FBI tracking more than 100 active ransomware groups


While some ransomware gangs have gone silent, many continue to operate, pointing to the challenge authorities face in cracking down on the problem.

The FBI is tracking more than 100 active ransomware groups, an agency official said Tuesday.

The figure, given by Bryan Vorndran, assistant director of the agency's cyber division, during a Senate Judiciary Committee hearing on ransomware, highlights the sizable problem that the United States faces in trying to mitigate the effects of ransomware gangs that attack American businesses, schools and other organizations.

Some ransomware gangs have gone quiet in recent months after conducting a major attack that caught worldwide attention. DarkSide, the group that hacked Colonial Pipeline in May, disappeared from the internet a few days later. REvil, one of the most prolific ransomware gangs to date, mysteriously went dark earlier this month after a sprawling attack that infected more than 1,500 organizations around the world.

Those disappearances mean little compared to how vast the ransomware underworld is, said Brett Callow, an analyst at the cybersecurity firm Emsisoft.

"Seemingly new groups pop up all the time," he said. "In some cases, they’re affiliates of other operations. In some, they're rebrands."

Historically, researchers have spotted more than 1,000 ransomware groups, Callow said, though most of those seem to have gone dark.

"In terms of serious, newly-named groups, you probably get one or two per month," he said.

Tracking the cybercriminals behind ransomware is a difficult task. The hackers who write and maintain ransomware software are often different from those who deploy it, with the two parties sharing the profits.

Ransomware gangs are often identified by the names that the software's authors give them. But membership gets muddy for law enforcement purposes, as a hacker who rents a famous type of ransomware for a particular attack might not have any kind of prior affiliation with the malware's designers.

While many ransomware hackers are Russian, and the Biden administration has confronted the Kremlin in particular for not stopping such hackers, ransomware operations are often multinational endeavors, Vorndran said in the hearing.

"While the developers may be Russia-based, the affiliates that deploy the ransomware may or may not be Russia-based," he said.

Mapping out a comprehensive look at a given ransomware operation is particularly difficult, Vorndran said, because the hackers behind it are often good at hiding their tracks.

"It's extremely challenging to gain attribution down to a keyboard or an actor behind a keyboard," he said. "I would estimate about half of our cases don't have accurate attribution because of the complexity involved."

