BlueVoyant Launches New Ransomware Attack Playbook

January 27, 2022

The "Unintended Consequences of Ransomware” details exploits from known ransomware gangs and cyber criminals, such as Canadian Sébastien Vachon-Desjardins, who reportedly earned $27M USD as an affiliate for Netwalker ransomware.

NEW YORK, January 27, 2022 – BlueVoyant, the industry’s leading integrated, end-to-end internal and external cyber defense platform, today announced its 2022 ransomware attack playbook series, comprising five mini reports that shed light on how ransomware attacks happen, why and what happens when they do, as well as the impact they have on various different stakeholders.

Following a series of major ransomware incidents in 2021, BlueVoyant sought to demystify and explain some of the basic questions around ransomware attacks and the actors involved.

The BlueVoyant ransomware series launches on January 27 and kicks off with an introduction before diving into "Ransomware Gangs," charting how this form of attack started and then has become so prevalent in the cybercriminal economy. It traces the evolution of leak sites, ransomware-as-a service (RaaS) while exploring how this has fueled growth and how gangs and ransomware such as REvil, Maze, Darkside, Avaddon, Ryuk, WastedLocker and Netwalker have evolved in the underground economy.

Thomas Lind, Co-Head of Strategic Intelligence at BlueVoyant, said: “It is fascinating how those early ransomware innovations have now spawned a whole industry whereby gangs have structured themselves into businesses, creating their own ecosystem of partners and vendors who develop marketing campaigns and other initiatives, just like any other legitimate business.

“Now, the availability of RaaS has opened the market up to less skilled attackers, but we have also seen a shift away from unsophisticated tactics to longer-term approaches designed to deliver a far more substantial payoff. Attackers are identifying lucrative targets and devoting considerable effort to gaining undetected access to the network, exfiltrating data and gaining persistence sometimes months before they encrypt the organization’s systems and demand a ransom.”

Ransomware attacks have increased dramatically in the past couple of years, doubling and – in some instances – quadrupling in frequency. The playbook series highlights that according to the U.S. Department of Justice, approximately 4,000 ransomware attacks occur daily, and that number has grown annually over the past few years.

The surge in attacks has been fueled in part by the rise of the “triple extortion” ransomware technique, whereby attackers not only steal sensitive data from organizations but threaten to release it publicly unless a payment is made, while also targeting the organizations’ customers, vendors and business partners. But it is more than just a criminal enterprise of holding individuals and companies to ransom; it has become a tool for geopolitics, an issue for policymakers and a threat to the health and safety of citizens.

Today, authorities are ratcheting up pressure on organizations not to pay ransoms in a bid to try and cut off the attackers’ incentive. In 2021 the U.S. Department of the Treasury issued an advisory notice announcing that firms that engage with ransomware victims to facilitate ransom payments may be liable for prosecution if they pay groups that are subject to U.S. sanctions. However, so far this has had little success in slowing the onslaught since many of the attackers are not covered by sanctions.

Following this first installment are four more playbooks that cover different perspectives in equal depth: “Victim Organizations, Victim Individuals, Insurance Companies, and Policymakers.” “Victim Organizations” examines the way impacted organizations respond to attacks, analyzing in detail one of the worst-case scenarios: Colonial Pipeline. It covers the technical and legal challenges affected organizations face, detailing the bigger picture around how incidents play out from immediate triage to longer-term business recovery. Impacted firms face reputational damage, litigation costs, regulatory compliance, security restructuring, loss of production and productivity.

“Victim Individuals” investigates how attacks affect individuals and citizens on a scale ranging from minor inconvenience and financial losses to life-threatening emergencies. It cites the consequences of attacks on personal fitness tracking service Garmin and its related social platform Strava, and explores the potentially devastating impact of attacks on healthcare facilities and hospitals.

The last two playbooks review how the insurance industry has reacted to rampant cybercrime. The “Insurance Companies” playbook explores the evolution of cyber insurance and how the industry balances protecting the interest of its clients while mandating baseline security requirements to justify insurance payouts. Meanwhile, “Policymakers” delves into what policies are necessary on a national and international level to reduce cybercrime and protect citizens, and what challenges governments and policymakers are up against.

Jim Rosenthal, CEO, BlueVoyant concluded: “Since the pandemic broke 20 months ago, ransomware attacks have become prolific and plagued multiple industries. The ransomware threat is difficult to understand and face down because at its heart is a series of complex dynamics between attacker and victim, state and citizen, private and public sector, policymaker and geopolitical maneuvering. However, as pressure on victims increases, attackers will continue to evolve their tactics to gain the maximum payoff. Therefore, it was important for us to launch this playbook series to help inform and clarify for our audience how attacks occur, and what happens after they do.”

About BlueVoyant

At BlueVoyant, we recognize that effective cybersecurity requires active prevention and defense across both your organization and supply chain. Our proprietary data, analytics and technology, coupled with deep expertise, works as a force multiplier to secure your full ecosystem.

Accuracy. Actionability. Timeliness. Scalability.

Founded in 2017 by former Fortune 500 and former government cyber officials, BlueVoyant is headquartered in New York City and has personnel in Maryland, Tel Aviv, San Francisco, Manila, Toronto, London, Madrid, Melbourne, Budapest and Latin America among other locations. Visit

BlueVoyant Press Contacts

Danielle Ostrovsky
Hi-Touch PR (North America)
T: 001 410-302-9459
E: [email protected]

Jim Pople
C8 Consulting (EMEA & APAC)
T: +44 7955 030191
E: [email protected]