Despite REvil and other most notorious ransomware gangs shutting down this year, the cybercriminals behind them continued to develop and succeed with new cross-platform features, updated business processes and more.
In the past few years, ransomware operations have grown from a secret and amateurish start to a full-fledged business with distinct brands and styles competing with each other on the Dark Web. To raise awareness ahead of Anti-Ransomware Day, cybersecurity firm Kaspersky released a new report this year highlighting some of the new ransomware trends discovered so far.
The first trend to note is the rich use of cross-platform features that allow ransomware groups to use the same malware to harm as many systems as possible by writing code that can run concurrently on multiple platforms. Conti has been one of the most active groups this year and has developed a variant of the ransomware that can be distributed through some affiliates, targeting devices running Linux distributions and Windows systems.
At the same time, the ransomware group continued its activities to facilitate business processes. These activities include rebranding and updating leak tools to divert law enforcement attention. Meanwhile, some groups have developed and implemented their own custom and complete toolkits similar to those provided by legitimate software companies. The Lockbit ransomware group stands out in this regard as organizations provide regular updates to their toolkits and often apply repairs to their infrastructure.
Since Russia’s invasion of neighboring Ukraine began on February 24, it has led businesses, governments and individuals to take sides in the conflict.
The same was true of ransomware groups that started to take sides with cybercrime forums, according to Kaspersky. As a result, there were a number of politically motivated attacks carried out by cybercriminals in the first quarter of this year to support Russia or Ukraine.
One of the new malware variants discovered during the crash was developed by Ukrainian supporters under the name of Freeud. Rather than encrypting the target system, Freud provides a delete function, and if the target contains an item in the file list, the malware deletes the item from the victim system.
Dmitry Galov, a senior security researcher on Kaspersky’s global research and analytics team, said the company’s New Ransomware Trends in 2022 The press release reports:
“If you said ransomware flourished last year, it is in full bloom this year. Last year’s major ransomware group was force shut down, but a new technology never seen before has emerged. Nevertheless, as ransomware threats evolve and expand, both technically and geographically, they become more predictable, helping to better detect and defend against them.”