Ransomware groups – who are they, what do they want and how do they do it?

Cybercrime + Ransomware | Csaba Krasznay | December 5, 2023


Ransomware – a cybersecurity term that is now familiar to the general public, and for good reason, as it has a detrimental impact on all areas of the economy.

The biggest challenge to cybersecurity today is clearly the threat of ransomware. Whatever the source, whether it is the press, conferences aimed at a professional audience or even informal conversations, this threat is almost unanimously identified as the biggest problem. This is not surprising in light of the professional manner in which the organised criminal groups behind this type of malicious code have constructed and execute their operations. Moreover, their success can be taken for granted, since their operations are perfect for finding victims who are almost completely unprepared to detect and repel attacks from cyberspace.

But who are these groups?

Industry surveys are not consistent in their assessment of which groups are currently the most significant, but it is clear that the Lockbit group (https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a) stands out from the field. This Russia-linked group has built up an excellent methodology for operating its network in a virtually franchise-like manner. Currently using the Lockbit 3.0 version of its malicious code (https://www.cyber.gov.au/about-us/advisories/2023-03-asdacsc-ransomware-profile-lockbit-3.0), the group takes a very subcontractor-friendly business approach. This means that affiliates wishing to use the group’s infrastructure and know-how are not only offered technical backing, but are also guaranteed that the affiliate is paid first after a successful attack; only then does the ransomware group take its own profit. This assurance is a strong temptation for cybercriminals who would be unable to carry out a sophisticated attack on their own, but who have information about the target where the malicious code can carry out its “blessing”. Sources such as the ENISA Threat Landscape 2023 (https://www.enisa.europa.eu/publications/enisa-threat-landscape-2023) suggest that

the Lockbit group is behind about half of successful ransomware attacks.

The competition for second place in this imaginary ransomware ranking is already fierce, but ALPHV, also known as BlackCat, is probably the strongest candidate for the position. While in the case of Lockbit it is relatively easy to identify where they come from and who they are, in the case of BlackCat the search for their origin is rather messy. Some sources use BlackCat as the name of the malicious code, others as the name of the cybercriminal group. It may be a descendant of the DarkSide group, or it may be a branch of REvil (https://en.wikipedia.org/wiki/BlackCat_(cyber_gang)). Neither is a minor player: the former is linked to the attack on the Colonial Pipeline, the latter to the shutdown of several service providers via the Kaseya vulnerability, for example. The most recent CISA report (https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a) links a group called Scattered Spider to BlackCat, noting that they are probably an affiliate group. Sometimes BlackCat appears around Russian-speaking criminal groups, at other times it enriches the toolbox of Anglo-Saxon cyber attackers. It is therefore a typical example of Ransomware-as-a-Service (RaaS), whose business model is perhaps less attractive than Lockbit’s, but which many still find worth using. TrendMicro reports (https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-blackcat-and-clop-prevail-as-top-raas-groups-for-1h-2023) that

in the first half of 2023, there were 522 successful attacks related to Lockbit and 212 successful attacks related to BlackCat.

This group was also the first to publish samples of data stolen after successful attacks, touting their own success.

Third place is harder to call, but the Cl0p ransomware group (https://en.wikipedia.org/wiki/Clop_(cyber_gang)) is a common feature on the lists, and has been reliably destroying the infrastructure of large and small companies since 2019. This group, also linked to Russia, typically uses mass phishing attacks or zero-day vulnerabilities to deliver its malicious code and gain widespread access to the network. Since 2020 it has been proven to steal data from these networks, so in addition to the “usual” method of encrypting data, it also blackmails victims by threatening to disclose the stolen data if they don’t pay (https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a). This is known as double-extortion. According to the TrendMicro survey cited above,

202 successful attacks were linked to this group in the first half of 2023.

What these groups have in common is that they all operate affiliate programs that open the way to cybercrime for smaller-scale criminals, following the patterns of the organised underworld. They also have in common that they learn from each other and continuously improve their tools and methods of operation. Perhaps the most striking development is that double-extortion is now widely used alongside triple-extortion. Already in 2022, Lockbit added a new extortion element by launching a distributed denial of service (DDoS) attack against victims if the organisation does not pay for the encrypted data or does not want the stolen data disclosed. This may be behind the spectacular increase in DDoS attacks around the world from 2022, some of them using very novel techniques. ENISA’s report this year, however, already uses the term quadruple-extortion. This is where the attacker threatens to disable the victim’s customers and business partners during the ransomware attack.

This highlights more than anything else the supply chain vulnerability that is still painfully under-addressed by organisations.

Attackers are therefore constantly innovating and this innovation needs to be followed in defence as well. Defending against ransomware is difficult, but not impossible. Early detection is one of the key elements, and a managed security operation centre such as White Hat IT Security can be an excellent partner.

Do you want to prepare your company for ransomware attacks but don’t know where to start? Contact us via the form:
