EXECUTIVE SUMMARY:

Ransomware can ravage a business in seconds; inhibiting data access, cutting into profits, and tarnishing a carefully crafted reputation.

In 2023, every week, on average, 1 out of every 34 organizations worldwide experienced an attempted ransomware attack, representing an increase of 4% compared to the same period last year.

In many cases, it is the same handful of ‘ransomware families’ or ransomware groups that keep creating, delivering and propagating ransomware.

In this article, unpack who’s behind recent ransomware attacks, how ransomware groups operate, and what to pay attention to within your environment.

This information can then assist in determining how to fortify digital infrastructure. Get insights into where and how to focus your digital innovation and transformation initiatives. Create the best ransomware prevention program possible.

Let’s dive in:

The 10 most dangerous ransomware groups right now

1. Lockbit3. Of all the active ransomware groups, between January and June of 2023, Lockbit3 proved the most prolific.

Lockbit3’s maneuvers gave rise to 24% of all reported victims. The group attempted to disrupt and publicly extort organizations across more than 500 different instances, which represents a 20% increase in victims as compared to H1 2022.

LockBit leverages a Ransomware-as-a-Service model and typically targets large enterprises and government entities. LockBit goes after organizations worldwide, except for those in Russia or other Commonwealth of Independent States.

The recommended mitigations list is extensive. Your organization might start with implementing sandboxed browsers, requiring accounts to comply with NIST password management and policy standards, and implementing email filters.

2. Clop Ransomware. Clop is among the most active ransomware groups observed this year, having led more than 100 attacks in the first five months of the year alone.

While Clop targets organizations across industries, – from multi-national oil companies, to healthcare organizations – it seems to have a particular affinity for organizations with revenues that exceed $5 million.

To date, Clop is believed to have cumulatively extorted businesses for more than $500 million in ransom payments.

After Clop’s alleged exploitation of a zero-day flaw in the MOVEit Transfer app in the spring of last year, the U.S. State Department’s Rewards for Justice program announced rewards of up to $10 million for information establishing a connection between Clop and foreign governments.

3. MalasLocker. This group first emerged in April of 2023. In its comparatively brief existence, it has done a lot of damage, targeting over 170 victims.

Approximately 30% of said victims have been Russian entities, which is highly atypical, as attacks on former Soviet Union targets are usually avoided.

The group largely targets users of Zimbra, an online collaboration tool intended for organizational employees. The group is best known for its seeming anti-capitalist sentiment, where it demands that victims make “charitable donations” to a non-profit of the victim’s choice.

The group has started out by targeting smaller organizations, however, it may attempt to wreak havoc on larger organizations as the weeks and months progress.

4. ALPHV (BlackCat). This ransomware gang is known for its creative and “crazy” ideas. For instance, its use of the rust programming language, which makes detangling ransomware attacks much more complicated than previously.

Across this year, ALPHV a.k.a BlackCat has executed several notable breaches. The group has taken credit for compromising airports, oil refineries and other critical infrastructure providers.

The cyber criminals involved are either loosely tied to the Darkside group or may have initiated a rebrand of the Darkside gang. Also worth noting, BlackCat hackers may have previously worked with the REvil cartel.

The recommended mitigations list is extensive. Recommended mitigations include reviewing domain controllers, servers, workstations and active directories for new or unrecognized user accounts, backing up data, reviewing Task Scheduler for unrecognized scheduled tasks, and reviewing antivirus logs for any indications of tampering.

5. Bianlian. Starting in June of 2022, this ransomware developer, deployer and data extortion group has targeted organizations across U.S. infrastructure sectors. The group has also compromised Australian infrastructure, professional services and property development organizations.

Bianlian attempts to gain system access through valid Remote Desktop Protocol (RDP) credentials, open-source tools and command-line scripting (for discovery and credential harvesting). Then, the group exfiltrates victim data via File Transfer Protocol (FTP), Rclone or Mega. Once complete, the group demands payment, threatening to dump private data online if payment is not made.

To mitigate threats from Bianlian, CISA recommends that organizations strictly limit use of RDP and other remote desktop services, disable command-line and scripting activities and permissions, and reduce use of PowerShell and update Windows or PowerShell or PowerShell Core to the latest versions.

6. Royal. This group has targeted a variety of critical infrastructure sectors, including the manufacturing, education, communications, and public health sectors.

The Royal ransomware group typically disables antivirus software and exfiltrates large quantities of data. Afterwards, the attackers deploy ransomware and encrypt systems.

In the past, Royal group criminals have made ransom demands ranging from approximately $1 million to $11 million USD.

In protecting against Royal, defenders are encouraged to retain multiple copies of sensitive or proprietary data and servers in physically separate, segmented and secure locations.

Further, require all accounts to comply with password management best practices, require multi-factor authentication, patch systems (and software and firmware) as needed, and segment networks.

7. Play. This ransomware group appeared in June of 2022. It was named for the “.play” file extension added after encryption of a target’s files and the single-word ransom note “PLAY” that’s shown to victims.

The group leverages custom tools. This approach is believed to reduce dwell time, decreases the likelihood that the tooling will be reverse-engineered or adapted by other groups, and may provide tighter control over operations than is otherwise available.

Initially, the group focused on Latin America, with an emphasis on Brazil. However, the group’s interests have expanded. In recent months, the group forced a state of emergency in the city of Oakland, California.

8. Akira. This group exploits public-facing services or applications, takes advantage of weaknesses in multi-factor authentication and also exploits known vulnerabilities in software.

Akira ransomware attackers target educational institutions, financial groups, those in the manufacturing sector, real estate and medical industries.

In the past, Akira has leaked victims’ data on their leak site. The size of the leaked data has ranged from 5.9 GB to 259 GB. Ransom payment demands have ranged from $200,000 to several million dollars.

9. NoEscape. These hackers rapidly emerged as a formidable threat earlier this year. NoEscape says that they’ve built their malware and its supporting infrastructure from scratch.

In terms of targets, it appears that NoEscape operators avoid attacking organizations in the Commonwealth of Independent States (CIS).

As of this writing, the NoEscape group provides its affiliates with ways to create their own payloads and to manage payloads for Windows and Linux. Apply a multi-layered approach in order to defeat these ransomware attackers.

10. Other. Roughly 34% of ransomware attacks are executed by a diverse set of ransomware groups.

These include groups like BlackBasta, Hive, and Conti, along with a cadre of others, some of which hide behind continual name changes, in an effort to “rebrand.”

 Further thoughts

Leverage these insights to elevate your cyber security and resilience posture. For more insights into ransomware, please see CyberTalk.org’s past coverage. Lastly, to receive timely cyber security insights and cutting-edge analyses, please sign up for the cybertalk.org newsletter.