Is Ransomware Finally in Decline? Groups Are 'Struggling'

Researchers See Waning Mystique, Use of Ghost Groups, Breach Tricks, Trauma of War
Yelisey Bohuslavskiy, chief research officer, RedSense; Marley Smith, principal threat researcher, RedSense

Could ransomware finally be in decline? While overall ransomware profits might remain high, many of the remaining or rebooted top-tier groups are "really struggling" to adapt to upheavals in the cybercrime business. Contributing factors include scarce talent, trauma from the Russia-Ukraine war and repeated disruptions by law enforcement, said researchers from threat intelligence firm RedSense.

Ransomware runs on fear, and "a lot of groups are struggling to maintain a certain level of mystique and power that they need in order to continue operations," said Marley Smith, principal threat researcher at RedSense. As a result, many ransomware-as-a-service groups are turning to highly skilled contractors, aka "ghost groups," to access the deep "pen-testing" talent they need to carry out attacks against large targets and make everything look like business as normal, "even though things are just getting increasingly complex and almost desperate in terms of the ability to continue operations."

Other signs of desperation include more groups trying to pass off small amounts of data, or data purchased from third parties, as evidence of a major breach, as well as doubling down further on data leak sites to try to add to the pressure on victims, Smith said.

These fresh attempts at innovation have "not yielded the results they expect," resulting in groups "struggling" and being "in decline," said Yelisey Bohuslavskiy, co-founder and chief research officer at RedSense.

Geopolitics is compounding the problem, as many ransomware practitioners live "just really traumatized" lives due to the Russia-Ukraine war, he said. "The top-tier ransomware groups consist of Russians, Belarusians and Ukrainians, and half of them are now in this very strange situation when they still know each other and chat constantly. But their countries are at war, and they need to figure out how to work together while being at war."

Thanks to these and other factors, including repeat law enforcement takedowns and infiltrations that are likely to intensify in an election year, a time may come - perhaps soon - when the ecosystem "will erode to a point when it collapses, and I think it would collapse as swiftly and as situationally as it emerged in 2019," Bohuslavskiy said.

In this video interview with Information Security Media Group, Bohuslavskiy and Smith discussed:

  • How and why ransomware syndicates work with ghost groups to further their attack capabilities;
  • The impact of the Russia-Ukraine war on ransomware groups;
  • Takeaways for defenders seeking to counter or recover from ransomware attacks.

Bohuslavskiy previously served as co-founder and head of research and development at threat intelligence firm Advanced Intelligence. He also worked as a cyberthreat intelligence analyst at Flashpoint and a due diligence researcher at Kroll.

Smith works on RedSense's intelligence team, conducting in-depth investigations of ransomware syndicates, novel malware, state-affiliated threat groups and the ever-evolving dynamics of the cybercrime ecosystem.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.