There’s no doubt that ransomware attacks are a significant threat to organisations around the world today. Both the number of attacks attempted and the amount of money demanded have increased in the past few years, with criminals, who are mostly motivated by money, becoming greedier and more confident of succeeding without being caught.

A survey by analyst company International Data Corporation (IDC) revealed that “more than a third of organisations worldwide experienced a ransomware attack or breach that blocked access to systems or data” in the 12 months to August 2021, and many industry observers report that figures across the board have gone up since then.

A brief history of ransomware

Only ten or so years ago, ransomware attacks were mostly automated. Cybercriminals looked for potential targets, developed the tools to break in, and infiltrated organisations’ networks to deploy the ransomware payload that they had also most likely built themselves. They would typically attack one system of one company at a time.

This required many different skills, so their success rate was moderate, as was the ransom amount they demanded. They typically communicated by SMS and wanted payment via e-wallets. Their actions left a trail of evidence for security researchers to analyse, and those researchers built up a good picture of the distinct methods different groups used, making it easier to identify them at the next crime scene.

Roll on a few years and the cybercriminals switched to encrypted messaging platforms, ramped up their demands and, of course, wanted to be paid in hard-to-trace bitcoin.

Fast forward to 2022 and the cybercriminal world has evolved into an ecosystem made up of three different types of groups:

  • The access broker focuses on finding organisations with vulnerabilities, compromising networks and probing for the easiest way into them – all to sell this as a package to other groups
  • The developers build the ransomware-as-a-service (RaaS) tools to hire out
  • After purchasing the access information and hiring the RaaS tools, a third group will move into the network, steal or encrypt data, execute the ransomware payload and make the ransom demand.

In short, it’s become an industry. Groups have taken on different specialist roles, splitting the profits depending on their skillsets and the risks involved in completing their part of the deal. This business model makes it harder for researchers to identify precisely which cybercriminal gangs were involved in each cybercrime.

Another consequence of this industrialisation is that the groups that deploy the ransomware payload are not as sophisticated as they might have been years ago – there’s a lower barrier to entry because their part is now simpler and requires less skill than ever before. However, the ecosystem as a whole is more advanced because each group needs to concentrate only on its part of the cyber-attack.

With huge amounts of money at stake, there’s also competition for talent, just like in any other industry. It’s been reported that some cybercriminal gangs even have HR and recruitment managers. And RaaS groups might well be marketing their services in competition with rivals.