Ransomware Groups are Rebranding — As ‘Services’

Why Trust Techopedia

Ransomware groups are rebranding and making friends with businesses. This was one of the key points made by cybersecurity expert Lisa Forte, partner at Red Goat Cybersecurity, when she mounted the stage to discuss Risk: From Mountain Top to Board Rooms at this year’s Qualys EMEA Security Conference, London.

In her opening remark, Forte highlighted that for business leaders to make key cybersecurity decisions toward de-risking their business operations, they need to factor in these elements: identifying and understanding risk, detecting vulnerability, and ‘prioritize and remediate,’ ‘respond and monitor.’

But the above elements are marred by a new trend playing out in the domain, where ransomware teams are rebranding themslves from villains to heroes.

According to Forte, rebranding along this line may allow businesses have an easy way out when hit with a ransomware attack. But for how long would such romance last?

Techopedia sat with Forte in London to contextualize this from an expert standpoint. She also touched on what businesses should do to avoid playing into the hands of these groups.

Key Takeaways

  • Ransomware groups are expanding their targets to companies in developing economies with rapid digitalization and lighter security measures.
  • The total revenue received by ransomware groups dropped in 2022 but spiked again in 2023, potentially due to the effectiveness of their rebranding tactics.
  • Organizations need to plan for worst-case scenarios, such as being attacked during critical business periods like Black Friday or tax season.
  • The financial resources available to ransomware groups, untaxed and laundered through cryptocurrency, give them a significant advantage over organizations’ cybersecurity budgets.
  • The perception of paying ransoms is becoming more acceptable in business circles, further enabling and emboldening ransomware operations.

How Ransomware Rebranding Plays Out

For years, ransomware gangs have operated like digital muggers, strong-arming organizations with aggressive tactics and hostile communication. However Forte told Techopedia that these tactics are proving less effective.


“Traditionally, ransomware groups were very aggressive. They’d steal your data, lock your systems, and basically put a big gun to your head.


“However, the problem with this strategy is that panicked victims often refused to pay, leaving the criminals empty-handed.”

Forte reveals that this has caused a shift in the dynamics of ransomware operations in recent times, forcing them to rebrand as business partners. She cites cases of ransomware attacks on Colonial Pipeline and CNA Financial Corporation, where ransomware groups went as far as offering discounts if they paid early.

“They realized that if they were flexible with their terms, maybe, suggest to the victims to put a deposit down and pay the rest in installments or whatever; or offer the victims an opportunity to determine the rate at which to pay up, they paid the ransom quicker.”

The facade extends beyond payment structures. Forte describes instances where ransomware groups offer “free” security audits, detailing how they breached the company’s systems and how to remediate the situation.

“They would quite happily chat with legal counsel within the victim company and agree terms and conditions of paying the ransom. For example, we won’t attack you again for two years,” she says.

Moreso, Forte notes that these groups tend to stay true to their word, as “the moment they breach the agreement, word would get around. And then all this rebrand that they’ve gone through to look like someone you can trust despite the fact they’ve just attacked you, becomes null and void.”

Money Still the Key Motivation Behind the Rebranding Tactics

One would think that for a hacker group to take this approach, there could be more to their motivations.

However, Forte maintains the driving force behind ransomware groups is as simple as it gets: money. “There’s very little evidence that they’re politically motivated at all. It’s just about the money,” she explains.

The financial rewards are substantial, and the target audience is expanding.

Forte said:

“They’re attacking companies in the global south. These developing economies, with their rapid digitalization and lighter security measures, are a prime target for ransomware groups. They’re spending a lot of money in rapid digitalization, which leaves them very vulnerable.”

Data from Chainanalysis shows that the total revenue received by ransomware groups dropped to $567 billion in 2022 but peaked again in 2023 to $1.1 trillion — and that there could be a connection between this rise in ransomware revenue and rebranding tactics.

Forte predicts that with this current tactic, it is only going to get worse in 2024.

“We saw more ransomware payments than ever before last year. This year’s up on last year already.”

Franklin Okeke and Lisa Forte at the Qualys conference.
Franklin Okeke and Lisa Forte at the Qualys conference.

Ransomware’s Evolving Tactics: Weighing Impossible Choices

The evolution of ransomware tactics has left organizations grappling with difficult decisions in risk management, according to Forte. Whereas companies could rely on backups to circumvent ransomware demands in the past, the landscape has shifted dramatically.

“So now what they do is they get into the company, they’ll steal all the data from the company, they’ll then encrypt the systems, and then they’ll say, look, you pay the ransom, we will release your systems back to you, and we promise we won’t publish the data online.”

In this situation, decision-making becomes much harder, Forte told Techopedia.

