Ransomware gangs invest in custom data stealing malware


As ransomware teams increasingly move to simply encrypting victims' files and demanding a payment to unlock them, instead of extracting sensitive information directly, some of the more mature criminal organizations are developing custom malware for their data theft.

In a report published Wednesday by Cisco Talos, the threat intelligence unit reviewed the top 14 ransomware groups and analyzed their tactics, techniques and procedures (TTPs). Talos selected the 14 based on volume and impact of attacks and "atypical threat actor behavior," using data from the criminals' leaks, internal tracking and other open source reporting.

The 14, listed here by number of victims on their respective shaming sites, are the ones you'd probably expect: LockBit, ALPHV, Play, 8base, BlackBasta, BianLian, CLOP, Cactus, Medusa, Royal/Blacksuit, Rhysida, Hunters International, Akira and Trigona.

"Over the past year, we've seen major changes in the ransomware space with the emergence of several new ransomware groups, each exhibiting unique targets, operational structures, and victimology," the report's authors note.
