Business Ransomware: ongoing reorganisation
Following the attack on Colonial Pipeline by a DarkSide ransomware operator and subsequent attention from United States national security authorities, a reorganization of criminal groups and underground dynamics connected to the RaaS (Ransomware-as-a-Service) business appears to have been initiated.
PROMETHEUS: Ransomware Operator
One notable case is a new criminal group that initially identified itself as “PROMETHEUS: Group of REvil” and subsequently changed to the more generic “GROUP OF COMPANIES”.

BABUK Locker Ransomware
The developers of BABUK Locker have announced their intention to establish a dedicated leak site, recently publishing “payload.bin”. It remains unclear whether the group has decided to rebrand or whether this platform will be used exclusively as a resale marketplace for exfiltrated data. Our Cyber Threat Intelligence operations continue to monitor this infrastructure for operational indicators and victim attribution patterns.

GRIEF: New Criminal Group

These organizational shifts within the ransomware-as-a-service ecosystem reflect broader operational security adaptations following heightened law enforcement scrutiny of high-profile infrastructure targeting campaigns.