Ransomware metamorphosis: Exploring the reasons behind group rebrandings and evanescences
In the ever-evolving world of cybersecurity, understanding the mindset and tactics of ransomware actors has become crucial for security professionals. Each ransomware group employs unique tactics, techniques, and procedures (TTPs), making it challenging to keep up with their constant evolution.
One of the most notorious groups, REvil/Sodinokibi, based in Russia, has been a constant source of guesswork for the security community because of how resourcefully it keeps evolving. After a brief hiatus, the group rebounded in early September, restoring its infrastructure from backups. Its operator, known as "Unknown," was believed to have disappeared in July; operations resumed only after someone discovered a hidden landing page and blog using the same keys as REvil's.
Another significant player, Ryuk, has seen a resurgence in 2021 following a period of decline. The comeback is believed to be driven by the operators adapting their tactics to target larger, more lucrative victims with improved evasion techniques. Ryuk has been active again, albeit less so than Conti, another active group.
The security community has been intrigued by the sudden drop in Ryuk operator activity between April and August of 2020, with Conti ransomware emerging using similar malware code to the second version of Ryuk. This has led to speculation that Conti could be a splinter group of Ryuk or that the two groups are separate entities with coincidental timing.
Ransomware groups often retreat when their ransomware is reverse engineered or a flaw is found in it. For instance, Avaddon operators released decryption keys for more than 2,900 victims in June, yet only 180 victims had been named on Avaddon's darknet leak site.
The ransomware ecosystem is not just a collection of isolated entities. CrowdStrike's tracking of "eCrime enablers," who work with a variety of criminal actors, shows the overlap in this world. One such enabler is Wizard Spider, the operator behind Ryuk, Conti, BazarLoader, Anchor, Sidoh, and MagneticScraper, which is also likely involved in Maze, Egregor, and other ransomware activities.
The evolution of ransomware from a criminal nuisance to a national security threat over the last three years is a testament to the adaptability and resilience of these groups. As the security community continues to monitor and respond to these threats, it's clear that staying vigilant and informed is key to staying ahead of these ever-evolving adversaries.