Ransomware groups have relentlessly targeted businesses and infrastructure, causing colossal damages worth billions of dollars annually. Shockingly, some of these groups even offer ransomware-as-a-service, luring affiliates and other threat actors to contribute to the rise in attack statistics and generate more revenue. This article dives deep into the infamous ransomware groups, most of which offer ransomware-as-a-service, highlighting their tactics, victims, and the massive financial losses incurred.
Additionally, we examine various approaches, real-life instances, and the economic impact of these ransomware gangs, emphasising the dire need for robust cybersecurity. In this article, we present the top 7 most dangerous ransomware groups. Taking immediate action and implementing strong cybersecurity measures is crucial as these ransomware groups pose a significant threat to businesses and infrastructure.
Cylance: Precision and Stealth
Cylance is a well-organised global ransomware group that launches attacks on Windows and Linux computers and networks. They have compromised enterprises of all sizes and industries using modern techniques, and they plan their attacks to extort victims for large sums.
In our newest quarterly threat landscape report, K7 Cyber Threat Monitor Q1-2023-24, we included a case study on how Cylance infiltrated one of our enterprise customers by abusing internet-facing services on default ports.
Diverse Approaches:
Cylance uses various methods to infiltrate and launch ransomware attacks:
- Phishing Emails: They convince people to click harmful links or download dangerous attachments.
- Exploiting Vulnerabilities: The gang uses software weaknesses to access networks and deploy ransomware.
- Remote Desktop Protocol (RDP) Attacks: They use weakly protected RDP connections to take over machines and deploy ransomware.
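The RDP attacks listed above (and again in the Conti and LockBit sections below) leave a recognisable trace on the defender's side: a burst of failed remote-interactive logons from one source, sometimes followed by a success. The following detector is an added example, not code from the K7 article or from K7's products. It runs over constructed, simplified key=value log lines (the field layout is an assumption of the example, not the raw Windows event format) and flags any source address that exceeds a threshold of failed RDP logons (event 4625, logon type 10) inside a sliding window, noting whether the same address later achieved a successful logon (event 4624).

```python
"""Detect RDP password-guessing from (constructed) Windows Security log lines.

Added example, not code from the K7 article. The log format below is a
simplified key=value rendering assumed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: six failures from 203.0.113.7 in under three minutes,
# then a success; one stray failure from 198.51.100.20 (a mistyped password).
SAMPLE_LOG = """\
2024-05-01T08:00:01 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2024-05-01T08:00:12 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2024-05-01T08:00:40 EventID=4625 LogonType=10 User=backup Src=203.0.113.7
2024-05-01T08:01:05 EventID=4625 LogonType=10 User=svc_sql Src=203.0.113.7
2024-05-01T08:01:44 EventID=4625 LogonType=10 User=jsmith Src=203.0.113.7
2024-05-01T08:02:30 EventID=4625 LogonType=10 User=jsmith Src=203.0.113.7
2024-05-01T08:02:55 EventID=4624 LogonType=10 User=jsmith Src=203.0.113.7
2024-05-01T08:03:10 EventID=4625 LogonType=10 User=alice Src=198.51.100.20
2024-05-01T08:03:30 EventID=4624 LogonType=10 User=alice Src=198.51.100.20
"""


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src: {...}} for sources with >= threshold failed RDP logons
    (EventID 4625, LogonType 10) inside any window of the given length.
    'success_after' records whether the source later logged on successfully
    (EventID 4624), which is the case that warrants immediate response."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_src = defaultdict(list)
    for e in events:
        if e.get("LogonType") == "10":  # RemoteInteractive (RDP) only
            by_src[e["Src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["EventID"] == "4625"]
        # Sliding window: does any span of `window` hold >= threshold failures?
        hit_end = None
        for i in range(len(fails)):
            j = i
            while j < len(fails) and fails[j]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:
                hit_end = fails[j - 1]["ts"]
                break
        if hit_end is None:
            continue
        success_after = any(
            e["EventID"] == "4624" and e["ts"] >= hit_end for e in evs
        )
        alerts[src] = {
            "failures": len(fails),
            "users": sorted({e["User"] for e in fails}),
            "success_after": success_after,
        }
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```

The threshold and window are tunable; the useful output for a SOC is the `users` list (a spread of account names from one source is typical of password spraying rather than a forgetful user) and `success_after`, which separates a blocked attempt from a likely compromise that needs the session terminated and the account reset.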
Real-Life Instances:
- Atlanta: In 2018, the Cylance gang encrypted critical data, disrupted services, and demanded $51,000. The catastrophe caused massive financial losses, system disruptions, and reputational damage.
- Healthcare Institutions: The gang exploits healthcare institutions’ reliance on sensitive patient data. These attacks have disrupted patient care, jeopardised medical data, and caused considerable financial losses.
- Educational Institutions: The Cylance gang has also targeted colleges and universities. These attacks have disrupted online learning, compromised student records, and damaged reputations.
Financial Impact:
The Cylance gang’s exploits are financially devastating. Security assessments say their hacks cost global organisations millions of dollars. Ransom payments, system restoration, legal fees, and potential revenue loss during downtime significantly impact targeted organisations and the economy.
Conti: The Proficient Extortionists
Conti became known for the ransomware-as-a-service operation it began offering in late 2019. The gang’s main tactic is “double extortion”: encrypting victims’ data and exfiltrating it to force ransom payments. They target corporations, hospitals, universities, and government bodies.
Conti is known for its successful extortion. They painstakingly infiltrate networks and exfiltrate important material, threatening to release it publicly if the ransom is not paid. This method has crippled organisations in healthcare, finance, and manufacturing.
A Ukrainian researcher disclosed this Russia-based RaaS group’s encryptor, decryptor, and builder source code on Twitter. Later, another researcher cracked the encrypted source code for numerous other ransomware variations, including Linux and Windows-compatible AKIRA. Our K7 Labs blog {Link here} has more information about this latest variation.
Different Approaches:
The Conti ransomware gang compromises networks in several ways:
- Initial Access: Conti gains unauthorised access using spear-phishing emails, exploit kits, exposed Remote Desktop Protocol services, and managed service providers (MSPs).
- Lateral Movement: Once inside a network, Conti uses lateral movement tooling to locate critical data systems and escalates privileges to gain broader control.
- Encryption and Exfiltration: Conti encrypts and exfiltrates victims’ data. They steal sensitive data and use it to force corporations to pay the ransom.
Notable Victims and Real-life Instances:
Conti malware has targeted many high-profile victims worldwide. Examples include:
- In February 2022, they compromised a terminal operator that manages 24 European and African seaports. The attack disrupted operations at all 24 ports.
- They demanded $40 million after infiltrating Broward County Public Schools. The gang posted the stolen data on its website when the school district refused to pay.
- The RaaS gang demanded millions of dollars from the Scottish Environment Protection Agency (SEPA) in 2020.
- In the 2021 attack on UHNJ, the gang disrupted patient treatment and demanded a hefty ransom.
Vice Society Ransomware Gang
The Vice Society ransomware gang is a prominent organised cybercrime outfit. They encrypt files using complex methods and demand money to release infected systems or sensitive data.
Approaches:
The Vice Society gang compromises victims’ systems through numerous methods, including phishing emails, malicious attachments, exploit kits, RDP attacks, and unpatched software vulnerabilities.
Victims:
Their opportunistic attacks target individuals, organisations of all sizes, government agencies, healthcare institutions, financial institutions, and educational institutions.
Real-Life Instances:
A high-profile Vice Society attack on a large healthcare organisation knocked down crucial systems, disrupted operations, delayed patient care, and compromised sensitive patient data. They also attacked local governments, causing major service disruptions.
Rise of the Clop Ransomware Gang
The Clop ransomware-as-a-service group emerged in 2019 and has expanded its operations since then. The gang recruits affiliates to spread its ransomware, a model that increases both its impact and its reach.
Advanced Techniques:
Clop ransomware employs sophisticated techniques, including exploiting vulnerabilities and running phishing campaigns.
Wide Range of Victims:
The Clop gang targets finance, healthcare, education, manufacturing, retail, and virtually every other industry. Their adaptability makes it difficult for enterprises to defend their systems.
Real-Life Instances:
- They demanded a ransom from Mexico’s leading energy firm in early 2020.
- Their attacks have caused service failures, data breaches, and notable financial losses to universities, hospitals, and government institutions.
Financial Impact:
The Clop ransomware gang’s operations are financially devastating. In 2020, the group reportedly received $500 million in ransom payments. Companies hit by Clop assaults must pay the ransom or risk data loss, operational disruption, reputational damage, and legal issues.
DarkSide: Balancing Profit with Public Relations
DarkSide is a well-organised ransomware operation. Its rigorous reconnaissance and distinctive negotiation tactics set it apart from other ransomware gangs.
They produce “ransomware-as-a-service” (RaaS) software and distribute it to affiliates who carry out the attacks. DarkSide handles the ransom process and collects a share of each payment.
Exploring DarkSide’s Victims:
DarkSide has targeted many companies across industries. They target banking, healthcare, energy, manufacturing, and logistics companies, from huge organisations to SMEs. These assaults can jeopardise critical infrastructure, intellectual property, and customer data.
Real-Life Instances:
- 2020: DarkSide attacked a technology company belonging to a large Japanese conglomerate and demanded an $11 million ransom.
- 2020: The DarkSide gang demanded 4 Bitcoin after compromising a Canadian hotel’s computer systems. The hotel’s owners paid the ransom to restore their systems.
- 2021: DarkSide’s most significant attack was on a major US gasoline pipeline operator. The attack caused East Coast fuel shortages and panic buying.
Financial Impact and Extortion Practices:
DarkSide’s operations are costly for their victims. When paid, their multi-million-dollar ransom demands fund and motivate the group to continue its illegal activities. DarkSide has even offered a bonus programme to speed up payment and deter victims from involving law enforcement. Their operations are systematic and profit-driven.
REvil: The Extortion Empire
REvil, also known as Sodinokibi, is a potent ransomware strain controlled by a sophisticated cybercriminal group. They offer it as “ransomware-as-a-service” (RaaS) to numerous actors: REvil’s creators sell the ransomware to affiliates, who carry out attacks and share the proceeds with the group.
Targeted Victims:
REvil RaaS targets healthcare, banking, legal, manufacturing, and technology organisations. Small and medium-sized enterprises (SMEs) are often particularly vulnerable because they lack robust cybersecurity measures. Notably, in 2020, REvil targeted companies providing IT services, exploiting their remote access tools to gain unauthorised access to their customers’ networks.
Real-Life Instances:
- 2019: REvil hit a US-based foreign exchange company in December 2019. The group breached the company’s network, encrypted data, and demanded $6 million. The enterprise later paid $2.3 million in Bitcoin to regain control of its systems.
- 2021: REvil targeted a leading computer and peripheral maker in March 2021. The group sought $50 million, one of the largest ransoms ever demanded. The company’s recovery and whether it paid remain unknown.
- REvil compromised a New Mexico defence contractor in May 2021. The group stole confidential data on U.S. military technology. The event highlighted ransomware’s national security implications.
- The group targeted two critical organisations: the world’s largest meatpacking enterprise and a software group. Both attacks forced a temporary shutdown of operations, and the meatpacker paid an estimated $11 million ransom to prevent a data leak. The ransom demanded from the software group was not disclosed.
Financial Impact:
REvil’s operations are costly for victim organisations. Beyond any ransom, victims must cover incident response, investigation, and system restoration. Reputational harm and short-term disruption can also hurt revenue and market value. To avoid reputational damage, victims may pay the ransom, which further encourages REvil.
LockBit: Evolution in Ransomware
The LockBit group uses cutting-edge methods to boost its success rate. They exploit exposed RDP services, send spear-phishing emails, and compromise IT service providers. These methods let them deploy ransomware on networks without authorisation.
Targeted Victims:
The Lockbit gang has targeted government, healthcare, educational, financial, and corporate groups. They capitalise on these industries’ urgency and criticality to get significant payouts.
Real-Life Instances:
- LockBit attacked a Finnish forest sector business in August 2021. They breached the company’s computers, encrypted their contents, and demanded a Bitcoin ransom.
- LockBit attacked a massive software group in July 2021. They encrypted the company’s sensitive data after gaining access through a compromised VPN profile.
The Consequences of Ransomware Attacks:
The impact of ransomware attacks extends beyond financial losses. Victims may experience reputational damage due to compromised customer data, not to mention the potential legal ramifications. For businesses, such attacks can result in significant downtime, lost productivity, and damage to customer trust. Critical infrastructure sectors like healthcare, energy, and transportation are also at risk, as ransomware can disrupt essential services that impact public safety and well-being.
The Importance of Prevention Measures:
Prevention is the key to mitigating ransomware attacks. Implementing the following measures is crucial for safeguarding against this ever-present threat:
- Regular Data Backup: Critical data must be backed up using the 3-2-1 strategy (three copies, on two different media, with one copy off-site) or another proven backup strategy, and stored offline or in secure locations. This ensures that systems and data can be restored without paying the ransom.
- Robust Security Software: Antivirus and anti-malware software on all devices adds another layer of protection. Keeping these security tools updated helps detect and stop new malware.
- User Awareness and Training: Employees must learn email, web browsing, and downloading best practices. To avoid ransomware, warn people about phishing, suspicious URLs, and unexpected email attachments. K7 Academy could be a great help in this matter.
- Regular Security Updates: Vendors regularly release patches for vulnerabilities in software and systems, so applying updates promptly is vital.
- Network Segmentation: Segmenting networks limits attackers’ ability to move laterally across an organisation’s systems and steal large amounts of data.
- Verify Your Protections: Regularly test your ransomware protections and security procedures. You may find this technology at www.k7computing.com.
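The backup bullet above only pays off if the copies actually satisfy the 3-2-1 rule and can be restored intact, which is exactly what an attacker who reaches an online backup share will break. The script below is an added example, not K7’s code: it checks an inventory of copies against the rule and verifies restorability by comparing a SHA-256 manifest of each copy with the live data. Files, the copy inventory, and the “medium” and “offline” labels are constructed for the example, and the tampered NAS copy simulates an online backup that was encrypted alongside production.

```python
"""3-2-1 backup verification (added example, not code from the K7 article).

check_321() tests an inventory of copies against the rule (three copies,
two media types, at least one offline/off-site); verify_restore() proves a
copy is actually usable by comparing SHA-256 manifests with the live data.
All paths, media labels and file contents below are constructed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def manifest(root):
    """Map relative path -> SHA-256 hex digest for every file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_321(copies):
    """copies: list of {"path": ..., "medium": str, "offline": bool}, the
    primary copy included. Returns which parts of the 3-2-1 rule hold."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c["medium"] for c in copies}) >= 2,
        "one_offline": any(c["offline"] for c in copies),
    }


def verify_restore(live_root, copy_root):
    """True only if the copy holds exactly the live files with identical
    hashes: a missing, extra or altered file fails the check."""
    return manifest(live_root) == manifest(copy_root)


def demo():
    """Build a constructed dataset and three copies, tamper with the online
    NAS copy, and report rule compliance plus per-copy restorability."""
    tmp = Path(tempfile.mkdtemp())
    try:
        live = tmp / "live"
        live.mkdir()
        (live / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (live / "notes.txt").write_text("quarter close\n")

        # Inventory (constructed): primary disk, online NAS, offline tape.
        copies = [{"path": live, "medium": "disk", "offline": False}]
        for name, medium, offline in [("nas", "disk", False),
                                      ("tape", "tape", True)]:
            dst = tmp / name
            shutil.copytree(live, dst)
            copies.append({"path": dst, "medium": medium, "offline": offline})

        # Simulate ransomware reaching the online NAS share: one file is
        # overwritten with ciphertext, so that copy can no longer restore.
        (tmp / "nas" / "ledger.csv").write_bytes(b"\x00encrypted\x00")

        return {
            "rules": check_321(copies),
            "restorable": {
                c["path"].name: verify_restore(live, c["path"])
                for c in copies if c["path"] != live
            },
        }
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest of the live data would be recorded at backup time and kept with the offline copy, so that a restore test compares against the state that was backed up rather than against production, which may itself already be encrypted when the test is needed.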