Ransomware Operations and On-Chain Laundering Increasingly Being Enabled by AI: Research

Nine new ransomware groups have been identified in a key update shared by TRM Labs, and all of them are said to be part of one evolving ecosystem. In their latest blog post, the team at TRM Labs examines the operations behind these emerging ransomware groups, including how they are focused on scaling their operations with artificial intelligence and what their behavior looks like on-chain.

Some key observations in the TRM Labs report are as follows:

  • AI is enabling faster, more scalable ransomware operations
  • Some groups are moving away from encryption — instead relying on reputational damage, regulatory pressure, and data leaks to extort victims
  • The line between state-linked and financially motivated groups is becoming increasingly blurred
  • On-chain laundering is evolving
  • Ransomware campaigns are becoming more coercive and opportunistic

As machine learning-enabled ransomware that better evades detection and ransomware-as-a-service (RaaS) models continue “to democratize the cybercrime landscape, the ransomware ecosystem is becoming more fragmented — but no less dangerous.”

Opportunistic actors operate alongside experienced threat groups, adapting quickly “to law enforcement disruptions and shifting laundering tactics through cross-chain swaps and high-risk exchanges.”

TRM assesses that ransomware will move beyond simple file encryption, pivoting to extortion campaigns that intend to “target reputational, regulatory, and operational pressure points — tactics that offer higher leverage with less technical overhead.”

According to the report, the increasingly “blurred distinction between financially motivated attackers, nation-state proxies, and hacktivists will further complicate attribution and responses.”

Blockchain intelligence companies like TRM Labs aim to serve a critical role in helping to combat these types of threat actors.

By tracing ransomware payments on-chain, identifying laundering patterns, and supporting law enforcement and investigative teams with actionable intelligence, TRM Labs notes that it helps disrupt illicit financial flows and accelerate response.

Ransomware groups leverage crypto to demand and receive cross-border payments anonymously.

Bitcoin is said to be the cryptocurrency most commonly requested by ransomware operators; however, Monero is also used by certain groups because of its purported privacy features.

Former and active ransomware groups, like BlackSuit, DragonForce, and Akira, convert these illicit proceeds from BTC into other virtual currencies such as Ethereum, Tron, Binance Smart Chain, and Arbitrum during the laundering process.


