Ransomware gangs shift tactics, making crimes harder to track

Photo illustration: hands typing on a computer keyboard. Rather than lease computer code from bigger bad guys, small-fry ransomware gangs are writing their own code, or stealing it. (Thomas Trutschel / Photothek via Getty Images)

Ransomware gangs increasingly use their own or stolen computer code, moving away from a leasing model that made their activities easier to monitor, new research shows.

Numerous prominent hacking groups in recent years have functioned by leasing their malicious software and computing infrastructure to other bad actors, in what’s known as ransomware-as-a-service. That model, which experts say turbocharged the number of ransomware attacks, was offered by infamous groups such as Conti, which shuttered Irish health systems, and REvil, deemed responsible for a 2021 intrusion at the IT management firm Kaseya.

But now the number of smaller hacking groups has rapidly increased, with many of them deploying their own code or stealing it from others, according to Allan Liska, a threat intelligence analyst at Recorded Future Inc. The shift has coincided with a reduction in activity by some higher-profile groups, according to research Liska presented Friday after the Cyberwarcon security conference.

The evolution is complicating efforts to track various new groups, such as Onyx, which researchers believe reuses Conti’s code and has claimed to target several victims.


“In the last year, ransomware has become a race to the bottom among ransomware groups,” Liska said. As a result, gangs are “stealing from each other, lying even more than usual to victims and creating havoc among investigators and law enforcement.”


Ransomware is a type of malware that encrypts a victim’s computers. The attackers then demand a ransom payment to unlock them. Ransomware payments have skyrocketed in recent years, U.S. government data show, as many groups have adopted a type of double extortion. In addition to encrypting files and demanding money, they also are stealing private troves of data and threatening to release it if their demands aren’t met.

The Treasury Department said that U.S. financial institutions reported nearly $1.2 billion in likely ransomware-related payments in 2021, usually in response to breaches originating with Russian criminal groups.

The payments more than doubled from 2020, underscoring the pernicious damage that ransomware continues to wreak on the private sector.

Liska said the changes in tactics may stem from the groups’ fear of being targeted when they operate as part of a large group. The U.S. Department of Justice on Thursday announced it had charged a dual Russian and Canadian national accused of working with the LockBit ransomware gang. Hackers associated with the Netwalker and REvil extortion groups have pleaded guilty in recent months.


This month, the U.S. hosted nearly three dozen countries for a ransomware summit in Washington. The pace and sophistication of those intrusions are increasing faster than the government’s ability to disrupt them, a senior Biden administration official has said.