Ransomware from Turkey and Brazil and...
What Easy Access to Code and Victims Means for the Future of Ransomware
The Record has a new story out about a threat group, operating out of Turkey, deploying Mimic ransomware against Microsoft SQL Servers. First and foremost, if you have a Microsoft SQL Server exposed to the Internet, make sure it is fully patched, administratively accessible only through a VPN, and secured with MFA.
But I think this article highlights a growing pattern: the move away from Russia as the locus of control for ransomware groups.
Don't get me wrong: for years there have been ransomware affiliates from around the world. We've seen affiliates arrested in Romania, South Korea, India, Canada, and the United States. But much of the core leadership of typical cybercriminal ransomware groups resided in Russia or Ukraine (Iran, North Korea, and China operated more as nation-state or hybrid models).
But that is starting to change. The big ransomware groups are still largely based in Russia. But now that ransomware code is widely available and, thanks to increased initial access broker activity, so are victims, we are seeing smaller ransomware groups pop up with leadership based in other parts of the world.
One of the challenges in tracking these groups (aside from the fact that attribution is hard) is that they tend to be smaller and less well organized than the more established Russian threat actors, so getting a handle on how big this problem really is will be a challenge in 2024. But as long as ransomware remains profitable, we can expect to see more cybercriminal ransomware groups operating wholly from places outside Russia, which means we can look forward to even more attacks.
Welcome to 2024: it will look a lot like 2023, but worse.