Organizations warned of ransomware risk from smaller operators
They may not have the financial muscle, but small-time cyber crooks can cause havoc for critical systems


The risk from small-scale ransomware cyber criminals is not to be underestimated, according to new research by McAfee.
Thibault Seret, a security researcher on the McAfee Advanced Threat Research team, said that while big ransomware attacks make the headlines, there are many smaller actors without access to the latest ransomware samples.
These small-time hackers are “getting creative and looking out for the latest malware and builder leaks they can be just as devastating to their victims.”
Seret said that away from the gaze of researchers who typically focus on the larger ransomware groups, many individuals and smaller groups are “toiling in the background, attempting to evolve their own operations any way they can.”
He said one small-scale threat actor has evolved from deploying homemade ransomware to using major ransomware. They made the transition by leveraging publicly leaked builders to create their versions of Babuk and Chaos.
Seret said there are two distinct types of cyber criminals taking advantage of leaks such as this. One less tech-savvy group merely copied and pasted the builder, substituting the Bitcoin address in the ransom note with their own. The second group has gone further, using the source material to iterate their versions of Babuk, complete with additional features and new packers.
Seret’s team followed one small-scale hacker and noted how they moved from simplistic ransomware and demands in the hundreds of dollars to toying with at least two builder leaks and ransom amounts in the thousands of dollars.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
“While their activity to date suggests a low level of technical skill, the profits of their cyber crime may well prove large enough for them to make another level jump in the future,” he said.
“Even if they stick with copy-pasting builders and crafting ‘stagers’, they will have the means at their disposal to create an efficient attack chain with which to compromise a company, extort money and improve their income to the point of becoming a bigger fish in a small pond, just like the larger RaaS crews.”
John Fokker, head of Cyber Investigations for McAfee Enterprise's Advanced Threat Research team, told IT Pro that even though REvil accounted for 73% of ransomware detections in Q2 of 2021, cyber criminals are resourceful, and large groups are no longer the only players making a profit.
RELATED RESOURCE
The best defence against ransomware
How ransomware is evolving and how to defend against it
“The threat for businesses is intensifying as smaller-scale ransomware actors build on the work of these larger groups,” he said.
Fokker added that enterprises should use this warning as an opportunity to get ahead of adversaries and figure out how they could tighten up their defenses against future attacks.
“This could include the use of threat intelligence, which helps organizations to predict and prioritize potential threats before pre-emptively adapting their defensive countermeasures, ensuring optimized security and future business resilience,” he added.
Fokker said that organizations should also deploy a security strategy that blends zero trust and SASE approaches so enterprises can protect entry and data at every control point.
“This approach is particularly important as opportunistic actors evolve their tactics and will help to ensure organizations have the necessary barriers to protect against attacks of any size,” he said.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.
-
Hybrid cloud has hit the mainstream – but firms are still confused about costs
News How do you know if it's a good investment if you don't have full spending visibility?
-
An executive suggested laid off staff use AI for counseling – I think that's ludicrous
Opinion In the aftermath of Microsoft layoffs, promoting AI career advice feels supremely cold
-
Everything we know about the Ingram Micro cyber attack so far
News A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operators
News A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attack
News A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector