Ransomware groups are constantly evolving their tactics and techniques to stay ahead of defenders.

Cybersecurity firm Red Sense collected some information on major ransomware groups this summer, and created this useful chart showing the main changes they made to their kill chains to stay in the top league.


Some highlights:

  • Increased focus on IcedID: IcedID is a malware loader that has become increasingly popular with ransomware groups in recent months. It is difficult to detect and remove, and it can be used to deliver a variety of different ransomware payloads.
  • Re-weaponization of older malware: Ransomware groups are also re-weaponizing older malware, such as RedLine and Vidar. These malware families have been around for a while, but they have been updated with new features and capabilities to make them more effective.
  • Custom loaders: Ransomware groups are increasingly developing their own custom loaders. This makes it more difficult for defenders to detect and block their attacks.
  • Strategic alliances: Ransomware groups are also forming strategic alliances with each other. This allows them to share resources and expertise, and to coordinate their attacks.
  • Automated phishing and web injects: Ransomware groups are increasingly automating their phishing and web inject attacks. This makes it more difficult for defenders to keep up with their constantly evolving campaigns.
  • Voice phishing: Ransomware groups are also experimenting with voice phishing attacks. This involves calling potential victims and impersonating a trusted source, such as a bank or government agency.

Analyzing the chart also gives a detailed look at the changes in the kill chains of some of the top-tier ransomware groups:

  • BlackBasta/BlackByte: This group has focused on increasing its use of IcedID and custom loaders. It has also formed strategic alliances with other ransomware groups, such as Conti.
  • Emotet: This malware loader has been re-weaponized by a number of ransomware groups, including BlackBasta/BlackByte and Royal/BlackSuit.
  • Royal/BlackSuit: This group has re-weaponized RedLine and developed its own custom loaders. It has also rebranded itself as BlackSuit to avoid detection.
  • LockBit: This group has no set loader model and instead deploys through its alliances with other ransomware groups.
  • Zeon: This group has also focused on increasing its use of IcedID. It has also experimented with RedLine and formed a strategic alliance with Royal/BlackSuit.