Technology Unwrapped

The most important technology concepts, strategies and actions uncovered for your business.

Ransomware Gangs: What Are They & How Do They Operate?

Close-up dark keyboard with cyber security concept-1Ransomware is known to be one of the most potent cyber attacks that affect businesses of all sizes. While corporate networks and government organizations maintain stringent cybersecurity policies to discourage ransomware attacks, the attackers, ransomware gangs, have shifted their focus to small and medium-sized businesses. According to Ransomware Trends 2023, Q2 Report from Cyberint, there has been a significant surge in ransomware incidents in Q2 of 2023, a staggering 67% increase in comparison to Q2 of 2022. Oftentimes cybercriminals work alone and under the radar. However, ransomware gangs are the new way cybercriminals collaborate and continue to increase their profits.  

What is Ransomware? And What are Ransomware Gangs? 

Ransomware is a harmful computer program or malicious software (malware) that locks or encrypts files or the victims' networks. These files become inaccessible until the victim pays a ransom demand. The inserted virus is usually spread through phishing emails, malicious downloads, or by taking advantage of vulnerabilities in critical infrastructure such as the system software. 

Ransomware gangs are groups of hackers (or cybercriminal organizations) who develop and distribute ransomware viruses to carry out malicious activities. These gangs specialize in developing and deploying sophisticated ransomware programs, executing ransomware attacks, and often targeting individuals, businesses, or government organizations. They also sell pay-for-use subscription models, called ransomware-as-a-service or RaaS, which allow other parties to deploy ransomware attacks. 

Ransomware Gangs vs. Individual Hackers 

With the definitions of ransomware and ransomware gangs explained, let us see what the key differences are between an individual hacker and ransomware gangs: 

Characteristics of Ransomware Gangs 

Ransomware gangs are organized cybercrime groups where each member has clearly defined roles and responsibilities. Here are some of the characteristics of ransomware gangs that separate them from individual hackers. 

  1. Share victim data and leaked sites: Since ransomware gangs work in groups, they share everything, including victim data and leak site information, with each other to be more effective and impactful in their operations.
  2. Share infrastructure: As a team they share resources to overcome costs and other constraints, making them well organized.
  3. Share & swap tactics: Besides physical assets, ransomware gangs share tactics to launch combined attacks on unsuspecting networks. The organized ransomware gang mafia also swap tactics to better understand their weaknesses and strengths.
  4. Share profits: Since ransomware gangs operate and launch cyberattacks as a group, they share the spoils amongst each other in specific pre-decided proportions. They are part of an alliance bound by contractual agreements that every gang member follows strictly.

Characteristics of Individual Hackers 

Unlike ransomware gangs, individual hackers work in silos and may have personal motives. Since they work alone, sharing information, infrastructure, or resources with anyone is unnecessary. Similarly, an individual hacker works independently and may not divulge trade secrets or tactics to third parties in most cases. However, due to the anonymity the dark web provides, individual hackers might be more inclined to sell the stolen information from data breaches to others in order to make quick money. The most significant difference between ransomware gangs and individual hackers is that individual hackers pocket 100% of the profits. 

How Do Ransomware Gangs Operate? 

Ransomware gangs operate as an organized syndicate and may have dedicated advertising, escrow services, and customer support. 

While most ransomware gangs work on the dark web, they have a significant presence and function like traditional software companies. They maintain a developer, infrastructure, and system administrators, malware analyzers, etc. They have ulterior motives to disrupt network systems to fill their coffers.  

  • The most noticeable aspect of ransomware gangs is that they have well-organized PR and advertising networks that promote the company's activities by highlighting their past accomplishments. 
  • Ransomware gangs have reconnaissance brokers to scour criminal markets, gather sensitive information, and cut deals with ransomware groups. Furthermore, they employ subcontractors to gain illegal access to company network systems and sell access to the gangs. 
  • Ransomware gangs use escrow services as intermediaries between trading parties to hold the victim's ransomware payments until their team confirms everything is in order. Criminals providing RaaS depend on ransomware gangs for their support. The subcontractors act independently of the gangs, whereby they do not go out of business even if the enforcement agencies zero in on a specific ransomware gang. 
  • These gangs work like any other business to gain trust among other chain members. Administrators vet other gang members' credibility before inducting them into their network.  

