Ransomware gangs are changing their tactics to put more pressure on victims and boost their payday. Traditionally, a ransomware attack involved infiltrating a corporate network with malicious software that infected individual endpoints. The ransomware would then look for folders of sensitive files and encrypt as many as it could before being detected. To avoid losing access to that data permanently, the company had to buy the decryption keys from the gang before the deadline expired.
One of the newest adaptations is to steal and exfiltrate corporate data before encrypting it. The gang then notifies the victim, or the media, and threatens to publish the data on a “leak site,” sometimes releasing it piece by piece until the ransom is paid. Gangs usually leave data from past victims online to show they are serious. This strategy is particularly effective against organizations in sensitive or secretive sectors, such as aeronautics, defense, or government, but it can be just as damaging in any industry where protecting intellectual property is paramount.
With that in mind, here are some of the most notorious ransomware gangs to be aware of:
Sodinokibi, AKA REvil
REvil usually demands a payment of $2,500, which doubles to $5,000 if the victim does not pay within two days. The malware mostly relies on a scattershot approach, infecting unwitting victims who download torrents, open suspicious emails, or click on malicious ads.
However, the group is also known to launch brute-force attacks directly against exposed RDP (Remote Desktop Protocol) endpoints, as illustrated by a recent encounter between LIFARS and REvil. RDP reachable from the internet with password-only authentication is the obvious thing to check for; a burst of failed logons (Windows Security event 4625) from a single source is the telltale sign of an attempt in progress.
Clop
Clop was one of the first ransomware gangs to explicitly target executives on a personal level, blackmailing them with information of a personal nature or relating to ongoing litigation. The premise is that the risk to the individual, or to the company's reputation, will be enough to force payment.
Most recently, Clop made headlines for largely shutting down the operations of the Korean retail group E-Land. Previously, it also held the data of the German software company Software AG to ransom for $20 million.
LockBit
LockBit attacks began in September 2019. It operates as RaaS (Ransomware as a Service): affiliates put down a deposit to use the malware and then receive a share of the profits. Affiliates typically aim it at government and large corporate entities.
LockBit is somewhat unusual in being highly targeted at specific organizations. It uses CrackMapExec to spread laterally across a network, combined with automated self-replication. CrackMapExec is an open-source post-exploitation tool that authenticates to hosts over SMB with credentials the operator already holds, so LockBit's spread depends on harvesting valid credentials first, and each hop leaves a network logon on the target host.
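The two intrusion patterns described above, REvil's RDP brute forcing and LockBit's credential-based spread with CrackMapExec, leave the same kind of trail in the Windows Security log: failed logons (event 4625) and successful logons (event 4624), each tagged with a logon type and a source address. The script below is an added example, not code from the original article or from LIFARS, that runs two simple detections over constructed, simplified event records: a sliding-window count of failed RDP logons (logon type 10) per source address, flagging whether a success followed, and a fan-out check for one account authenticating over the network (logon type 3) to many hosts in a short window. The record format, the host names, the IP addresses and the thresholds are all assumptions for illustration.

```python
"""Flag RDP brute force and lateral-movement fan-out in Windows Security events.

Added example, not code from the original article or from LIFARS. The records
below are constructed, simplified renderings of event 4625 (failed logon) and
4624 (successful logon); thresholds and time windows are illustrative assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample. Fields: time|event_id|logon_type|account|source_ip|host
# Logon type 10 = RemoteInteractive (RDP). Logon type 3 = Network, which is what
# a CrackMapExec SMB authentication produces on each target host.
SAMPLE_EVENTS = """\
2020-12-01T02:00:01|4625|10|administrator|203.0.113.7|SRV-RDP01
2020-12-01T02:00:02|4625|10|admin|203.0.113.7|SRV-RDP01
2020-12-01T02:00:03|4625|10|backup|203.0.113.7|SRV-RDP01
2020-12-01T02:00:04|4625|10|itadmin|203.0.113.7|SRV-RDP01
2020-12-01T02:00:05|4625|10|jsmith|203.0.113.7|SRV-RDP01
2020-12-01T02:00:06|4625|10|jsmith|203.0.113.7|SRV-RDP01
2020-12-01T02:01:10|4624|10|jsmith|203.0.113.7|SRV-RDP01
2020-12-01T03:15:00|4625|10|jsmith|10.0.5.20|SRV-RDP01
2020-12-01T03:20:00|4624|3|jsmith|10.0.5.20|FS01
2020-12-01T03:20:05|4624|3|jsmith|10.0.5.20|FS02
2020-12-01T03:20:09|4624|3|jsmith|10.0.5.20|DC01
2020-12-01T03:20:15|4624|3|jsmith|10.0.5.20|WS-BOB
2020-12-01T08:00:00|4624|3|alice|10.0.5.31|FS01
2020-12-01T09:00:00|4624|2|alice|-|WS-ALICE
"""


def parse_events(text):
    """Parse pipe-separated records into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, account, src, host = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(eid),
                       "logon_type": int(ltype), "account": account,
                       "source_ip": src, "host": host})
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sources with >= threshold failed RDP logons inside one sliding window.
    Returns {source_ip: {"failures": peak count, "accounts": accounts tried,
    "success_after": account of a later RDP success from that source, or None}}."""
    recent = defaultdict(deque)   # source_ip -> failure timestamps in window
    tried = defaultdict(set)      # source_ip -> accounts attempted
    hits = {}
    for e in events:
        if e["logon_type"] != 10:
            continue
        src = e["source_ip"]
        if e["event_id"] == 4625:
            q = recent[src]
            q.append(e["time"])
            while e["time"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            tried[src].add(e["account"])
            if len(q) >= threshold:
                info = hits.setdefault(src, {"failures": 0, "accounts": set(),
                                             "success_after": None})
                info["failures"] = max(info["failures"], len(q))
                info["accounts"] = set(tried[src])
        elif e["event_id"] == 4624 and src in hits and hits[src]["success_after"] is None:
            # An RDP success from a source that was just brute forcing: a guess landed.
            hits[src]["success_after"] = e["account"]
    return hits


def detect_lateral_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """(source_ip, account) pairs that authenticated over the network (4624,
    type 3) to >= min_hosts distinct hosts within the window: the fan-out that
    CrackMapExec-style spreading produces. Returns {pair: sorted host list}."""
    recent = defaultdict(list)    # (src, account) -> [(time, host)] in window
    hits = {}
    for e in events:
        if e["event_id"] != 4624 or e["logon_type"] != 3:
            continue
        key = (e["source_ip"], e["account"])
        recent[key] = [(t, h) for t, h in recent[key] if e["time"] - t <= window]
        recent[key].append((e["time"], e["host"]))
        hosts = {h for _, h in recent[key]}
        if len(hosts) >= min_hosts:
            hits[key] = sorted(hosts | set(hits.get(key, [])))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for src, info in detect_rdp_bruteforce(evs).items():
        print(f"RDP brute force from {src}: {info['failures']} failures in window, "
              f"accounts {sorted(info['accounts'])}, succeeded as {info['success_after']}")
    for (src, acct), hosts in detect_lateral_fanout(evs).items():
        print(f"Lateral fan-out: {acct} from {src} -> {hosts}")
```

On the sample, the first detector reports 203.0.113.7 with six failures against five accounts followed by a successful logon as jsmith, and the second reports jsmith authenticating from 10.0.5.20 to four hosts inside fifteen seconds; alice's single file-server logon stays quiet. Two caveats for a real deployment: failed logons are only recorded if the "Audit Logon" failure policy is enabled, and when Network Level Authentication is on, failed RDP attempts are frequently logged as logon type 3 rather than 10, so a production rule should also count type 3 failures from external addresses.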
Maze
Maze was probably the first ransomware gang to publish stolen data online. In a December 11, 2020 press release, the group claimed that the Maze team was retiring, while hinting that it might return in the future.
Maze first made headlines for using this technique against Allied Universal in 2019.
Although no new victims have appeared on the Maze website since, security experts do not believe Maze is gone for good. They suspect that some members joined the Egregor group, or are simply lying low until the attention dies down.
Ragnar Locker
Ragnar Locker mainly affects Microsoft Windows systems and was first identified in December 2019. It is more sophisticated than most ransomware: the gang deploys it manually, and only after an initial phase of network compromise, reconnaissance, and preparatory tasks on the victim's systems.
Ragnar Locker also makes more extensive use of obfuscation than most ransomware, to evade detection for as long as possible. Some of the gang's most notable recent victims include Energias de Portugal, Campari, and Capcom.