Even though REvil and some of the other more notorious ransomware gangs were shut down this year, the cybercriminals behind them continued to develop and succeed with new cross-platform capabilities, updated business processes, and more.
In recent years, ransomware operations have grown from their clandestine and amateurish beginnings into full-fledged businesses with distinctive brands and styles that rival one another on the dark web. To raise awareness ahead of Anti-Ransomware Day, cybersecurity firm Kaspersky has released a new report highlighting some of the new ransomware trends spotted so far this year.
The first trend to note is the extensive use of cross-platform capabilities by ransomware groups that allow them to damage as many systems as possible using the same malware by writing code that can be executed on multiple systems at once. Conti has been one of the most active groups this year and has developed a variant of its ransomware that can be distributed via selected affiliates and target devices running Linux distributions and Windows machines.
At the same time, ransomware groups have continued their activities to facilitate their business processes. These activities include rebranding to divert attention from law enforcement, as well as updating exfiltration tools. In the meantime, some groups have developed and implemented their own full-fledged custom toolsets that resemble those offered by legitimate software companies. The Lockbit ransomware group is notable for this, as the organization provides regular updates to its toolkits and often applies fixes to its infrastructure.
Since Russia’s invasion of neighboring Ukraine began on February 24, it has prompted businesses, governments and individuals to take sides in the conflict.
However, according to Kaspersky, this was also the case in cybercrime forums and with ransomware groups starting to take sides. As a result, there were a number of politically motivated attacks during the first quarter of this year that cybercriminals carried out in support of Russia or Ukraine.
One of the new strains of malware that was discovered during the conflict is called Freeud and was developed by Ukrainian supporters. Instead of encrypting its targets’ systems, Freud introduces a wipe function, and if a target contains items from a list of files, the malware deletes them from the victim’s system.
Dmitry Galov, Senior Security Researcher at Kaspersky’s global research and analysis team, provided more information about the company’s New Ransomware Trends in 2022 report in a press release, saying:
“If last year we said that ransomware is flourishing, this year it is in full bloom. Although the major ransomware groups of the past year were forced to quit, new players with never-before-seen techniques have emerged. However, as ransomware threats evolve and expand, both technologically and geographically, they become more predictable, which helps us better detect and defend against them.”