Ransomware attacks against critical infrastructure organizations globally increased in 2021, with threat actors demonstrating increasing sophistication, says a joint advisory issued on Wednesday by national security agencies in the U.S., Britain and Australia.

In the U.S., the first half of the year was marked by attackers going after “big game” organizations, which are high-value or provide critical services, but U.S. efforts to disrupt the perpetrators led to some of them moving to “mid-sized victims to reduce scrutiny,” says the Joint Cybersecurity Advisory posted by the FBI, Cybersecurity and Infrastructure Security Agency, National Security Agency, the Australian Cyber Security Center, and Britain’s National Cyber Security Centre.

The U.S. agencies observed attacks against 14 of 16 U.S. critical infrastructure sectors, including the Defense Industrial Base, Emergency Services, Government Facilities, and Information Technology.

Ransomware attackers are complex disparate entities, typically a combination of actors, groups and “ransomware families” that don’t know one another, with each receiving a portion of the proceeds paid by a victim to unlock their networks or data, Sandra Joyce, the head of global intelligence and advanced practices for the cybersecurity services company Mandiant [MNDT], said on Wednesday during a cybersecurity panel discussion hosted by The Cipher Brief.

“A lot of people think that it’s one bad guy putting an implant or intruding or something like that but, in reality, it’s this big business and multiple businesses and individuals that are all working toward different pieces of this,” Joyce said. “So, what I mean by that is, if you are a victim of ransomware, it is very likely that there was one person or group that was selling the intrusion and the access first. Then there was another group that was actually doing the lateral movement, and then perhaps yet another group that was actually deploying the ransomware.”

The joint advisory pointed out that this network of ransomware actors makes conclusive identification of the perpetrators “difficult.”

Kelly Bissell, Accenture’s [ACN] lead for global cybersecurity, said during the discussion that ransomware is an area “where crime does pay, at least for now.” He also said that the ransomware organizations understand the “whole value chain” of the industry sectors they victimize, “so when they ask for ransom, they actually ask with data, if you will.”

There is a “silver lining,” of late, which is law enforcement working internationally to take down ransomware networks and work with cryptocurrency markets to recover ransom payments, he said, noting this is “slowly turning the tide but we have much, much more to do together, I think.”

Last year, within weeks of a major ransomware attack against U.S. pipeline operator Colonial Pipeline, the Justice Department seized $2.3 million of a nearly $5 million payment the company made to its attackers to unlock its network from the ransomware.

The advisory highlighted that as long as ransom payments are made “it confirms the viability and financial attractiveness of the ransomware criminal business model.”

The joint cyber advisory said that ransomware actors have expanded their targets by going after cloud infrastructures, managed service providers, industrial processes, the software supply chain, and organizations on holidays and weekends. It also said the trends and behaviors being used by bad actors include phishing, stealing or brute-forcing Remote Desktop Protocol credentials, exploiting vulnerabilities, ransomware as a service, and sharing victim data.