ransomware gang

When the DarkSide ransomware group disappeared after its high-profile disruption of the Colonial Pipeline, several of its “member affiliates” (criminals using DarkSide’s ransomware as a service tools) lodged complaints against the criminal enterprise.

Yes, even hackers have a legal jurisprudence system. “[U]nder the terms of the DarkSide affiliate program 80% of the ransom in my direction [sic]… the target paid, but I did not receive my share,” posted one affiliate to XSS.is, a well-known cybercrime forum that includes a “People’s Court.”

While there’s a certain irony in cybercriminals turned plaintiffs in hacker court airing their grievances and insisting on the fulfillment of contractual obligations, ransomware is more lucrative than ever and criminal networks have kept apace by developing sophisticated and sometimes well-organized infrastructures to maximize profits.

Here are three ways ransomware gangs have become a bigger, more organized threat.

#1 Ransomware as a Service (RaaS)

While ransomware has been in circulation since at least 1989, it didn’t become a major cyber threat until the mid-2010s. In 2015, estimated annual damages were about $325 million. The damage in 2021 is predicted to hit $20 billion. 

The reason for this increase? Ransomware developers sell access to their services and the right to use their code in exchange for a piece of the action.

The payment structure and the supporting infrastructure bears more than a passing resemblance to software-as-a-Service (SaaS). Cybercriminals are get tech support and can review stats on their campaign’s performance. There are even regular feature and software updates. 

Most importantly, this development lowers the barrier for entry into the ransomware world since cyberthieves no longer need advanced skills to compromise a target and profit handsomely.

RaaS hasn’t fully put independent ransomware gangs out of business, but nearly two thirds of ransomware attacks in 2020 used it.

#2 Triple Extortion

Early ransomware attacks followed a straightforward pattern for extortion: Files on a computer or network would be encrypted, freezing individuals and organizations alike till they paid for the decryption key. 

The method works so long as the target doesn’t have any backups, security software, or access to publicly accessible decryptors.

Double extortion entered the scene not long after, with the encrypted data also being exfiltrated with the threat of releasing the data through dark web forums or to other interested buyers. Where a victim of a single extortion attack is compelled to pay once for getting their data unlocked, this new method added a powerful incentive for victims to pay two ransoms, one for a decryptor and a second to prevent the dissemination of their data.

The 2020 hack of law firm Grubman Shire Meiselas & Sacks by the Sodinkibi/REvil crime syndicate was an example of double extortion. The thieves threatened to release the personal data of celebrity clients including Lady Gaga, Madonna, Elton John, and others. 

Threat actors have pushed the envelope even further with triple extortion. This method involves targeting and subjecting third parties associated with a hack–one example being the 40,000 patients of a Finnish psychotherapy clinic who were threatened with the release of their patient notes. 

#3 Targeting Vital Infrastructure

The earlier days of ransomware was, in a roundabout way, egalitarian. Individuals, businesses, government agencies were all commonly targeted for payouts ranging from a few hundred to several million dollars. As the profits have increased and ransomware gangs have become increasingly competitive, a new pattern has emerged where organizations providing critical services are targeted.

Cybercrminals wasted little time in the wake of the Covid-19 pandemic to target hospitals, healthcare providers and vaccine research facilities. The result was a loss of an estimated $20.8 billion in downtime for the healthcare industry as a whole in 2020, a figure nearly twice the 2019 figure. Similarly, at least 90 healthcare facilities in the U.S. were targeted by ransomware gangs in 2020 compared to 50 the year before. 

A ransomware attack halted operations of the largest fuel pipeline in the US in May, leading to widespread shortages and price increases along the Eastern Seaboard. This was followed by an attack that disrupted operations of the world’s largest provider and distributor of meat, threatening widespread shortages and increased food prices in the US, Canada, and Australia.

Many companies, organizations and government agencies still seem willing to pay a ransom, discreetly or otherwise, to prevent the widespread disruption introduced by having critical medical, industrial and commercial networks taken offline. The Colonial Pipeline hack netted the ransomware group responsible for close to a $5 million bounty within hours of their attack, despite initially denying doing so. 


  • As ransomware has become increasingly lucrative, the cybercrime organizations responsible for their development have evolved. 
  • We can expect to see new and more insidious methods for extortion, data exfiltration, and disruption as attacks grow in frequency and profitability. 
  • Ransomware as a service (RaaS) has expanded the threat matrix by lowering the barrier for entry to cybercriminals, who no longer need to be particularly expert or cyber-savvy to launch an attack.  
  • Every part of the supply chain is part of the problem as ransomware continues to proliferate. 
  • Cybersecurity precautions and strategies that could fend off ransomware attacks are still not widely implemented.