FBI Found 100 Active Ransomware Groups

JAKARTA - The FBI has tracked more than 100 active ransomware groups. The figure was reported by Bryan Vorndran, assistant director of the agency's cyber division, during a Senate Judiciary Committee hearing on ransomware.

The hearing highlighted the major problems the United States faces in trying to mitigate the effects of ransomware clusters that attack businesses, schools, and other organizations.

Several ransomware groups have gone silent in recent months after carrying out major attacks that caught the world's attention. DarkSide, for example, the group that hacked the Colonial Pipeline in May, disappeared from the internet a few days later.

There's also REvil, one of the most active ransomware groups to date, which mysteriously disappeared earlier this month after a widespread attack that infected more than 1,500 organizations worldwide. The disappearance of that one group pales in comparison to how widespread the ransomware underworld is.

"It seems like new groups are popping up all the time. In some cases, they're affiliated with other operations. In some cases, they're rebranding", Brett Callow, an analyst at cybersecurity firm Emsisoft, told NBCNews, Wednesday, July 28.

Researchers have looked at more than 1,000 ransomware clusters, although most appear to have disappeared. "In a serious, newly named group, you might get one or two per month", Callow said.

Tracking down the cybercriminals behind ransomware is a difficult task. The hackers who create and maintain ransomware software are often different from those who spread it, with both parties sharing the profits.

A ransomware group is often identified by the name given to it by the software maker. But who its members are and what their goals are is often unclear, as hackers who rent well-known types of ransomware for certain attacks may not have had any prior affiliation with the malware designers.

While many ransomware hackers claim to be Russian, and the administration of US President Joe Biden has made no attempt to stop such hacks, ransomware operations are often multinational endeavors.

"While the developer may be based in Russia, the affiliate that spreads the ransomware may or may not be based in Russia", Vorndran said.

Vorndran said that mapping out a comprehensive picture of a particular ransomware operation is extremely difficult, as the hackers behind them are often good at covering their tracks.

"It's very challenging to get attribution to the keyboard or the actors behind the keyboard. I would estimate about half of our cases don't have accurate attributions because of the complexity involved", concluded Vorndran.