Which Ransomware Gangs Pose a Threat to SMBs and Why? 

SMBs (small and midsize businesses) have smaller budgets to work with and cannot afford to have high levels of IT security solutions to protect their network from ransomware threats. Therefore, SMBs are like sitting ducks for these organized ransomware groups. Here are some of the deadliest ransomware gangs that have targeted business entities worldwide. 


Conti, a notorious ransomware gang, uses a unique way of operating, the double extortion method, to attack its victims. The attack entails withholding the decryption key and simultaneously threatening to leak sensitive information on the internet. Its major targets constitute critical public infrastructure sectors like energy, healthcare, education, IT, finance, etc., and SMBs. In December 2021, this ransomware gang targeted Indonesia's central bank and compromised sensitive data. Other prominent victims include a seaport company SEA-invest and Broward County Public Schools. 


REvil, also known as Sodinokibi, is a ruthless ransomware group linked with the Russian Federal Security Service. This gang usually targets high-profile business and government targets, with some of its reputed victims being Acer, Invenergy, JBS Foods, Kaseya, and many other corporates. Though political pressure caused a mild disruption in their activities, they continued to operate. The ransomware group REvil was responsible for around 37% of all ransomware attacks committed in 2021.  


Any discussion on ransomware gangs must include the Colonial Pipeline attack in May 2021. The ransomware gang behind this attack was Darkside, a group boasting a code of conduct. It is because they never target government institutions, healthcare centers, schools, or other infrastructure that directly affect the public. The Colonial Pipeline attack was the largest cyberattack in the US on the oil infrastructure sector. 


DoppelPaymer is another ransomware gang that specializes in the double extortion ransomware model. Notable target sectors include oil, healthcare, education, automobile, and emergency services. This group claimed responsibility for hacking and publishing voter information in Georgia. 

A double extortion method involves encrypting a victim's data but also stealing a copy of it, giving the ransomware gang extra leverage on the victim. Therefore, organizations need experts to protect their most valuable assets from encryption, have customized solutions dedicated to ransomware protection, and back up data securely and regularly. 

How Can an IT Service Provider Help Your Business? 

Small or large, your company has a unique business and IT environment, and the threats to its valuable assets may vary based on many factors such as its business domain, exposure to the internet, cybersecurity awareness levels among employees, location, etc. IT security service providers maintain the necessary experience and expertise in every cybersecurity domain. They dedicate resources and customized solutions to the security needs of each client. They help SMBs by: 

  • Educating and training employees in specific areas based on the value of information assets they are managing. 
  • Implementing strong security policies (unique passwords, regular updates, limiting admin access), procedures, and guidelines to help protect the data, applications, and networks. 
  • Performing regular vulnerability assessments, penetration testing, and risk and control assessments. 
  • Developing an effective incident response plan and performing tabletop exercises and mock drills. 
  • Validate and deploy available updates or patches before installing them to mitigate third-party risks. 

The Impact of Ransomware and The Solutions 

The proliferation of ransomware doesn’t mean IT managers need to wave the white flag and give up their company information assets to a devastating ransomware attack.  

Check out this comprehensive eBook, "Ransomware Exposed." With a staggering 67% increase in incidents this quarter alone, safeguarding your systems has become more important than ever. This book helps you uncover the inner workings of ransomware and empower yourself with expert insights and practical tips. Don't wait for an attack to strike—get your free copy of "Ransomware Exposed." now and safeguard your business today! 

Ransomware Exposed: Is your business at risk? Download our eBook!

Additional Resources 

Topics: Security Threats, Data Breach