2021 Annual Crimeware Report: From Tailwinds to Headwinds

Over the past few years, cybercriminals have safely launched campaigns from the comfort of their home offices. Save for a few
large-scale takedowns — for example, the dismantling of Slilpp, the largest marketplace for stolen credentials, and the arrests of
REvil and Cl0p affiliates — this trend held steady throughout most of 2021.

Towards the end of the year, after law enforcement agencies — most remarkably, those in previously indifferent nation states, such
as Russia and Belarus — became more aggressive in targeting criminal operations, some threat actors began to vocalize the need
to stop conducting campaigns or operating forums. And while Russian and Belarusian motivations are unclear, their actions will
likely spell change for where and how threat actors operate in Eastern Bloc locales.

This heightened government focus may not stop ransomware, but it will likely help ensure the shakeup of existing Ransomware-as-a-Service (RaaS) operating models. Some threat actors may choose to launch extortion-only campaigns to minimize “disruption” to their own operations, while others may explore new ways to improve their tradecraft to avoid identification. Those actors that do not adapt, however, will become easy targets for law enforcement. This extends to legitimate businesses that turn a blind eye to or do not follow internationally accepted know-your-customer practices.