Flexible, industrialized and political: Ransomware gangs take on a new face in 2022

21 May 2022

Ransomware operations have come a long way, from somewhat clandestine and amateur beginnings to fully-fledged businesses with distinctive brands and styles that compete with each other on the dark web. Overall, they continue to develop and succeed despite major takedowns of some of the most notorious gangs. They find unusual ways to attack their victims or resort to newsjacking to make their attacks more topical. Kaspersky experts continuously monitor ransomware groups' activities and, ahead of Anti-Ransomware Day, have released a report covering the new ransomware trends spotted in 2022.

The first trend of note is the prolific use of cross-platform capabilities by ransomware groups. These days, they aim to damage as many systems as possible with the same malware by writing code that can run on several operating systems. Conti, one of the most active ransomware groups, has developed a variant that targets Linux and is distributed through selected affiliates. During late 2021, the cross-platform programming languages Rust and Golang became more widespread among ransomware developers. BlackCat, a self-proclaimed "next-generation" malware gang that has reportedly attacked more than 60 organizations since December 2021, wrote its malware in Rust. Golang was used in the ransomware of DeadBolt, a group infamous for its attacks on QNAP devices.

Additionally, throughout late 2021 and early 2022, ransomware groups continued to streamline their business processes, including regular rebranding to divert the attention of law enforcement and updating their exfiltration tools. Some groups developed and deployed complete toolkits that resembled those of legitimate software companies. Lockbit stands out as a remarkable example of a ransomware gang's evolution. The group boasts an array of improvements over its rivals, including regular updates and repairs to its infrastructure. It was also the first to introduce StealBIT, a custom data exfiltration tool that enables exfiltration at the highest speeds seen so far, a sign of the effort the group has put into speeding up its malware.

The third trend Kaspersky experts have witnessed is a consequence of the geopolitical situation, namely the conflict in Ukraine, which has heavily impacted the threat landscape. Although such attacks are usually associated with advanced persistent threat (APT) actors, Kaspersky detected significant activity on cybercrime forums and actions by ransomware groups in response to the situation. Shortly after the conflict began, ransomware groups took sides, which led to politically motivated attacks by some gangs in support of Russia or Ukraine. One of the malware families newly discovered during the conflict is Freeud, developed by supporters of Ukraine. Freeud includes wiper functionality: if the malware is supplied with a list of files, it wipes them from the system instead of encrypting them.

"If last year we said it is flourishing, this year it's in full bloom. Although major ransomware groups from last year were forced to quit, new actors have popped up with never-before-seen techniques," comments Dmitry Galov, senior security researcher at Kaspersky's Global Research and Analysis Team. "Nevertheless, as ransomware threats evolve and expand, both technologically and geographically, they become more predictable, which helps us to better detect and defend against them."