EXECUTIVE SUMMARY:
Ransomware can ravage a business in seconds, inhibiting data access, cutting into profits, and tarnishing a carefully crafted reputation. In the first half of 2022, over 236.1 million ransomware attacks occurred worldwide. In the last year, 66% of organizations were hit by ransomware. In many cases, the same handful of ‘ransomware families’ or ransomware groups keep creating, delivering and propagating ransomware.
In this article, we unpack who’s behind the latest ransomware attacks, how ransomware groups operate, and what to pay closer attention to within your environment. This information can then assist you in determining how to fortify digital infrastructure. Get insights into where and how to focus your innovation and digital transformation initiatives. Create the best ransomware prevention program possible. Let’s dive in:
10 of the most dangerous ransomware groups
1. Clop Ransomware
Clop is one of the most active ransomware groups that experts have observed this year, having conducted more than 100 attacks in the first five months of the year alone.
While Clop targets organizations across industries, from multi-national oil companies to healthcare organizations, it seems to have a particular affinity for organizations with revenues that exceed $5 million. To date, Clop is believed to have cumulatively extorted businesses for more than $500 million in ransom payments.
After Clop’s alleged exploitation of a zero-day flaw in the MOVEit Transfer app over Memorial Day weekend, the U.S. State Department’s Rewards for Justice program announced rewards of up to $10 million for information that would establish a connection between Clop and foreign governments.
2. Conti Ransomware
Another highly active ransomware group, Conti operates a ransomware-as-a-service (RaaS) enterprise, allowing less-skilled cyber criminals to deploy its malware for their own gain, provided that they give Conti a cut of the profits.
What has made Conti notorious, in its own independent ransomware pursuits, is its lack of ethical limitations when it comes to victims. The group has previously deployed ransomware attacks against major healthcare organizations, demanding millions of dollars in return for system recovery.
Conti is also known for actively leaking ransomed data. In 2020, the group flooded the internet with the private data of more than 150 companies.
Highlighting the serious damage that the group is responsible for, in 2022, the U.S. government offered a reward of up to $15 million for information about the group and $10 million for the identity or location of its leaders.
3. Darkside Ransomware
Like Conti, Darkside is also a ransomware-as-a-service (RaaS) group. However, in contrast with its rival, Darkside allegedly refuses to target any type of medical, educational or government institution. If that eases your anxiety about Darkside, bear in mind that the group still engages in for-profit ransomware activity; look no further than the Colonial Pipeline attack.
In May of 2021, Darkside made headlines amidst the Colonial Pipeline ransomware attack, which caused a state of emergency along much of the United States’ East Coast, and cost Colonial Pipeline more than $4 million in remediation expenses.
The weaknesses that Darkside is known to prey on include weak passwords, RDP exposed directly to the internet instead of behind a VPN, improperly configured firewalls, and lack of two-factor authentication.
4. ALPHV (BlackCat)
This ransomware gang is known for its creative and “crazy” ideas. For instance, the group writes its malware in the Rust programming language, which makes analyzing and reverse-engineering its ransomware more complicated than it used to be. The group is also known for triple extortion tactics that involve DDoS attacks.
ALPHV, a.k.a. BlackCat, had compromised at least 60 entities worldwide as of March 2022. Across this year, the group has executed several notable breaches. The group has taken credit for compromising airports, oil refineries and other critical infrastructure providers.
This group is either loosely tied to Darkside or may be a rebrand of Darkside. Also worth noting, BlackCat hackers may have previously worked with the REvil cartel, which you’ll read more about in a second.
5. REvil a.k.a. Sodinokibi
This group managed to infect hundreds of MSPs with ransomware in July of 2021 during the Kaseya attack, and has hacked countless other individual entities, from Apple to a nuclear subcontractor for the U.S. government.
You’ve probably heard this story, as it received extensive media coverage and Cyber Talk coverage in 2022. In January of the same year, following diplomatic pressure, Russian authorities seized REvil’s assets, including 426 million rubles and 20 luxury cars.
However, this ‘takedown’ proved temporary. The group resumed operations in April of that year.
REvil also uses the RaaS model. The group is known for providing network access to affiliates, who execute ransomware attacks or who negotiate with victims on REvil’s behalf.
But get this – REvil’s leaders are so malicious that they’re said to have scammed their own affiliates out of their cut of profits.
6. LockBit
According to CISA, in 2022, LockBit’s ransomware was the most deployed ransomware variant around the world, and in 2023, the group has continued with its activities.
This ransomware group has been known to exploit both older vulnerabilities and newer vulnerabilities (such as the Fortra GoAnywhere Managed File Transfer Remote Code Execution Vulnerability, listed as CVE-2023-0669, and the PaperCut MF/NG Improper Access Control Vulnerability, listed as CVE-2023-27350).
Tactics and techniques used include drive-by compromise, exploitation of public-facing applications, phishing, exploitation of exposed RDP to gain network access, and credential abuse, among numerous others.
This group continuously innovates and upgrades its technical capabilities, hoping to stay ahead of cyber security professionals.
7. Maze Ransomware
Maze is known for its use of double-extortion. The group has previously targeted major enterprises, including Canon, LG and Xerox. While Maze has reportedly ceased operations, the group’s prolific and devastating activities have created a template for other ransomware groups. Thus, Maze continues to have an outsized effect to this day.
8. Ryuk Ransomware
In 2020, Ryuk allegedly targeted hundreds of hospitals around the time of the American elections. The group is known not only to have encrypted network drives and resources, but to have taken the time to destroy backups of victims’ data. When no external backups exist, attack recovery can be extremely difficult, if not impossible, especially for smaller organizations.
In the span of two years, Ryuk collected more than $61 million from ransomware victims, according to the U.S. FBI.
9. DoppelPaymer
The DoppelPaymer operators have typically demanded between $25,000 and $17 million from victims, which have included government organizations and corporate groups.
Earlier this year, Europol announced that law enforcement in Germany and Ukraine targeted two leaders of DoppelPaymer. Authorities are still searching for three additional DoppelPaymer members. The group is affiliated with Russia and may or may not be connected to the government.
10. Black Basta
This ransomware group consists of members from the Conti and REvil ransomware gangs, with which it maintains similar tactics, techniques and procedures.
With its highly skilled and experienced group members, Black Basta often gains access to corporations by exploiting unpatched cyber security vulnerabilities and publicly available source code.
The group first emerged in 2022 and racked up 19 well-known enterprise victims, along with more than 100 confirmed victims, during its first few months of operation alone.
Black Basta uses distinctive techniques within attacks, such as disabling a compromised system’s DNS service. This inherently complicates the recovery process, since a host without name resolution cannot reach the internet to fetch tools or updates.
For insights into ransomware prevention, please see CyberTalk.org’s past coverage. Lastly, to receive timely cyber security insights and cutting-edge analyses, please sign up for the cybertalk.org newsletter.
The post 10 of the most dangerous ransomware groups right now appeared first on CyberTalk.