“So the problem that you have from a risk management perspective is you’ve got to think about how you avoid getting yourself into that situation to begin with. Because if they hit you, they have your data, and they’ve disabled your key systems, you don’t have options. You only have bad options to choose from.”

With data theft hanging in the balance, organizations face an agonizing choice: risk catastrophic losses by refusing to pay the ransom or acquiesce to criminal demands, which in essence means encouraging future attacks.

Building Options, Not Walls: How Organizations Can Harden Themselves Against Ransomware

In the face of these evolving ransomware tactics, Forte recommends measures on how organizations can build a robust defense strategy against ransomware attacks.

“The key is to avoid getting into a situation where your only options are paying criminals or risking your business,” says Forte.

“This means going beyond basic defense measures like vulnerability management.”

Key strategies include:

Data Encryption:  Forte emphasizes the importance of data encryption. “Encrypting stored data renders it useless even if stolen,” she explains. This crucial step takes away a bargaining chip from ransomware attackers.

Backups and Recovery: Reliable backups are no longer enough. Regular backups and recovery testing are essential. This disaster recovery plan ensures a swift restoration of systems in case of an attack.

Employee Training:  Phishing emails remain a common entry point for ransomware. Invest in employee training to identify and avoid phishing attempts. Empowering employees with this knowledge strengthens the organization’s first line of defense.

Planning for the Worst: Here’s a critical, often overlooked step – planning for the worst-case scenario.  “Imagine the absolute worst possible time for your business to be hit,” says Forte.  “Black Friday for a retailer, tax season for an accounting firm – these are times of maximum vulnerability.”

By anticipating these critical periods, organizations can develop contingency plans and answer critical cyber resilience questions: Can you operate some functions manually? Can you utilize backup systems? These alternative measures, according to Forte, can buy valuable time for resolving the situation.

The Murky Future of Ransomware: More Money, Less Shame

Forte paints a concerning picture of the future shaped by the evolving ransomware landscape.  Fueled by the ease of laundering money through cryptocurrency, these criminal groups are becoming financial powerhouses.

“The problem that you’re seeing is that they have the ability to wash and launder such a huge amount of money through cryptocurrency without law enforcement being able to touch it,” Forte explains. This influx of untraceable funds empowers ransomware gangs, creating a dangerous imbalance.

“So you have groups of individuals who have so much money that is coming in obviously tax-free. This financial disparity puts organizations at a severe disadvantage. And so what you have is a situation where you’re hugely outgunned because our organizations, organizations don’t have that kind of money that we can invest in cybersecurity.”

Further complicating the issue is the lack of proactive government action.

“Until governments start taking some more proactive action here, it’s just going to keep swinging more and more towards the ransomware groups.”

Perhaps the most troubling trend is the changing perception of ransom payments, Forte says.

“Because so many people are being hit, and so many no longer see paying the ransom as bad anymore.

“And I think companies now are like, well, our competitors pay this, so why wouldn’t we pay? We just pay. And it’s almost becoming acceptable, like a business risk that you’ve just paid for,” she explains.

According to Forte, the combined effect of these factors is a perfect storm for the proliferation of ransomware.

“So I think the problem is that actually it’s become less toxic to pay than it ever has before,” she says.

This, coupled with the financial resources at their disposal, allows ransomware groups to operate with impunity. “They don’t have to invest in sophisticated tactics. They don’t have to innovate because we’re not making their life hard,” she notes.

The Bottom Line

Ransomware’s rebrand from brute force to a service-oriented model raises a terrifying prospect: cybercrime as a subscription service. Imagine a future where businesses, fearing downtime and data leaks, pay a monthly “protection fee” to ransomware gangs. This dystopian scenario may seem far-fetched, but the trends outlined here paint a worrying picture.

This rebrand, fueled by easy crypto-laundering, grants them a financial edge. Lax government intervention and the normalization of ransom payments further empower them.

This situation makes the future look grim and primes ransomware gangs for explosive growth. Unless governments, organizations, and the public unite, the consequences will be dire.


Related Reading

Related Terms

Franklin Okeke
Technology Journalist
Franklin Okeke
Technology Journalist

Franklin Okeke is an author and tech journalist with over seven years of IT experience. Coming from a software development background, his writing spans cybersecurity, AI, cloud computing, IoT, and software development. In addition to pursuing a Master's degree in Cybersecurity & Human Factors from Bournemouth University, Franklin has two published books and four academic papers to his name. His writing has been featured in tech publications such as TechRepublic, The Register, Computing, TechInformed, Moonlock and other top technology publications. When he is not reading or writing, Franklin trains at a boxing gym and plays the piano.