More than 2,000 ransomware attacks were identified by security companies worldwide in , using around 30 different types of encryptors. The US was the region most affected by these attacks, with the industrial goods and services sector being the most targeted.
Of the 16 U.S. critical infrastructure sectors, 14 have been targeted and suffered immense losses from ransomware attacks. Other countries, such as Australia and the United Kingdom, faced similar attack rates in 2022.
There has been a rise in data extortion attacks that are politically motivated, with some suspected to be carried out by state-sponsored individuals. Here are the six ransomware groups flagged across the year by the Cybersecurity & Infrastructure Security Agency (CISA) as the upstarts to watch out for.
Cuba ransomware has largely been used to target five U.S. critical infrastructure sectors: healthcare and public health, information technology, financial services, government systems, and critical manufacturing. Cuba ransomware actors gain access to systems by exploiting known vulnerabilities, sending phishing links, using stolen credentials, and similar means. This group has been linked to RomCom RAT actors and Industrial Spy ransomware actors.
Some emails used by this group were:
The Hive ransomware actors have compromised over 1,300 companies worldwide and walked away with over $100 million in ransoms. The group behind this ransomware is known to operate on the ransomware-as-a-service model, through which affiliates obtain the most recent version of the malicious software. The groups using this ransomware also targeted critical infrastructure extensively to increase their impact. They often gain access to systems through single-factor logins over the remote desktop protocol and VPNs. They also send phishing emails with malware as attachments.
The groups leave a ransom note after successfully launching the attack. They have bypassed multifactor authentication in several cases. A few of its indicators of compromise (IOCs) are:
- Deleting system, security, and application Windows event logs
- Disabling Microsoft Windows Defender AntiSpyware protection
- Preventing the normal boot process
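The first two behaviours in the list above are visible in Windows event logs, so a defender can alert on them. The following is an added example (not code from the article or from CISA) that scans event records exported as newline-delimited JSON and raises the severity when the cleared-log and disabled-Defender indicators fire together on one host; the event IDs are assumed from Microsoft's documentation and the sample log is constructed:

```python
import json
from collections import defaultdict
from typing import Iterable

# (Channel, EventID) pairs for the listed behaviours. Assumed from Microsoft's
# documentation; confirm the channel names against your own log forwarder.
SUSPICIOUS = {
    ("Security", 1102): "security audit log cleared",
    ("System", 104): "system/application event log cleared",
    ("Microsoft-Windows-Windows Defender/Operational", 5001): "Defender real-time protection disabled",
}

def scan_events(records: Iterable[dict]) -> list[dict]:
    """Return one finding per record whose (Channel, EventID) is in SUSPICIOUS."""
    findings = []
    for rec in records:
        label = SUSPICIOUS.get((rec.get("Channel"), rec.get("EventID")))
        if label:
            findings.append({"time": rec.get("TimeCreated"), "host": rec.get("Computer"),
                             "user": rec.get("User"), "indicator": label,
                             "event_id": rec["EventID"]})
    return findings

def hosts_with_chain(findings: list[dict], min_distinct: int = 2) -> list[str]:
    """Hosts where at least min_distinct different indicators fired. One cleared log
    may be admin housekeeping; logs cleared plus Defender disabled is the pattern above."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["host"]].add(f["indicator"])
    return sorted(h for h, ind in seen.items() if len(ind) >= min_distinct)

def scan_jsonl(text: str) -> list[dict]:
    """Parse newline-delimited JSON (evtx-to-JSON style export) and scan it."""
    return scan_events(json.loads(line) for line in text.splitlines() if line.strip())

# Constructed sample export, not real telemetry.
SAMPLE_LOG = r"""
{"TimeCreated": "2022-11-17T02:14:05Z", "Computer": "WS01", "Channel": "Security", "EventID": 1102, "User": "CORP\\svc-backup"}
{"TimeCreated": "2022-11-17T02:14:06Z", "Computer": "WS01", "Channel": "System", "EventID": 104, "User": "CORP\\svc-backup"}
{"TimeCreated": "2022-11-17T02:14:09Z", "Computer": "WS01", "Channel": "Microsoft-Windows-Windows Defender/Operational", "EventID": 5001, "User": "SYSTEM"}
{"TimeCreated": "2022-11-17T02:15:00Z", "Computer": "WS02", "Channel": "System", "EventID": 7036, "User": "SYSTEM"}
{"TimeCreated": "2022-11-17T02:15:30Z", "Computer": "WS02", "Channel": "Security", "EventID": 4624, "User": "CORP\\alice"}
"""

if __name__ == "__main__":
    hits = scan_jsonl(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["host"]} {h["user"]}: {h["indicator"]} (EventID {h["event_id"]})')
    print("hosts showing the full chain:", hosts_with_chain(hits))
```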
The Daixin team targets businesses that often cater to the healthcare sector, which accounts for nearly 25% of its overall complainants. The group gains access to systems by exploiting vulnerabilities in VPN servers, using stolen credentials to log in to legacy VPN servers, and so on. They obtain VPN credentials by sending malicious phishing emails and stealing data first. They have gained access to the servers of healthcare providers and encrypted system data.
They have stolen patient health information and demanded ransom for it from the affected organizations. To steal data they employ ngrok Secure Tunnels, which allow remote systems to be reached easily without any changes to network or router settings. They keep reusing stored credentials and use them to target other devices.
Read further: Daixin Group Launches Ransomware Attack on AirAsia
Vice Society often targets the education sector serving kindergarten through twelfth grade. In these attacks, besides restricting access to networks, the group has disrupted exams and regular classes. Moreover, Vice Society has stolen the personal data of both students and staff. The group does not use its own ransomware but shares ransomware used by others, including Zeppelin.
Some of its emails are:
- OnionMail email accounts in the format of [First Name][Last Name]@onionmail[.]org
Read further: Vice Society: A Growing Threat to Schools, Warns the FBI
The Zeppelin ransomware is a type of malware that belongs to the Vega family, which is developed using Delphi. It operates as Ransomware as a Service (RaaS). The group using this malware seeks ransom in Bitcoin and gains access by exploiting the remote desktop protocol (RDP) and SonicWall firewall vulnerabilities and by sending phishing emails. Because the groups using Zeppelin have been known to run the malware several times on the same network, investigators have observed as many IDs and file extensions on the infected systems.
The investigation and counterintelligence operations team of Unit 221B sprang into action after seeing the malicious ransomware attacks on a shelter for the homeless and on charitable organizations. Experts used flaws in the ransomware itself and cracked it in six hours by recovering Zeppelin's RSA-512 key.
The ransomware group using MedusaLocker has targeted the defense industrial base, government facilities, information technology sectors, emergency services, and food and agriculture. They also use vulnerabilities in RDP, and a combination of spam and phishing emails with MedusaLocker attached, to gain unauthorized access to systems. Their ransom note instructs the victim to deposit the ransom at a specified Bitcoin wallet address.
Since it operates as ransomware-as-a-service, the ransom is observed to be divided between the affiliate and the developer. The affiliate is paid 55 to 60% and the rest goes to its developers. This ransomware uses the AES-256 encryption algorithm, with the derived key encrypted using an RSA-2048 public key. It deletes local backups and shadow copies to prevent standard recovery mechanisms. MedusaLocker developers focus on constantly increasing its ability to evade detection, especially by legacy detection solutions.
Read further: Mexico Government Confirms Hacking of Military Data