Ransomware variants continue to evolve as crooks chase bigger paydays

Two new families of ransomware have risen up to join some of the most dangerous over the last few months as cyber criminals turn the screw to make attacks more effective.
Written by Danny Palmer, Senior Writer

The number of ransomware attacks which threaten to leak stolen data if the victim doesn't pay a ransom to get their encrypted files and servers back is growing – and this is being reflected in the changing nature of the cyber criminal market.

Analysis by cybersecurity researchers at Digital Shadows found that over the last three months – between July and September – 80 percent of ransomware attacks combined with data dumps were associated with four families of ransomware – Maze, Sodinokibi, Conti and NetWalker.

The period from April to June saw just three ransomware families account for 80 percent of alerts – DoppelPaymer, Maze and Sodinokibi.

The way DoppelPaymer has dropped off, and how Conti and NetWalker have suddenly emerged as some of the most prolific threats, shows how the ransomware space continues to evolve, partly because of how successful it has already become for the crooks behind it.

Maze was the first major family of ransomware to add threats of data leaks to its ransom demands, and other ransomware operators have taken note – and stolen the additional extortion tactic.

"There is an inherent competitive nature that has befallen the ransomware landscape. The saturated ransomware market pushes ransomware developers to cut through the noise and gain the best ransomware title," Alec Alvarado, cyber threat intelligence analyst at Digital Shadows told ZDNet.

"This title drives more affiliates to carry out their work and, thus, more successful attacks to reach their goal: to make as much money as possible."

Indeed, DoppelPaymer's activity has dropped over the last few months – although it still remains active – enabling Conti and NetWalker to grab a larger slice of the pie.

The evolution of NetWalker in itself provides a good summary of how ransomware has been changing. The ransomware first emerged in April 2019 when it began operating a ransomware-as-a-service model for cyber criminals who had to be vetted before being given access to the tools.

Then in March 2020 the operations of NetWalker shifted from the mass distribution of ransomware to a more clinical approach that targeted specific large organisations. So notorious did the cyber crime group become that the FBI issued a warning about NetWalker ransomware and the Covid-19-themed phishing emails it used to gain a foothold in networks.

NetWalker's potency has seen it rise up the ranks to become one of the most effective forms of ransomware – with the hackers making off with an average of around $175,000 in bitcoin following each successful campaign.

But despite the continued success of ransomware, a few relatively simple cybersecurity measures can prevent an organisation from becoming yet another victim of this kind of attack.

"Phishing is still a favored tactic of ransomware groups, so the common phishing mitigations apply here. Employee awareness and dedicated training around phishing that encapsulates exercises using simulated phishing emails help organizations reduce this threat," said Alvarado.

Organisations should also ensure that security patches are regularly applied across the network so that cyber criminals can't exploit known vulnerabilities. In addition, regularly making backups of corporate data is helpful because, in the event of a ransomware attack, it's possible to restore the network relatively swiftly without giving in to ransom demands.
