The November 14th return of Emotet correlates with two long-term developments in the ransomware ecosystem: unmet demand for commodity loaders and the decline of the decentralized RaaS (Ransomware-as-a-Service) model, accompanied by the return to dominance of organized crime syndicates such as Conti. Researchers at AdvIntel confirmed that former Ryuk members convinced former Emotet operators to set up a backend and a malware builder from the existing repository project and return to business, restoring the TrickBot-Emotet-Ryuk triad. This partnership lets the Conti syndicate meet the unfulfilled demand for initial access on an industrial scale, while competing groups such as LockBit or HIVE must rely on individual, lower-quality access brokers. As a result, Conti can further advance its goal of becoming a ransomware monopolist.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia’s invasion of Ukraine increased