Deep within the mysterious underbelly of the internet, evildoers gather to join forces and plan their dark deeds. In a hidden corner of cyberspace called the Dark Web, that’s inaccessible from regular browsers and IP addresses that haven’t been obfuscated, the wickedest criminals share code, stolen data, and the secrets of their trade. They’re cunning and vigilant. And they’re always seeking to grow their power and influence — as well as the profits of their thievery.
Does this sound like the start of yet another Halloween story — one written to capture the scary spirit of the season? Unfortunately, it’s not. Instead, this frightening tale is all too true.
In fact, security research suggests that 2020-21 is likely to have been the most profitable year in history for ransomware operators. Researchers at Coveware, for instance, found that the average ransom payment increased 43% from Q4 of 2020 to Q1 of 2021, while cybersecurity firm Group-IB estimates that the average number of ransomware attacks grew by 150% over the course of 2020, and payment demands more than doubled.
Ransomware operators aren’t apparitions. They’re very real. Although they’re criminal organizations, they often operate more like a traditional company with a business plan and structure than a swarm of zombies. They’re highly professionalized, taking advantage of practices like DevOps to accelerate the development of new malware variants, and leveraging outsourcing to gain specialized capabilities. And they continue to innovate their operating model to improve cash flow. For example, Ransomware-as-a-Service, which involves selling subscriptions to existing ransomware tools, makes these attacks more accessible and easier to launch.
Keeping track of the complex network of relationships between botnet operators and the ransomware variants they make use of isn’t for the faint of heart. Not only are ransomware gangs constantly growing, but new groups like to claim that they have ties to older, more-established ones to increase their clout (and chances of extorting a big payment). Of course, the established ransomware operators are eager to exploit this trend by peddling access to affiliate programs, or re-selling customized malware, often for a percentage of the ransom gained.
To help you make sense of this creepy trend, we’ve put together this quick guide to four of today’s most dangerous ransomware groups and families.
First detected in Asia early in 2019, the REvil ransomware family is thought to be related to GandCrab, an earlier variant that targeted consumers. GandCrab was among the inventors of the Ransomware-as-a-Service (RaaS) business model, and famously targeted victims who visited porn sites. The malware would turn on victims’ webcams, record footage, and use the resulting images for blackmail. Like GandCrab, REvil checks to see what language region a would-be victim’s computer is set to before proceeding with the attack. Systems located in Russia, Kazakhstan and other CIS nations are usually not targeted.
REvil is known for its authors’ technical prowess: the software cleverly makes use of legitimate CPU functions to bypass security protections. REvil’s also known for being the current record-holder for the largest-ever ransom demand: a whopping $50 million from the Taiwanese electronics manufacturer Acer in March 2021.
Most recently, REvil appears to have experienced a pumpkin-sized setback. Critical REvil infrastructure went offline, seemingly involuntarily, in what was later reported to be a “hack back” operation by international law enforcement supported by the USA. Given the group’s strong history of returning from beyond the grave, though, it’s likely we haven’t seen the last of REvil.
DarkSide was a relatively new ransomware group that quickly gained notoriety because of its success in targeting multiple large, high-revenue organizations. Most notably, DarkSide is believed to have been behind the attack on the Colonial Pipeline that cut off nearly half of the fuel supply to the U.S. east coast for several days in the spring of 2021. Because DarkSide operated according to the RaaS model, it’s thought that as many as three different affiliate groups were involved in the Colonial Pipeline attack.
Not only did DarkSide encrypt victims’ data, the group also exfiltrated it, asking for money to prevent the stolen corporate data from being published on the Dark Web. DarkSide in fact became one of the first groups to launch what experts call “quadruple extortion” attacks, which combine data encryption and exfiltration with a distributed denial-of-service (DDoS) attack on the victim’s website. If none of these tactics is successful, the group will begin emailing the victim’s customers directly or will contract with a call center to contact them by telephone. DarkSide is said to have shut down after the Colonial Pipeline attack, but it’s likely that its operators (and their malware) will pop up again.
Though Conti was first observed in the wild in December 2019, its operators appear to have a long and storied history. Security researchers believe that the same group is behind Ryuk malware, which is known for how quickly its attacks progress from initial access to organization-wide infection. The software relies on a multi-threaded approach that makes execution much faster than malware from other families. As a result, it’s often the case that by the time a Conti infection has been detected on one computer, it’s far too late to contain the spread.
Like the tactics employed by DarkSide, the Conti malware not only encrypts files but also exfiltrates them. The criminals threaten to publish victims’ sensitive data, but, in an interesting twist, also offer free vulnerability management advice. Victims are told that if they pay up, they’ll get “instructions on how to close the hole in security and how to avoid such problems in the future.”
Maze ransomware was first spotted in 2019, but the group behind it quickly distinguished itself for being exceptionally innovative. They were among the first ransomware operators to perpetrate “double extortion” attacks, in which data is stolen before it is encrypted. This tactic’s success soon attracted numerous imitators, including most of the groups described above.
The Maze group was also among the first ransomware operators to publicize their exploits in mainstream media outlets. In late 2019, the Maze group boasted to Bleeping Computer of its attack on the company Allied Universal. They attached a few of the stolen files as evidence.
Maze announced retirement in November 2020, but many of the group’s affiliates continue to operate using Egregor ransomware, which first appeared around the time that Maze was said to have retired. Egregor leverages commodity malware to penetrate victims’ environments, and its operators seem to be especially fond of targeting healthcare organizations.
We hope these spooky cybersecurity stories won’t keep you awake all night on Halloween.
Just in case they do, we’ll be back next week with a guide to preparing your organization to face a ransomware attack. In the meantime, check out our blog for more security best practices and helpful tips.