CYBERCRIME EVOLUTION: 5 RANSOMWARE GANGS TO WATCH OUT FOR IN 2021
2020 has proven to be a challenging year for cybersecurity.
While the world was in turmoil, cybercrime was on the rise – with hacker groups particularly targeting companies in the middle of insecure transitions to digital operations.
BlackFog’s recent investigation into the state of ransomware revealed shocking statistics – with the most-targeted industry being government sectors worldwide, closely followed by the education sector and the service industry.
An average of 20 high-profile attacks are reported each month – and the tempo of global cybercrime shows no signs of slowing down.
According to BlackFog’s report, the top five threats for this year so far are:
- REvil
- Conti
- DarkSide
- Clop
- Egregor
In today’s blog, we’ll introduce you to these ransomware groups, their past targets and methods of operation.
1. REVIL (AKA SODINOKIBI)
REvil first appeared in 2018, working with another cybercrime group – GandCrab. At the time, the organization was focused on distributing ransomware through malicious ads and tools that infect systems through drive-by downloads.
They have since consolidated into an elite ransomware group that is notorious for harvesting enormous quantities of data and targeting large conglomerates in order to demand multimillion ransoms.
Short for “Ransomware Evil”, the REvil ransomware gang is the current record holder for the biggest ransom demand yet – requesting $50 million from Acer in March of 2021!
Other REvil cases include an attack on the U.S. meat processing enterprise JBS Foods (which brought them an $11M profit) and, most recently, using the Kaseya IT management software to distribute devastating attacks on more than 1000 businesses just ahead of the July 4th weekend.
The group relies on tried-and-true tactics of attack that include phishing and exploitation of Remote Desktop Protocol (RDP). Several other unique methods of entry have also been observed, such as:
- Malicious email attachments
- Malicious ZIP files
- Appliance vulnerability exploitation
- Server vulnerability & user privilege exploitation
Once any of these methods has succeeded, a foothold within the network is established using a Cobalt Strike beacon. With the help of a multitude of other tools – TCP View, Bloodhound or ProcessHacker, to name a few – the actors gain insight into the company’s inner workings and use the gathered information to their own benefit.
2. CONTI (AKA WIZARDSPIDER)
In contrast to the lofty ideals of DarkSide (discussed below), Conti takes the opposite approach in its target selection.
The group spent 2020 attacking crucial public sector structures – healthcare centers, emergency medical services and 911 dispatch carriers – prompting Palo Alto Networks to name them one of the most ruthless ransomware gangs currently operating.
Their most notorious attack to date was the infiltration of the Irish Health Service Executive (HSE) in May this year, which caused numerous serious service disruptions, such as blocking hospital staff from accessing their emails, cancelling x-ray appointments, and slowing down the processing of medical card and GP visit card applications.
Another high-profile Conti case was hacking into the Broward County Public Schools (Florida) system, and requesting a $40 million ransom.
Conti also subscribes to the RaaS model of operation – with their means of distribution remaining largely unchanged since they first appeared on the scene.
The first step is a phishing email containing a link that sends the victim to a Google Drive document, which carries the payload. Once the document is downloaded, the malware within connects the unsuspecting victim’s device to Conti’s command-and-control server. A multithreading technique allows Conti’s malware to spread quickly within the infiltrated network, compromising as much critical information as it can.
Conti relies on a double-extortion technique: they offer to decrypt the compromised data in exchange for a ransom, and if the ransom isn’t paid promptly, threats to publish the sensitive data follow.
3. DARKSIDE
While they’re a relatively new group, initially appearing on the scene in August 2020, DarkSide quickly made a name for themselves with the Colonial Pipeline attack earlier this year.
Like Egregor, this ransomware group (related to Russia according to Varonis’ investigations) also functions according to the RaaS model. Again, this means that their weaponization and deployment tactics vary, and can therefore be hard to predict and block.
