Ransomware becomes more and more popular. Emerging Ransomware Groups groups are quickly adopting a double extortion model (Babyk, Egregor, Nefilim). This means that they not only encrypt the data, they also exfiltrate it and threaten to expose it if they do not get the ransom money.
However, there has also been good news – some emerging ransomware groups decided to shut down their operations (Maze) and even release decryption keys (Fonix). In this article, you can read about the recent and rather wide-spread ransomware groups spotted in 2020-2021.
Babyk ransomware emerged in January 2021. It is one of the first ransomwares that we noticed in early 2021. It is programmed on a rather amateurish level but uses strong encryption. The onion website used for ransom negotiations hosts only a simple chat.
Babyk has an interesting modus operandi as it strictly defined what kinds of organizations the operators do not target. The list of excluded targets goes like this:
- Hospitals (exception: private plastic surgery clinics, private dental clinics)
- Non-profit (exception: charities supporting LGBT and BLM)
- Schools (exception: major universities)
- Small business (exception: companies with annual revenue more than $4.000.000)
Hello Kitty ransomware emerged in November 2020. It is named after a HelloKittyMutex mutex it leaves behind. It has hit some interesting targets, like Brazilian power company called CEMIG or CD Project Red which is a game development company that created Witcher and Cyberpunk.
Egregor emerged in September 2020. It is believed to be a continuation of the recently shut-down Maze ransomware. Maze was shut down only short time before Egregor has emerged. Egregor also shares many common traits with Maze. Egregor is spread through Qakbot, IcedID and Ursnif.
It has hit more than 70 companies so far. It uses double extortion model – they have a section called Hall of Shame on their website where they publish the leaked data.
Fonix emerged in June 2020. That particular ransomware is an honorable mention in this list. It is relatively new, however in February 2021, Fonix operators announced their plans to shut down their activity. They made a public announcement on Twitter that they want to use their abilities in positive ways and help others. They also released the decryption key (RSA master key) along with a sample decryptor and offered help with decryption to security researchers.
However, they made it clear that there were some internal disagreements within the group of Fonix operators as some members desired to continue with the business and advertised fake Fonix source code to scam other people.
Nefilim emerged in March 2020 and started targeting big companies – even giants like Orange or Whirlpool fell victim for this ransomware. It exploits either a Citrix or an RDP vulnerability, uses Mimikatz and exfiltrates the data using MegaSync. Afterwards it encrypts the infected machines. It also uses the double extortion method or – they have a section called Corporate Leaks on their website where they publish the leaked data.
Ransomware groups are evolving and are becoming more dangerous every year. Today, they do not only encrypt the data. In addition, they threaten to leak exfiltrated sensitive information which is dangerous for companies that protect their intellectual property. Therefore, it is important for companies to know which ransomware groups might target them and prepare against their TTPs.