Gadget

Know your ransomware gangs


Photo by Tima Miroshnichenko on Pexels.com

Ransomware gangs have really upped their game in the last few years, generating billions in paid ransoms from public and private sector organisations. The gangs have increased attacks on critical infrastructure operators, hospitals, manufacturing companies and pharma companies. Ransom demand amounts have gone up as well, with victims such as CNA Financial paying out a record $40-million.

So, is this still just the same old ransomware we are talking about? Well, sort of. Once the niche of spray-and-pay spam and drive-by campaigns, ransomware is now more likely to be found tacked on to the tail end of a highly crafted attack sequence we define as RansomOps – ransomware in its most pernicious, pervasive and professional form.

RansomOps are less like the old “spray and pay” methods and a lot more like stealthy nation-state APTs. What sets them apart is their technical sophistication, data exfiltration for double extortion, specialised players and attraction to big-name targets.

RansomOps purveyors often leverage the stolen data by threatening to leak it publicly in order to further pressure victims into paying – and when they’re asked to pay, it’s usually an astronomical demand.

“Ransomware operations have transformed dramatically over the last few years from a small cottage industry conducting largely nuisance attacks to a highly complex business model … with an increasing level of innovation and technical sophistication,” according to a recent report titled RansomOps: Inside Complex Ransomware Operations and the Ransomware Economy.

Gartner noted that the threat of new ransomware models was a top concern among executives last year, and when you look at the stakes, the evolving landscape and the publicised RansomOps attacks thus far, you can see why.

The Five Most Advanced RansomOps Attackers

Black Basta Ransomware Gang

The Black Basta gang emerged in April 2022 and has victimised nearly 50 companies in the United States, United Kingdom, Australia, New Zealand and Canada. Organisations in English-speaking countries appear to be its targets. Cybereason assesses the threat level of Black Basta attacks against global organisations as Highly Severe.

Since Black Basta is relatively new, not a lot is known about the group. Given its rapid ascent and the precision of its attacks, however, Black Basta is likely operated by former members of the now-defunct Conti and REvil, the two most profitable ransomware gangs since 2021.

BlackCat Ransomware Gang

Cybereason researchers have been tracking BlackCat since its emergence in 2021. Having attacked the “telecommunication, commercial services, insurance, retail, machinery, pharmaceuticals, transportation, and construction industries” in at least six countries, it was called 2021’s most sophisticated ransomware.

Interestingly, it is written in Rust (an unusual language for ransomware) and is not above triple-extortion techniques. Believed to be a descendant of BlackMatter and having targeted no fewer than 60 organisations in March alone, BlackCat caused enough trouble to warrant its own FBI flash alert.

Conti Ransomware Gang

The Conti ransomware group has caused a great deal of damage in a relatively short period of time—making headlines around the world. It didn’t come from nowhere, though. Ransomware gangs constantly shift, evolve and rebrand over time, and Conti is identified as a successor to Ryuk ransomware.

The FBI released an alert about Conti in February of this year, warning that “attacks against U.S. and international organisations have risen to more than 1,000.” This prolific gang is known not only for infecting machines, but for spreading through the network via SMB and encrypting remote files as well.

NetWalker Ransomware Gang

Raking in over $25 million since 2020, NetWalker earned a global remediation attempt by the US Department of Justice. Per court papers, the group operates a “so-called ransomware-as-a-service model,” or RaaS, in which developers write the malicious code, affiliates find and attack victims, and the two parties split the proceeds.

According to the Cybereason threat research team Nocturnus, “NetWalker encrypts shared network drives of adjacent machines on the network” and presents a HIGH threat, already having been “employed in attacks across a variety of industries around the world.”

DarkSide Ransomware Gang

The DarkSide gang was responsible for the infamous 2021 Colonial Pipeline attack, which boldly targeted America’s critical national infrastructure and disrupted the East Coast oil supply for several days. Believed to be “likely former affiliates of the REvil RaaS [ransomware-as-a-service] group,” DarkSide came under so much pressure from the U.S. government after the attack that the group disbanded, with members forming new gangs or joining others such as Black Basta, LockBit and BlackCat.

DarkSide targeted organisations in English-speaking countries while avoiding those in countries associated with the former Soviet Bloc. The gang appeared to have a code of conduct that prohibited attacks against hospitals, hospices, schools, universities, non-profit organisations and government agencies.

Defending Against Ransomware

It’s possible for organisations to defend themselves at each stage of a ransomware attack. In the delivery stage, for instance, they can block suspicious emails that carry malicious links or attached documents with malicious macros. The installation stage gives security teams the opportunity to detect files that attempt to create new registry values and to spot suspicious activity on endpoint devices.

When the ransomware attempts to establish command and control, security teams can block outbound connection attempts to known malicious infrastructure. They can then use threat indicators to tie account compromise and credential-access attempts to familiar attack campaigns, and investigate network mapping and discovery attempts launched from unexpected accounts and devices.
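The stage-by-stage detection opportunities described above, as an added example that is not part of the original article or of any vendor's product: a small Python rule set that flags autorun registry writes (installation), outbound connections to blocklisted infrastructure (command and control) and network discovery commands launched from accounts not expected to run them (discovery), run over constructed endpoint telemetry. The event format, the indicator lists, the account names and the hostnames are all assumptions made for the example; the indicators are placeholders, not real IoCs.

```python
"""Stage-by-stage ransomware detection rules run over constructed telemetry.

Added illustration for this article, not code from the original page or from
any vendor's product. Every event, indicator and account name below is
constructed sample data (placeholders, not real IoCs).
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed indicator sets. In practice these come from threat intel feeds
# and from an inventory of accounts that legitimately run discovery tooling.
KNOWN_MALICIOUS_DESTS = {"c2.example.invalid", "198.51.100.23"}  # placeholders
AUTORUN_KEY_SUFFIXES = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)
DISCOVERY_COMMANDS = ("net view", "net group", "nltest", "adfind")
EXPECTED_DISCOVERY_ACCOUNTS = {"CORP\\svc-inventory", "CORP\\it-admin"}


@dataclass
class Alert:
    stage: str   # installation, command_and_control or discovery (stages named in the article)
    host: str
    reason: str


def detect(events: List[Dict]) -> List[Alert]:
    """Apply one rule per attack stage to a list of endpoint/network events."""
    alerts: List[Alert] = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set":
            # Installation stage: a process persisting itself via an autorun key.
            key = ev["key"].lower()
            if key.endswith(AUTORUN_KEY_SUFFIXES):
                alerts.append(Alert("installation", ev["host"],
                                    f"{ev['image']} wrote autorun value {ev['value_name']}"))
        elif kind == "net_connect":
            # Command-and-control stage: outbound connection to blocklisted infrastructure.
            if ev["dest"] in KNOWN_MALICIOUS_DESTS:
                alerts.append(Alert("command_and_control", ev["host"],
                                    f"{ev['image']} connected to blocklisted {ev['dest']}:{ev['port']}"))
        elif kind == "process_create":
            # Discovery stage: network-mapping commands from an account not expected to run them.
            cmd = ev["cmdline"].lower()
            if cmd.startswith(DISCOVERY_COMMANDS) and ev["user"] not in EXPECTED_DISCOVERY_ACCOUNTS:
                alerts.append(Alert("discovery", ev["host"],
                                    f"{ev['user']} ran '{ev['cmdline']}'"))
    return alerts


# Constructed sample telemetry: three events that should alert, three benign ones that should not.
SAMPLE_EVENTS = [
    {"type": "registry_set", "host": "WS-042", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value_name": "Updater"},
    {"type": "registry_set", "host": "WS-042", "image": "C:\\Program Files\\Editor\\editor.exe",
     "key": "HKCU\\Software\\Editor\\Settings", "value_name": "LastFile"},
    {"type": "net_connect", "host": "WS-042", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe",
     "dest": "c2.example.invalid", "port": 443},
    {"type": "net_connect", "host": "WS-042", "image": "C:\\Program Files\\Editor\\editor.exe",
     "dest": "updates.example.invalid", "port": 443},
    {"type": "process_create", "host": "WS-042", "user": "CORP\\jdoe", "cmdline": "net view /all"},
    {"type": "process_create", "host": "SRV-01", "user": "CORP\\it-admin", "cmdline": "nltest /dclist:corp"},
]


def run_sample() -> List[Alert]:
    """Run the rules over the constructed sample; returns one alert per stage."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.stage}] {a.host}: {a.reason}")
```

The point of keeping the three rules separate is the one the article makes: each stage is an independent chance to catch the operation, so a miss at delivery (the phishing email got through) still leaves the autorun write, the beacon and the discovery commands to alert on, all of them weeks or months before the payload runs.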

Prevention always costs less than the cure, and that is particularly applicable when it comes to ransomware. An effective ransomware prevention plan includes actions like:

Remember, the actual ransomware payload is the tail end of a RansomOps attack, and there are weeks or even months’ worth of detectable activity prior where an attack can be arrested before there is serious impact to the targeted organisation.
