Researchers from Cisco Talos classified a new type of ransomware syndicates, named Privateers. These syndicates fall between financially motivated criminals and state-sponsored threat actors that are prosecuted and hunted by law enforcement, however, do not possess the same status as state-sponsored APT groups.


As per the report, Privateers are not specifically sponsored and directed by any government, but they do have some sort of global government shield over them.
  • The nation-state backing up these groups does not necessarily receive a direct advantage from such groups. However, the support reaches out to them while targeting geopolitical rivals of the protecting state.
  • Such unofficial state protection usually exhibits a lack of law enforcement action, even when demanded via normal channels by other countries.
  • The DarkSide ransomware group is one such example, which recently attacked Colonial Pipeline. Another example is Lockbit, which is known for skipping Russia or its allied country while choosing its targets.

Three tiers of cybercrime groups

Researchers have categorized international cybercrime groups into three categories or tiers:
  • First-tier threat actors include the Lazarus APT group, the North Korean state-sponsored actor. 
  • The second tier includes groups such as Gamaredon and PROMETHIUM. Gamaredon is not a part of traditional Russian intelligence agencies, however, it is believed that the intelligence collected by the group is often passed to Russian interests.
  • Privateers are the third tier of cybercrime groups and usually target government organizations and large enterprises. Lastly, privateer group’s malicious activities can potentially cause social disturbances.


Privateers are becoming prevalent and are likely to change the threat landscape in upcoming years. Though these groups fall a tier below the APT groups sponsored by governments, they have the potential to cause huge damage both in terms of financial and cyberespionage attacks.

Cyware Publisher