Ranking ransomware: The gangs, the malware and the ever-present risks
On March 4, a ransomware crew that calls itself Royal attacked the city of Dallas, hobbling services and triggering issues that have persisted for the past week. In February, the PLAY ransomware group took credit for attacking the city of Oakland, eventually dumping as many as 600 gigabytes of internal city files on the internet.
These are just two of the known ransomware attacks that occur daily around the world targeting small and large businesses, government organizations, nonprofits and medical facilities. Names like Royal and PLAY apply to both the strain of malware used in the attacks and the groups that create and operate the platforms behind them, but those names may signify little else to executives and other decision-makers on the frontlines of defending against ransomware.
A new effort is taking on the daunting challenge of ranking ransomware outfits to give organizations greater awareness of the criminal cyber operations they’re fighting on a daily basis. The Ransomware Malicious Quadrant, published Wednesday by ransomware-focused cybersecurity firm Halcyon and first shared with CyberScoop, takes a range of the most consequential and effective ransomware groups over the past year, gathers the most critical datapoints on each, and categorizes them.
“There’s so much information out there, but there’s not a lot of consistent information,” said Anthony Freed, Halcyon’s director of threat intelligence. Various cybersecurity firms track ransomware groups, but their public products often give businesses little usable information.
“You’ll get a nice report, and the next year, they may have kind of moved on to the next shiny thing, or the data that they collect isn’t apples to apples to what they had before, or other organizations producing bits and pieces [on various groups],” Freed said.
Those interested in a given ransomware group’s history can get a detailed view of the group’s attacks, the industries it has targeted and where it is most active, giving executives and others a starting point to understand threats relevant to them.
Halcyon’s system is designed to give business leaders and other decision-makers a compact but thorough overview of the plethora of ransomware variants and crews operating at any moment. Data about ransomware operators and their victims is inherently limited to a subset of the full scope of activity, given that what’s known publicly is usually based on what the criminal gangs choose to share publicly.
Nevertheless, based on Halcyon’s research and information published by other firms and government sources, enough information about the groups is known to allow the groups to get sorted on a range of factors. Each group is plotted along the quadrant’s x-y axes — ability to execute and completeness of vision — and the quadrants further characterize each group as either challengers, leaders, niche players or visionaries.
Written entries for each group track a range of factors, including effectiveness in disrupting targeted networks, ability to evade detection, as well as continued development of its platform, target selection and the availability of technical support for affiliates.
LockBit, one of the most active groups at the moment based on publicly known data, is predictably ranked highest in terms of execution and vision. Royal, the group associated with the attack on Dallas, “has quickly become one of the more concerning ransomware operations,” the report notes, given its prolific attack rate since emerging in September 2022.
Freed says Halcyon is trying to determine how often to update the quadrant given the incredibly fluid nature of the ransomware space. But for now, the company hopes that it can be a resource for decision-makers who aren’t necessarily technical but need to know what’s happening.
“What’s happening in my space? Who are the threat actors that target my industry more, who’s super active? What victims, that these ransomware operators hit, kind of look like me? And what lessons can be learned from those attacks?” Freed said. “These organizations have to plan not just to prevent a ransomware attack, but to respond to a ransomware attack and be resilient.”