The success of ransomware gangs has spurred a significant trend of professionalisation amongst cyber criminals where different groups develop specialised services to offer one another, according to a new report from WithSecure (formerly known as F-Secure Business).

Ransomware has been around for decades, but the threat has continuously adapted to improvements in defenses through the years. One notable development is the current dominance of multi-point extortion ransomware groups, which employ several extortion strategies at once (usually both encryption to prevent access to data and stealing data to leak publicly) to pressure victims for payments.

According to an analysis of over 3 000 data leaks by multi-point extortion ransomware groups, organisations in the US were the most common victims of these attacks, followed by Canada, the UK, Germany, France, and Australia. Taken together, organisations in these countries accounted for three-quarters of the leaks included in the analysis.

The construction industry seemed to be the most impacted and accounted for 19% of the data leaks. Automotive companies, on the other hand, only accounted for about 6%. A number of other industries sat between the two due to ransomware groups having different victim distributions, with some families targeting one or more industry disproportionately to others.

While the threat of ransomware has inflicted considerable pain on organizations in different countries and industries, its transformative impact on the cybercrime industry cannot be overstated.

“In pursuit of a bigger slice of the huge revenues of the ransomware industry, ransomware groups purchase capabilities from specialist e-crime suppliers, in much the same way that legitimate businesses outsource functions to increase their profits,” explains senior threat intelligence analyst Stephen Robinson. “This ready supply of capabilities and information is being taken advantage of by more and more cyber threat actors, ranging from lone, low-skilled operators, right up to nation state APTs. Ransomware didn’t create the cybercrime industry, but it has really thrown fuel on the fire.”

In one notable example highlighted in the report, WithSecure investigated an incident that involved a single organisation compromised by five different threat actors, each with different objectives and representing a different type of cybercrime service:

* The Monti ransomware group;

* Qakbot malware-as-a-service;

* A cryptojacking group known as the 8220 Gang (also tracked as Returned Libra);

* An unnamed initial access broker (IAB); and

* A subset of Lazarus Group, an advanced persistent threat associated with North Korea’s Foreign Intelligence and Reconnaissance General Bureau.

According to the report, this professionalization trend makes the expertise and resources to attack organizations accessible to lesser-skilled or poorly resourced threat actors. The report predicts that it is likely that the number of attackers and size of the cybercrime industry will both grow in the coming years.

“We often talk about the damage ransomware attacks cause to the victims. Less attention is paid to how ransom payments provide additional resources to attackers, which has encouraged the professionalisation trend described in the report. Near-term, we’re likely to see this changing ecosystem shape the resources and type of attacks facing defenders,” says WithSecure head of threat intelligence Tim West.