When it comes to the top 10 ransomware gangs, LockBit maintains a hefty first position, according to cybersecurity researcher Dominic Alvieri.
With a staggering 1,716 public victims to their name, LockBit has been averaging over one company per day since their initial formation as ABCD, he noted in his list of top 10 ransomware gangs.
Vice Society, Royal, Everest, BianLian, Ragnar Locker, and BlackByte follow in his list of top 10 ransomware gangs. All of them have been active in cybersecurity news for their big-ticket ransomware attacks.
“Conti members are still around but this list comprises active groups with quantifiable active leak sites,” Alvieri explained.
These numbers only include posts that are somewhat quantifiable. So, incidents like the recent LockBit Dark Trace-Dark Tracer fiasco or their goofy post that was removed are not included, he explained.
Similarly, ongoing incidents like the BlackCat NCR flash cyber incident are not included either.
Fresh threats: Beyond the top 10 ransomware gangs
Alvieri notes that there are some up and coming groups to watch out for.
“The top groups to watch gaining traction are Royal and Play Ransomware. Play will be among the top 10 ransomware gangs within the next month if current trends continue. Royal should be in the top five by summer,” he wrote.
Several new groups have arrived on the scene in 2023, including Trigona Ransomware, Cipher Locker, Akira Ransomware, Cross Lock Ransomware, and Dunghill Leak. Money Message is another new group to watch out for, he added.
When it comes to the most dangerous groups, Alphv/BlackCat Ransomware and LockBit are neck and neck, noted Alvieri.
“BlackCat has the ability to pivot quickly once in a network and LockBit is always trying to improve to stay on top, but they have been getting sloppy while Alphv looks like it added another producing affiliate,” he wrote.
Other groups like Black Basta, BlackByte, Royal, and Play Ransomware also deserve mention, he added.
Top 10 ransomware gangs, explained
The Cyber Express has been tracking the victims of all the ransomware gangs noted by Dominic Alvieri. We went through our database of cybersecurity advisories to curate the details of the top 10 ransomware gangs.
“LockBit 3.0, also known as ‘LockBit Black,’ is more modular and evasive than its previous versions and shares similarities with Blackmatter and Blackcat ransomware,” warned an advisory by the Cybersecurity and Infrastructure Security Agency, USA.
The ransomware is configured with multiple options during compilation, which determine how it will behave when executed.
LockBit 3.0 also requires a password during execution, which is a cryptographic key that decodes the ransomware. This makes it harder to detect and analyze as the code is encrypted and unreadable in its encrypted form.
In addition, LockBit 3.0 will not infect machines that have language settings matching a defined exclusion list, which includes languages such as Romanian (Moldova), Arabic (Syria), and Tatar (Russia).
However, the runtime language check is determined by a configuration flag set at compilation time. If LockBit 3.0 detects a language on the exclusion list, it will stop execution without infecting the system.
“ALPHV emerged in November 2021 as a ransomware-as-a-service that some researchers have claimed is the successor to BLACKMATTER and DARKSIDE ransomware,” noted an advisory by cybersecurity company Mandiant.
“While some ransomware operators enacted rules to avoid impacting critical infrastructure and health entities, ALPHV has continued to target these sensitive industries.”
The BlackCat/ALPHV ransomware gains access to victim systems by exploiting previously compromised user credentials, said a Flash report issued by the FBI.
Once access is established, the malware compromises user and administrator accounts in Active Directory. To deploy the ransomware, the malware creates malicious Group Policy Objects (GPOs) using Windows Task Scheduler.
PowerShell scripts and Cobalt Strike are used during the initial deployment, which disables security features in the victim’s network. Additionally, BlackCat/ALPHV ransomware uses Windows administrative and Microsoft Sysinternals tools in the compromise process.
“Clop is a variant of CryptoMix Ransomware that encrypts data, renaming each file by appending the .clop extension to encrypted files. Its name comes from the Russian word ‘klop’ meaning bed bug,” said a threat assessment report by cybersecurity company Mimecast.
The cybercriminals behind Clop ransomware are known to target organizations with substantial budgets, demanding ransoms as high as $20 million. Clop is considered a “big game hunter” due to this strategy.
Clop ransomware targets valuable assets such as data backups, financial records, email lists, vouchers, and other sensitive information.
Once the ransomware gains access to the data, cybercriminals often leak portions of it to prove that they have it and threaten to release more unless the ransom is paid.
Clop ransomware has several known variants, each damaging organizations in similar ways, but with more sophisticated technical delivery methods.
One way to recognize a new variant is by the file extension and ransom note names, which include “.CIIp”, “.Cllp”, “.C_L_O_P”, “ClopReadMe.txt”, “README_README.txt”, “Cl0pReadMe.txt”, and “READ_ME_!!!.TXT”.
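The extension and ransom note names listed above are the kind of artefact a defender can check for in a file listing or EDR file event feed. The scanner below is an added example written for this article, not code from Mimecast or The Cyber Express; the indicators come from the list above, matched case-insensitively so that look-alike spellings such as “CIIp” versus “.Cllp” are both caught, and the file paths are constructed sample input.

```python
from typing import Dict, List, Optional

# Indicators from the Clop section of this article (Mimecast report), lowercased
# for case-insensitive matching. Anything else you add here is your own choice.
CLOP_EXTENSIONS = (".clop", ".ciip", ".cllp", ".c_l_o_p")
CLOP_NOTES = ("clopreadme.txt", "readme_readme.txt",
              "cl0preadme.txt", "read_me_!!!.txt")

# Constructed sample listing, e.g. from a file-server walk or EDR file events.
SAMPLE_LISTING = [
    r"C:\Finance\Q3_backup.bak.Clop",
    r"C:\Finance\payroll.xlsx.CIIp",
    r"C:\Users\alice\Documents\ClopReadMe.txt",
    r"C:\Users\alice\Documents\notes.txt",
    r"\\fileserver\share\README_README.txt",
    r"\\fileserver\share\contract.pdf.C_L_O_P",
    r"C:\Windows\System32\cmd.exe",
]


def classify_path(path: str) -> Optional[str]:
    """Return 'ransom_note', 'encrypted_file' or None for one path."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in CLOP_NOTES:
        return "ransom_note"
    if any(name.endswith(ext) for ext in CLOP_EXTENSIONS):
        return "encrypted_file"
    return None


def scan_listing(paths: List[str]) -> Dict[str, List[str]]:
    """Group every path in the listing by the indicator category it matched."""
    hits: Dict[str, List[str]] = {"ransom_note": [], "encrypted_file": [], "clean": []}
    for path in paths:
        hits[classify_path(path) or "clean"].append(path)
    return hits


def assess(paths: List[str], min_encrypted: int = 3) -> Dict[str, object]:
    """Raise an alert when a ransom note is present or enough files carry a
    Clop extension (threshold is an assumption to tune per environment)."""
    hits = scan_listing(paths)
    likely = bool(hits["ransom_note"]) or len(hits["encrypted_file"]) >= min_encrypted
    return {"likely_clop": likely,
            "encrypted_files": len(hits["encrypted_file"]),
            "ransom_notes": len(hits["ransom_note"])}


if __name__ == "__main__":
    print(assess(SAMPLE_LISTING))
```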
Black Basta ransomware emerged in April 2022 and went on a spree breaching over 90 organizations by Sept 2022.
“The rapidity and volume of attacks prove that the actors behind Black Basta are well-organized and well-resourced, and yet there have been no indications of Black Basta attempting to recruit affiliates or advertising as a RaaS on the usual darknet forums or crimeware marketplaces,” noted a threat assessment report by SentinelOne.
According to SentinelOne, Black Basta ransomware is likely connected to the financially motivated group FIN7, which has been active since 2012.
FIN7, also known as Carbanak, was initially known for using point-of-sale malware to conduct financial fraud, but since 2020 it has switched to ransomware operations, affiliating with groups such as REvil and Conti and conducting its own operations under the names Darkside and BlackMatter.
According to the report, it is likely that FIN7 or an affiliate began writing tools from scratch to disassociate their new operations from the old, and the custom impairment tool is one such tool.
Furthermore, the developer(s) behind the tools to impair victim defenses are likely to be, or have been, developers for FIN7.
This attribution is based on PDB paths correlation between the impairment tools and a packed BIRDDOG payload, PDB paths correlation between the threat actor’s packer and a packed Cobalt Strike beacon seen in the wild, and correlation between the threat actor’s packer used for obfuscating the BIRDDOG payload and the packed Cobalt Strike beacon seen in the wild.
In recent news, the Vice Society ransomware group has been making headlines for their recent attacks on various targets.
They have been known to focus their efforts on the education and healthcare industries, but it has been revealed that the group is also targeting the manufacturing sector.
It penetrates different industries, most likely through the purchase of compromised credentials from underground channels, assessed cybersecurity company Trend Micro.
Vice Society has been detected in several countries including Brazil, Argentina, Switzerland, and Israel.
They have primarily been affecting the manufacturing industry in Brazil. The group has been known to exploit vulnerabilities such as the PrintNightmare vulnerability in their routines, and they have previously deployed ransomware variants such as Hello Kitty/Five Hands and Zeppelin.
Royal Ransomware is a highly advanced malware strain that first appeared in early 2022. Dev-0569, the group that operates Royal, is a private group of elite cyber criminals seeking financial gain by extorting large enterprise victims.
“In November 2022 alone, the Dev-0569—the ransomware gang that operates Royal—added 43 new victims, demanding between $250,000 and $2 million per compromise,” reported BlackBerry’s cybersecurity division.
Royal ransomware attacks typically involve colluding with Initial Access Brokers (IABs) to gain network access and deploying a wide range of advanced exploitation tactics and techniques once they gain a foothold in a target network.
Royal ransomware attacks have included a range of first-stage tactics and payloads such as abusing business website contact forms, trojanized malware files hosted on authentic-looking download sites, and malvertising using Google Ads.
After gaining network access, Royal operators employ advanced techniques like installing the Cobalt Strike pen-testing toolkit for command and control and harvesting credentials for lateral movement through a network.
Royal also deletes “shadow copies” of files and uses signed MSI or VHD files to download additional payloads such as ‘BATLOADER’ malware.
The final-stage encryption module used by Royal is a 64-bit executable written in C++, and its operators have recently begun using a novel encryption module called “Zeon” to encrypt victims’ files quickly.
The Everest ransomware group is known for their efficiency and speed in carrying out attacks, which has allowed them to successfully target a range of organizations in various industries.
“Over the last year, NCC Group has seen threat actors emerge and adopt new tactics to achieve their aims. The Russian-speaking Everest Group is a perfect example of this, and are taking hack and leak campaigns a step further,” NCC Group reported in December 2021.
In a July 2022 report detailing their recent research into the Everest ransomware, NCC Group said the ransomware gang may have ties to the ongoing operations that are utilizing BlackByte ransomware.
NCC Group researchers were able to determine the tactics, techniques, and procedures (TTPs) used by the Everest ransomware group.
The ransomware group primarily relies on phishing emails with malicious attachments or links to deliver their ransomware payload.
Once the initial infection is established, the group uses advanced techniques to spread laterally throughout the victim’s network, including the use of stolen credentials and vulnerabilities in software and systems.
The BianLian gang has been active since at least 2019 and has been known to use multiple tactics, including phishing emails, exploit kits, and remote desktop protocol (RDP) brute-force attacks, to gain access to victims’ networks.
The group has also been linked to the distribution of other types of malware, including the banking Trojan QakBot.
Since its initial detection, the BianLian ransomware gang has reportedly shifted its focus to pure data extortion, reported cybersecurity company Redacted.
“BianLian has shifted the main focus of their attacks away from ransoming encrypted files to focus more on data-leak extortion as a means to extract payments from victims,” said the report.
“Furthermore, they have been attempting to amplify the effectiveness of these extortion threats by tailoring the messages delivered to specific victims in an effort to increase the pressure felt by the organizations.”
The shift in tactics was noted when researchers found that the gang is now using a new variant of the ransomware that is designed to exfiltrate data instead of encrypting it. This new variant, dubbed “BianLian Exfiltrate,” is being distributed through phishing emails and exploit kits.
Ragnar Locker ransomware is believed to have first emerged in 2019 and has since been responsible for numerous attacks against businesses worldwide.
According to cybersecurity company Acronis, Ragnar Locker uses a sophisticated method to bypass security measures and encrypt a company’s data.
Ragnar Locker compromises a company’s network via RDP service, using brute force to guess weak passwords or with stolen credentials bought on the Dark Web.
The attacker then performs second-stage reconnaissance and exploits the CVE-2017-0213 vulnerability to elevate privileges.
To evade detection, the attacker deploys a VirtualBox virtual machine with a Windows XP image to encrypt all files, making the encryption appear to be a trusted VirtualBox process.
The ransomware operator also deletes any extant shadow copies, disables antivirus countermeasures, and steals sensitive files before launching the ransomware.
“Finally, before launching Ragnar Locker ransomware, the attacker steals sensitive files and uploads them to one or more servers to publish them if the victim refuses to pay the ransom,” the report said.
The ransomware is particularly dangerous because it is designed to target companies with a large number of employees, making it easier for the attackers to demand a higher ransom.
The attackers also use social engineering techniques to trick employees into downloading and executing the ransomware on their systems.
“BlackByte is ransomware as a service (RaaS) that first emerged in July 2021. Operators have exploited ProxyShell vulnerabilities to gain a foothold in the victim’s environment,” said a threat assessment report by Palo Alto Networks.
BlackByte ransomware is designed to encrypt a company’s data and demand a ransom payment for the decryption key. However, in addition to the encryption, BlackByte also steals the victim’s data and threatens to publish it online if the ransom is not paid.
Researchers recently found that BlackByte uses a tool called ‘RogueRobin’ to steal the victim’s data. This tool is different from other data theft tools used by ransomware groups, as it does not require administrative privileges to work. This means that even if a company’s systems are properly secured, the tool can still be used to steal sensitive data.
BlackByte has been found to be distributed via phishing emails, and the ransomware is particularly dangerous because it can spread laterally through a company’s network, infecting multiple systems at once.