New Report Warns of Ransomware Actors Building Organizational Structure For Complex Attacks | #ransomware | #cybercrime

[ad_1]

New Report Warns of Ransomware Actors Building Organizational Structure For Complex Attacks

A new report by Coveware reveals a significant shift in the ransomware landscape, with threat actors evolving their organizational structures to execute increasingly complex attacks.

As we approach the one-year anniversary of the collapse of prominent ransomware groups LockBit and BlackCat/ALPHV, the ransomware ecosystem remains fractured and uncertain, yet simultaneously more sophisticated in its operational approach.

The report highlights that the previously dominant Ransomware-as-a-Service (RaaS) model has become “irreversibly tarnished” following exposures of infighting, deception, lost profits, and compromised anonymity for affiliates.

This has led to a restructuring of the ransomware landscape, which is now characterized by three distinct organizational models: unaffiliated lone operator extortionists, newer ransomware brands blurring the lines between financial cybercrime and espionage, and traditional groups following established playbooks.

Coveware researchers identified a troubling trend where these evolving organizational structures are enabling more sophisticated attack methodologies despite the fractured ecosystem.

The report notes that joint law enforcement actions have systematically impaired numerous ransomware operations, even putting several threat actors behind bars, yet adaptation continues at an alarming pace.

Q1 2025 was marked by several telling events that demonstrate this evolution, including Clop’s data theft campaign targeting Cleo managed file transfer platforms, phantom extortion schemes involving physical ransom notes purportedly from BianLian, and the public breach announcement of Oracle Cloud Single Sign-On environments.

Perhaps most revealing was the February 2025 leak of Black Basta Matrix chat logs, which offered unprecedented insight into how ransomware groups are structuring their operations to assess risk and navigate regulatory climates.

Average and Median Ransom Payment in Q1 2025 (Source – Coveware)

The sophisticated defense evasion techniques employed by these restructured groups represent a particularly concerning development.

Present in 60% of analyzed cases, these techniques demonstrate the organizational maturity of modern ransomware operations.

Threat actors are systematically disabling security software, clearing Windows event logs, and using custom obfuscated scripts to avoid detection.

More alarmingly, they’re employing Bring Your Own Vulnerable Driver (BYOVD) techniques, as shown in this command sequence often found in attack logs:-

sc stop "Sense"
reg add "HKLM\System\CurrentControlSet\Services\Sense" /v Start /t REG_DWORD /d 4 /f
sc stop "WinDefend"
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v Start /t REG_DWORD /d 4 /f

These commands systematically disable Windows Defender services before leveraging legitimate but vulnerable drivers to elevate privileges and further compromise defenses.

The shifting organizational landscape of ransomware groups appears to be creating new challenges for defenders.

While smaller organizations (median size just 228 employees) remain primary targets, Coveware analysts warn that we may see a resurgence of attacks against large enterprises as state-sponsored actors from China and North Korea increasingly enter the ransomware space, potentially using these attacks to fund regime activities or mask their true intrusion motives.

Are you from the SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

[ad_2]

Source link

.........................

National Cyber Security

FREE
VIEW