyst1. “The big players are going to become almost like big companies that suck up all of the good people in the field,” he says. “I think we’ll see bigger players having a larger impact as opposed to having a lot of medium-sized groups.”

We’ll see bigger players having a larger impact as opposed to having a lot of medium-sized groups.
Jon DiMaggio, Analyst1

Meanwhile, Analyst1 has witnessed ransomware groups forming a cartel, sharing tactics, command and control infrastructure, and data from their victims. Attackers then appear to be “reinvesting profits made from ransom operations to advance both tactics and malware to increase their success and revenue,” the company says.

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

The bigger these groups become, however, the more of a target they are for law enforcement. As a result, they are diversifying their methods to avoid detection. This includes using a wider variety of attack vectors, beyond the traditional email-borne attacks. “We just saw Log4j, a major CVE, now being exploited by ransomware groups,” explains Boguslavskiy. Using zero-day exploits as well as botnets and initial access brokers can also help groups evade detection.

To further reduce the risk of detection, some ransomware groups are automating their attacks. “Several gangs have added the ability for their ransomware to self-spread, often via taking advantage of [server message block] protocol and other networking technologies,” explains DiMaggio. “Previously, a human would use admin tools like psExec and scripts to turn off security features and spread the malware manually, one system at a time.” Analyst1 expects fully automated ransomware attacks to become commonplace in the next two years.

The crackdown on ransomware is leading some groups to reduce their reliance on affiliates, partner organisations that help identify and infect targets with their malware. The more affiliates involved in a ransomware attack, the higher the risk of disruption by law enforcement, and the larger groups appear to be minimising their criminal networks to make supply chains shorter and more integrated, says Boguslavskiy. “If a group is not focusing on one supply chain, it’s easier for them to survive a potential takedown.”

Ransomware in 2022: ransomware groups go corporate

DiMaggio expects that as ransomware groups grow, they will shift their focus away from critical infrastructure – attacks which draw media coverage and public outcry –towards less high-profile corporate targets. “They don’t want to go loud, they don’t want to be in the media,” he says. ” I think we’ll see more law firms [being targeted], banks, places that are financially stable.”

Meanwhile, ransomware groups such as Conti, Dopplemeyer and LockBit are hiring team members who understand the inner workings of the corporate world. “They’re hiring people with legal degrees, they’re hiring people who understand the corporate world,” explains Boguslavskiy.

They’re hiring people with legal degrees, they’re hiring people who understand the corporate world.
Yelisey Boguslavskiy, Advanced Intelligence

This is giving rise to new forms of extortion. Last November, the FBI warned that ransomware groups have threatened to sabotage a targets’ stock valuation by leaking critical data. Business-savvy attacks such as this will become more prevalent as the groups become more sophisticated. “Sometimes they get into the network and they have classified market data,” explains Boguslavskiy. “At this point, they don’t really have the capabilities to read it properly and to actually weaponise it … but considering the number of people they are hiring with corporate knowledge,” they soon will, he says.

Looking forward into 2022, the concentration of ransomware gangs into fewer, more powerful cartels means that companies in the private sector should remain on their guard. Well-funded and eager to survive, ransomware gangs are incorporating technology and business model innovations from the legitimate economy into their operations, Boguslavskiy warns, with potentially disastrous effect.

Topics in this article : ,
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.