Ransomware groups are getting their acts together, growing in sophistication and business acumen while monetizing ransomware beyond encryption, including double and triple extortion, as the market for ransomware-as-a-service (RaaS) matures.

In first half of 2022, LockBit, Conti, Alphv, Black Basta, and Vice Society were among the most prolific ransomware gangs, focusing their attack on US-based organizations, according to a LookingGlass report on the topic.

The report confirmed and attributed 1,133 ransomware attacks in the first six months of the year and attributed 207 data leaks across all active threat actor groups throughout the same period. Of the more than 1,300 incidents, the bulk came from the top 15 most active ransomware groups, led by LockBit, Conti, and Alphv.

Ransomware gangs have primarily targeted two sectors during the analysis period: manufacturing and industrial products, followed by engineering and construction and healthcare and life sciences, with the consumer and retail industry rounding out the top five.

Professionalization & Economies of Scale

The report highlighted the rise of sophisticated software and networks as a principal contributor to the professionalization of ransomware, with malicious actors now offering RaaS, bug bounties, sales teams, and even customer support.

"This new, more professional ransomware structure can only mean that the problem will continue to grow in the months ahead," the report noted. "We anticipate the adoption of more traditional business practices as the underground economy continues to remain robust."

LookingGlass CEO Bryan Ware says a key reason for this professionalization is for economies of scale, noting it enables ransomware gangs to make more money because they're improving operations to enable scale and growth.

"Think of it like a startup: you start with a small group of people delivering 'product.' Then, as they see success and demand growing, they add more people on to help make more money," he says. "At some point, you need operations and processes in place to enable the group to capture that demand."

For most ransomware gangs, the motivation is financial, and professionalizing is part of what enables more revenue for the threat actors.

"Beyond this, it's hard to speak to motivation," Ware says. "However, as in the analogy used above regarding startups, we might anticipate that professionalization also means they will have road maps for functionality, operating systems they support, and future-proofing, for example."

He explains one thing that IT security teams need to know is that this professionalization is going to impact the development of malware for ransomware activities.

"Malware is likely going to be better produced and maintained — and produced faster," Ware says. "This is because there are different team members who can focus on their strengths: some can be working on development, others on QA of malware, and so on."

Professionalization of RaaS Actors Likely to Continue

The report echoes findings of a Verizon DBIR report earlier this year, which found ransomware has become so efficient — and the underground economy so professional — that traditional monetization of stolen data may be on its way out.

Ware notes that, in general, the belief is that RaaS will only grow.

"Because ransomware gangs may now have departments focused on specific operations, such as a 'customer' or victim-support group," he says. "It's not absurd to think they will double-down on RaaS as a model for growth, especially by growing affiliate or 'channel' marketing capabilities and staff. There may even be developments to franchise."

Overall, the increasing professionalization of ransomware gangs increases the threat to businesses, as these groups may be better able to develop ransomware on a per-industry basis.

"This would be true especially if they keep up their current development," Ware says. "But overall, the threat remains high to businesses and will likely stay that way, if not grow."

Meanwhile, a surging and evolving ransomware sector continues to expand across the Dark Web with hundreds of thriving marketplaces — recent research by Venafi and Forensic Pathways uncovered 475 web pages filled with listings for ransomware strains, ransomware source code, build and custom-development services, and full-fledged RaaS offerings.

Earlier this year, a study by Sophos found a growing nexus between ransomware actors and initial access brokers (IABs), which offer elite access to compromised systems and slick, professional services, is raising the bar in the underground economy.

The evolution of IABs such as Genesis, which lists more than 400,000 bots (compromised systems) in more than 200 nations, also points to the "growing professionalization and specialization" of the cybercrime economy, the report noted.