Currently, ransomware creators include individuals, cyber criminal gangs and state-supported groups. Out of these individuals and groups, cyber criminal gangs are the most proactive in ransomware development, while individuals and state-supported groups are less so. Privately developed ransomware is most often for research purposes with the intention of destroying data. Some state-sponsored threat groups also develop ransomware. The purpose of these cases is not for financial gain either but for data destruction, and Wipers, which do not allow recovery, are created disguised as ransomware.
Some ransomware gangs do not attack medical institutes or social infrastructures. This could be due to social criticism and to avoid drawing attention from legal authorities. To avoid the surveillance of regional law enforcement, these threat actors also design ransomware to not function in systems in specific regions.
As the ransomware industry grew, cyber criminal gangs could not undertake all the tasks by themselves. So, they operate via Ransomware-as-a-Service (RaaS) and invite affiliates to distribute the ransomware. These affiliated organizations are called initial access brokers (IABs), and they are responsible for infecting systems with ransomware.
Ransomware is the most popular and profitable method for cyber criminal gangs. To maximize their profits, people involved often attempt attacks tailored to local environments. These organizations also tend to spread ransomware in familiar areas. The language, programs, and cultures differ by location, so this process often requires attack methods suitable for specific regions. Also, there are ransomware gangs that started their activities locally. These organizations first conduct activities in regions familiar to themselves before branching out to other locations.
Currently, there are signs of localized ransomware attacks in some areas, but it cannot yet be said that localized ransomware attacks are the mainstream.