BIGFISH TECHNOLOGY LIMITED
14 March 2024

The 10 most dangerous ransomware groups right now

In a matter of seconds, ransomware can devastate a company, cutting off access to data, reducing revenue and damaging a hard-won reputation.

In 2023, 1 in every 34 organizations worldwide experienced an attempted ransomware attack on average each week, a 4% increase over the same period the previous year.

Much of this activity comes from a small number of "ransomware families," or gangs, that continue to develop, distribute and spread ransomware.

This article covers who is behind the most recent ransomware attacks, how these groups operate, and what to look out for in your own environment.

With that information, you can decide where to strengthen your digital infrastructure, where to concentrate your security efforts, and how to build an effective ransomware-prevention program.

  1. Lockbit3. Between January and June 2023, Lockbit3 proved to be the most active ransomware gang.

    Lockbit3 accounted for 24 percent of all reported victims. The group targeted more than 500 organizations in an attempt to disrupt and publicly extort them, a 20% increase in victims over H1 2022.

    LockBit operates a ransomware-as-a-service (RaaS) model and mostly targets large organizations and government agencies. It attacks organizations all over the world, with the exception of those in Russia and the other Commonwealth of Independent States (CIS) countries.

    The list of suggested mitigations is lengthy. Possible starting points for your organization are email filtering, sandboxed browsers, and a requirement that accounts adhere to NIST password management and policy standards.
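The NIST password-policy item above is the one mitigation in this list that is mechanical enough to show in code. The checker below is an added illustration, not code from CyberTalk.org or from any LockBit advisory. It applies the memorized-secret verifier rules of NIST SP 800-63B section 5.1.1.2: a minimum of 8 characters, acceptance of at least 64, no composition rules, and rejection of values that are breached, repetitive, sequential or context-specific. The breached-password set, the username and the company name used as context words are constructed for the example.

```python
"""Memorized-secret verifier following NIST SP 800-63B section 5.1.1.2.

Added example; the BREACHED set and the context words in the usage call
are constructed stand-ins, not real data.
"""
import unicodedata

MIN_LEN = 8      # NIST: verifiers SHALL require at least 8 characters
MAX_LEN = 128    # NIST: verifiers SHALL permit at least 64; any cap must be >= 64

# Constructed stand-in for a breached/common-password corpus.  A real
# deployment would compare against a large, locally hosted breach list.
BREACHED = {"password", "password1", "qwerty123", "letmein1", "welcome1"}

# Ordered sequences and keyboard rows used to catch "abcd", "1234", "qwer".
SEQUENCES = (
    "abcdefghijklmnopqrstuvwxyz",
    "0123456789",
    "qwertyuiop", "asdfghjkl", "zxcvbnm",
)


def normalize(secret: str) -> str:
    """NFKC-normalize so visually identical Unicode forms compare equal.
    Spaces and all printable characters are accepted, as NIST requires."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive(s: str, run: int = 4) -> bool:
    """True if any single character repeats `run` times in a row (e.g. 'aaaa')."""
    return any(ch * run in s for ch in set(s))


def is_sequential(s: str, run: int = 4) -> bool:
    """True if `s` contains a forward or backward window of `run` characters
    taken from one of the known sequences (e.g. 'abcd', '4321', 'qwer')."""
    low = s.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - run + 1):
            window = seq[i:i + run]
            if window in low or window[::-1] in low:
                return True
    return False


def check_secret(secret: str, context: tuple[str, ...] = ()) -> list[str]:
    """Return an empty list if the secret is acceptable, otherwise the reasons
    for rejection.  `context` carries context-specific words such as the
    username and service name.  There are deliberately no character-class
    rules: NIST says verifiers SHOULD NOT impose composition requirements."""
    s = normalize(secret)
    low = s.lower()
    reasons = []
    if len(s) < MIN_LEN:
        reasons.append("shorter than 8 characters")
    if len(s) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if low in BREACHED:
        reasons.append("appears in breached-password list")
    if is_repetitive(low):
        reasons.append("repetitive characters")
    if is_sequential(low):
        reasons.append("sequential characters")
    for word in context:
        if word and word.lower() in low:
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


if __name__ == "__main__":
    # Constructed usage: the username and company name are the context words.
    for candidate in ("correct horse battery staple", "Password1", "j.doe2024!", "abcd!Xy9"):
        verdict = check_secret(candidate, context=("j.doe", "BigFish")) or "OK"
        print(f"{candidate!r}: {verdict}")
```

The checker reports every reason at once rather than stopping at the first, which is what a user-facing password-change form needs; the breached-list lookup is the single most valuable test here and is the one to back with a real corpus.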

  2. Clop. Having claimed more than 100 attacks in the first five months of 2023 alone, Clop is one of the most active ransomware gangs seen this year.

    Clop targets businesses across a range of industries, including multinational oil firms and healthcare institutions, but appears to favor organizations with annual revenue above $5 million.

    Clop is estimated to have demanded ransom payments totaling more than $500 million from companies to date.

    After Clop's exploitation of a zero-day vulnerability in the MOVEit Transfer file-transfer application in the spring of 2023, the U.S. State Department's Rewards for Justice program announced a reward of up to $10 million for information linking Clop to a foreign government.

  3. MalasLocker. This group first appeared in April 2023. In its relatively short existence it has claimed more than 170 victims and caused a great deal of damage.

    Ransomware groups usually avoid targets in the former Soviet Union, so it is quite unusual that over 30% of this group's victims were Russian companies.

    The group primarily targets Zimbra, an email and collaboration platform used by organizational staff. It is best known for its apparent anti-capitalist stance: instead of a ransom, it asks victims to make a "charitable donation" to a non-profit organization of their choosing.

    Although the group has so far targeted smaller businesses, over the coming weeks and months it may attempt to attack larger organizations as well.

  4. BlackCat, or ALPHV. This ransomware gang is notorious for its "crazy" and inventive ideas. Its use of the Rust programming language, for example, makes analyzing its ransomware far more difficult than it was with earlier families.

    ALPHV/BlackCat has carried out a number of noteworthy breaches this year. The group has claimed credit for compromising airports, oil refineries and other critical-infrastructure providers.

    The criminals involved may be a rebrand of the DarkSide gang, or may have only a loose affiliation with it. BlackCat members may also have had prior ties to the REvil cartel.

    The list of suggested mitigations is lengthy. Examples include reviewing domain controllers, servers, workstations and Active Directory for new or unfamiliar user accounts, backing up data, and checking Task Scheduler for tasks created by or running as unfamiliar accounts.

  5. BianLian. Since June 2022 this group has developed and deployed ransomware and extorted victims with stolen data, targeting organizations in U.S. critical-infrastructure sectors. It has also compromised Australian critical-infrastructure, professional-services and property-development organizations.

    BianLian gains initial access with valid Remote Desktop Protocol (RDP) credentials, then uses open-source tools and command-line scripting for credential harvesting and discovery. It exfiltrates victim data using Rclone, Mega or File Transfer Protocol (FTP). It then demands payment and threatens to publish the stolen data online if payment is not received.

    Organizations should strictly limit the use of RDP and other remote desktop services, disable command-line and scripting activity and permissions where they are not needed, restrict the use of PowerShell and update Windows PowerShell or PowerShell Core to the latest version, and otherwise reduce their exposure to BianLian's techniques.
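The account-review and Task Scheduler checks recommended against BlackCat, and the RDP access and Rclone/FTP exfiltration behavior described for BianLian, can all be hunted for in the Windows Security log. The script below is an added example, not code from CyberTalk.org or from either group's advisories. It uses the real Security event IDs (4720 user account created, 4698 scheduled task created, 4624 logon with logon type 10 for RDP, 4688 process creation) over a constructed, simplified key=value rendering of the log. The host names, users, addresses, the approved-account baseline and the internal network range are all assumed for the example.

```python
"""Hunting script for the Windows Security log activity described above.

Added example.  Event IDs are the real Windows Security log IDs; the flat
key=value record format, the hosts, users, addresses, the approved-account
baseline and the internal network range are all constructed.
"""
import ipaddress
import re

# Constructed sample log, one event per line (a simplified rendering of the
# Security log; real events would arrive via Event Forwarding or a SIEM).
SAMPLE_LOG = r"""ts=2024-03-01T02:13:05 id=4624 host=FS01 user=j.doe logon_type=10 src=203.0.113.45
ts=2024-03-01T02:14:10 id=4720 host=DC01 user=svc_backup2 actor=j.doe
ts=2024-03-01T02:15:30 id=4698 host=DC01 task=\Microsoft\Windows\Update\sync user=svc_backup2 actor=j.doe
ts=2024-03-01T02:20:01 id=4688 host=FS01 user=j.doe image=C:\tools\rclone.exe cmdline="rclone copy D:\share mega:dump"
ts=2024-03-01T09:00:00 id=4624 host=FS01 user=a.smith logon_type=10 src=10.0.5.12
ts=2024-03-01T09:05:00 id=4688 host=FS01 user=a.smith image=C:\Windows\System32\notepad.exe cmdline="notepad.exe"
"""

# Constructed baseline: accounts the organization knows about.
KNOWN_ACCOUNTS = {"j.doe", "a.smith", "svc_backup"}
# Constructed: RDP is only expected from the internal range.
INTERNAL_NETS = (ipaddress.ip_network("10.0.0.0/8"),)
# Tools the text names for exfiltration (Rclone, Mega, FTP) plus common clients.
EXFIL_TOOLS = re.compile(r"^(rclone|megasync|megacmd|winscp|ftp)(\.exe)?$", re.I)
# Remote-target spellings that betray an upload even from a renamed binary.
EXFIL_ARGS = re.compile(r"\bmega:|\bftps?://", re.I)


def parse_event(line: str) -> dict[str, str]:
    """Parse one key=value record; double-quoted values may contain spaces."""
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def hunt(log_text, known_accounts=KNOWN_ACCOUNTS, internal_nets=INTERNAL_NETS):
    """Return (finding, host, subject, detail) tuples for suspicious events."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        eid, host, user = ev.get("id"), ev.get("host", "?"), ev.get("user", "?")
        if eid == "4720" and user not in known_accounts:
            # Account creation of a user not in the baseline (BlackCat check).
            findings.append(("new-account", host, user, ev.get("actor", "?")))
        elif eid == "4698" and user not in known_accounts:
            # Scheduled task registered to run as an unfamiliar principal.
            findings.append(("unfamiliar-task-principal", host, ev.get("task", "?"), user))
        elif eid == "4624" and ev.get("logon_type") == "10":
            # Logon type 10 = RemoteInteractive (RDP); flag sources outside the allowed range.
            try:
                src = ipaddress.ip_address(ev.get("src", ""))
            except ValueError:
                continue  # malformed or missing source address
            if not any(src in net for net in internal_nets):
                findings.append(("external-rdp", host, user, str(src)))
        elif eid == "4688":
            # Process creation: known exfiltration tool or a remote upload target.
            image = ev.get("image", "").rsplit("\\", 1)[-1]
            if EXFIL_TOOLS.match(image) or EXFIL_ARGS.search(ev.get("cmdline", "")):
                findings.append(("exfil-tool", host, user, image))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(*finding)
```

On the constructed sample this flags the external RDP logon, the new svc_backup2 account, the scheduled task running as that account, and the rclone process, in that order; the 4688 check needs command-line auditing (ProcessCreationIncludeCmdLine_Enabled) turned on or the cmdline field is empty in real logs.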

  6. Royal. This group has targeted several critical-infrastructure sectors, including manufacturing, education, communications, and healthcare and public health.

    Royal typically disables antivirus software and exfiltrates a large volume of data before encrypting systems with its ransomware.

    Criminals affiliated with Royal have demanded ransom payments ranging from roughly $1 million to $11 million USD.

    To guard against Royal, defenders are advised to keep multiple copies of sensitive or proprietary data and servers in physically separate, secure locations.

    In addition, require multi-factor authentication for all accounts, patch systems (including software and firmware) as updates are released, and segment networks.

  7. Play. This ransomware group first surfaced in June 2022. It takes its name from the one-word ransom note, "PLAY," that victims see and from the ".play" extension appended to encrypted files.

    The group uses custom tooling. This is thought to shorten dwell time, reduce the chance that third parties reverse-engineer or tamper with the tooling, and give the operators tighter operational control than off-the-shelf tools would.

    The group initially focused on Latin America, particularly Brazil, but its interests have broadened. In recent months an attack by the group led the City of Oakland, California, to declare a state of emergency.


  8. Akira. This group gains access by exploiting known software vulnerabilities, weak or missing multi-factor authentication (for example on VPN services), and exposed public-facing services and applications. Akira ransomware attacks specifically target financial organizations, educational institutions, manufacturers, real estate companies and healthcare companies.

    Akira has already published victim data on its leak site; the released data sets have ranged from 5.9 GB to 259 GB. Ransom demands have ranged from $200,000 to several million dollars.

  9. NoEscape. Earlier this year these attackers quickly became a serious threat. NoEscape claims to have built both its malware and its supporting infrastructure from scratch.

    In choosing targets, NoEscape operators appear to avoid organizations in the Commonwealth of Independent States (CIS).

    As of this writing, NoEscape offers its affiliates tools for building their own payloads and for managing Windows and Linux payloads. A multi-layered defensive strategy is needed to thwart this group.

  10. Other. Roughly 34% of ransomware attacks are attributable to a range of other gangs.

    These include many additional groups, some of which repeatedly change their names in an attempt to "rebrand," such as Black Basta, Hive and Conti.


Source: CyberTalk.org