When the average ransomware payment is over $900k, one might expect a degree of organization among cybercriminals to handle that kind of cash. What might not be expected: an arrangement that resembles your office—complete with HR and an employee-of-the-month award.
A March 2022 report from the cybersecurity services provider Check Point revealed the inner workings of the Conti ransomware group. Leaks showed that Conti—an active crew in the first half of 2022—handled their affairs with familiar corporate features, including a hiring process, salaries, and bonuses.
The office-like approach demonstrates that ransomware has become a professional, team-coordinated enterprise—one that supports malicious hackers with easier-than-ever ways of deploying attacks.
“They kind of have gone through their startup culture, and 2022 was where the bigger groups...the successful groups were able to start scaling out and expanding their operations, and making them a little bit more official and robust,” said Keegan Keplinger, research and reporting lead at the managed detection and response company eSentire.
A dark ‘top 5.’ Before shutting down their servers, Conti operators racked up 145 victims in the first half of 2022, according to analysis from LookingGlass. (LookingGlass suggests that Conti has rebranded as Black Basta, rather than disbanded, to avoid detection.)
Other groups that appeared to be very active in the fast half of 2022:
- LockBit, which hit the automotive giant Continental in November.
- Vice Society (known for its attack on educational institutions, including the Los Angeles Unified School District).
- Black Basta, which emerged in April.
- ALPHVl, a group that both encrypts and corrupts data.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
According to the LookingGlass findings, Conti, LockBit, Vice Society, Black Basta and ALPHV had over 800 victims in Q1 and Q2 of 2022. The report cited 1,133 total ransomware attacks during that time period.
While Conti is the only gang to have confirmation of office-like business practices, the LookingGlass researchers say it stands to reason that other big players have a comparable setup.
“It would be highly unlikely for successful groups, like LockBit and others, to have not organized themselves similarly,” read the report.
At your service. Groups like LockBit and Conti use ransomware-as-a-service (RaaS) models, which can be peddled on the dark web and often offer extortion support, including leak-site hosting and crypto transaction services.
The service lowers the ransomware barrier to entry, said Tony Lauro, director of security technology and strategy at security services provider Akamai Technologies.
“You’ve now commoditized the ransomware process. You’re giving more people access to tools that they may not necessarily have had access to before,” Lauro told IT Brew.
RaaS and extortion groups grew by 63.2% in the first quarter of 2022, according to a report from Trend Micro.
Stay organized. An organized group can keep an eye on security research, collect money, and skillfully reinvest it much more effectively than a single actor, said Keplinger—perhaps a sign that ransomware will still thrive in 2023.
“It’s a general principle in arms races, that the better resourced group is typically going to win,” Keplinger told IT Brew.—BH
Do you work in IT or have information about your IT department you want to share? Email [email protected].