Some major ransomware groups with ties to Russia rebranded their campaigns in 2022 to avoid sanctions from Western countries, blockchain intelligence firm TRM Labs has revealed.
According to a new report released recently, rebranding and other major activity indicate that the cybercrime landscape and darknet marketplaces (DNMs) have changed significantly following Russia's invasion of Ukraine. Following Russia's invasion of Ukraine, some Western law enforcement agencies imposed tougher sanctions on Russian ransomware platforms.
Likewise, sanctions imposed by the U.S. Office of Foreign Assets Control (OFAC) on popular dark web platform Hydra took a toll on ransomware projects as they struggled to gain market dominance while evading law enforcement agencies.
In an effort to enforce anonymity by changing on-chain behavior, two major ransomware groups, LockBit and Conti, reorganized their activities. Using TRM's on-chain analysis, open-source reports, and proprietary information, the intelligence firm discovered that Conti ceased its original operations and reorganized into three smaller groups named Black Basta, BlackByte, and Karakut. Before diversification, Karakut was a side project run by Conti operators.
LockBit, on the other hand, has rebranded its operations since the Ukrainian invasion last February. Four months later, the group launched LockBit 3.0, which it expects to be apolitical and focused on monetary gains. Additionally, TRM's analysis found a significant increase in the use of Russian-language darknet markets. Criminals have fled to Russian-linked platforms to evade Western law enforcement due to sanctions imposed on DNM.
Overall, Russian-language darknet markets experienced several periods of sustained growth between April-July and October-December 2022. By the end of the year, they had done more than $130 million in sales.