However, recent deductions by McAfee, based on other RaaS campaigns, suggest that DarkSide uses a four-point strategy in their attacks:
- Examine potential vulnerabilities on servers or RDP
- Establish a beachhead in the infiltrated network
- Use tools such as Empire, Mimikatz, or IE/FireFox password dumper to gain even more access
- Identify the most critical parts of the system and exploit them
As with all other ransomware groups, the key is most often the initial point of entry – after which it becomes increasingly easy to escalate privileges and harvest data.
DarkSide’s early intentions were to style themselves as a “Robin Hood” outlier amongst their peers, declaring in their opening statements that they’d prefer not to attack critical infrastructures of public importance such as hospitals, schools and non-profit organizations.
In this effort to present itself as a socially conscious cybercrime group, DarkSide has donated to charity several times, released PR statements declaring its newest ambitions, and even runs a “customer service” division, which assists victims once they’ve paid the ransom.
4. CLOP (AKA FANCYCAT)
The attacks by this Ukraine-based group began back in 2019, when it targeted four Korean companies and encrypted over 800 internal services and personal computers. The more recent high-profile cases associated with Clop – or Cl0p, as it is sometimes written – include the U.S. pharmaceutical company ExecuPharm and the Korean e-commerce enterprise E-Land.
Clop also targeted the German tech giant Software AG. This case made headlines because the group demanded a ransom of over $20 million – which Software AG refused to pay. Their determination did not pay off, as Clop’s affiliates retaliated by publishing the company’s confidential information on the dark web.
Clop’s activities show no signs of stopping – instead, they seem to be accelerating. Out of their total of 53 victims, 35 have been hit this year alone!
Even with several members of this ransomware gang arrested in Kiev in June, the group continued its activities just a week later, leaking more sensitive data on their website. Adding to the extent of their operations, the latest news on Clop is the discovery of their $500 million money laundering scheme.
5. EGREGOR
Egregor is rumoured to have partially developed from the now-disbanded, notorious ransomware group Maze, which shut down in October of 2020.
The timing of Egregor’s appearance and Maze’s disappearance does seem to match, as Egregor first appeared on the FBI’s radar in September 2020.
They have since targeted over 71 companies – with some of their higher-profile targets including U.S. retailer chain Kmart, as well as bookstore conglomerate Barnes & Noble and even video game developers Crytek and Ubisoft.
Egregor, like a number of other groups on this list, operates on the Ransomware as a Service (RaaS) model.
This type of operation is an adaptation of the Software as a Service (SaaS) model. The group can essentially sell subscriptions to its service like any other provider, allowing those with malicious intent – but no hacking expertise – to launch fully developed ransomware attacks with minimal effort. The group providing the ransomware simply charges a percentage of the ransom fee from each victim extorted.
The details of how Egregor ransomware precisely operates remain unclear – as the group has multiple affiliates, its tactics vary.
Malwarebytes argues that Egregor’s primary distribution method is Cobalt Strike. This tactic relies on primary and secondary rounds of infiltration; the targeted network is first probed and weakened in different ways before the Cobalt Strike beacon payload can be used to transfer and activate the Egregor payloads.
Once inside the network, the attackers will look to servers that seem to hold the most sensitive information possible – giving them plenty of leverage in their ransom negotiations.
BEST DEFENCE MECHANISMS
As we’ve seen, what all of these ransomware groups have in common is the exploitation of weak points of entry. These weak points are most often connected to unsecured connections, devices, or simply – human error.
The first line of defence against ransomware should therefore start with enforcing good employee security hygiene when it comes to unknown email attachments and/or links.
Should human error still let the attackers in – and that happens more often than you’d think – the next step should be top-of-the-line protection solutions that can step up to the task of quickly spotting, isolating and eliminating the intruder in your system:
- Next Generation Firewalls
- Intrusion Prevention Systems (IPS)
- Network Behavior Analysis
- Network Access Control (NAC)
- Email Security Gateways
- Web Security Gateways