RaaS platforms had plenty of bells and whistles under the hood, including affiliate dashboards reflecting real-time contamination statistics, turnkey spreading mechanisms such as exploit kits, and features allowing the "partners" to generate custom payloads.
This new principle caused the ransomware epidemic to skyrocket. Disastrous strains like Cerber and Locky surfaced in the wake of RaaS adoption. The boom reached its peak in 2017 with the WannaCry and NotPetya global outbreaks that raided hundreds of thousands of computers via leaked NSA exploits codenamed DoublePulsar and EternalBlue.
Data breaches added to the mix
As the price of Bitcoin – the primary ransom payment channel – took a nosedive in 2018, ransomware gangs tried to survive the crisis by zeroing in on enterprise networks rather than individuals. These are juicier targets that can afford to pay large ransoms. This shift has been the driving force of ransomware evolution ever since.
In 2019, extortionists enhanced their tactics with another revolting quirk. They started stealing companies' data as part of the attack. The operators of a ransomware specimen called Maze were the first to implement this technique.
The fact that attackers possess a victimized organization's files gives them an extra advantage in the ransom negotiations. If the target refuses to pay for data decryption, crooks threaten to publish the pilfered files on special leak sites or hacker forums.
The double-blackmail approach is currently gaining traction in cybercriminal circles. At least 20 ransomware groups have already taken this route, and the number is growing. A few ill-famed samples from this category are REvil (also referred to as Sodinokibi), DoppelPaymer, LockBit, and Nemty.
Ransomware cartels are the new black
Cybercrooks in charge of three independent ransomware operations (Maze, LockBit, and Ragnar Locker) joined their efforts and created a syndicate in June 2020. They use a single site called "Maze News" to leak files stolen from non-paying organizations.
This dodgy partnership is not restricted to sharing the same data leak service, though. The gangs also benefit from the collaboration by exchanging expertise accumulated over the years and accessing unique network infiltration instruments used by fellow extortionists.
Phony ransomware incursions
Not every extortion attack is a real call to action. In April 2020, con artists claiming to be ransomware distributors sent blackmail notes to numerous WordPress site owners. Their narrative was as follows: the sites had been compromised, and copies of their databases had been dumped to servers under the attackers' control.