Corporation hunters: Top 5 ransomware groups

[harlan4096]

The most active groups targeting companies, encrypting data, and demanding ransom.

Over the past five years, ransomware has evolved from being a threat to individual computers to posing a serious danger to corporate networks.

Cybercriminals have stopped simply trying to infect as many computers as possible and are now targeting big victims instead. Attacks on commercial organizations and government agencies require careful planning but can potentially lead to rewards in the tens of millions of dollars.

Ransomware gangs exploit companies’ financial clout, which tends to be far greater than that of ordinary users. What’s more, many modern ransomware groups steal data prior to encryption, adding the threat of publication as further leverage. For the affected company, that adds all kinds of risks, from reputational damage to problems with shareholders to fines from regulators, which often add up to more than the ransom.

According to our data, 2016 was a watershed year. In just a few months, the number of ransomware cyberattacks on organizations tripled: Whereas in January 2016 we recorded one incident every 2 minutes on average, by late September the interval had shrunk to 40 seconds.

Since 2019, experts have regularly observed targeted campaigns from a series of so-called big-game-hunting ransomware. The malware operators’ own sites show attack statistics. We used this data to compile a ranking of the most active cybercriminal groups.

1. Maze (aka ChaCha ransomware)

Maze ransomware, first spotted in 2019, quickly rose to the top of its malware class. Of the total number of victims, this ransomware accounted for more than a third of attacks. The group behind Maze was one of the first to steal data before encryption. If the victim refused to pay the ransom, the cybercriminals threatened to publish the stolen files. The technique proved effective and was later adopted by many other ransomware operations, including REvil and DoppelPaymer, which we discuss below.

In another innovation, the cybercriminals began reporting their attacks to the media. In late 2019, the Maze group told Bleeping Computer about its hack of the company Allied Universal, attaching a few of the stolen files as evidence. In its e-mail conversations with the website’s editors, the group threatened to send spam from Allied Universal’s servers, and it later published the hacked company’s confidential data on the Bleeping Computer forum.

The Maze attacks continued until September 2020, when the group began winding down its operations, although not before several international corporations, a state bank in Latin America, and a US city’s information system had already suffered from its activities. In each of those cases, Maze operators demanded several million dollars from the victims.

2. Conti (aka IOCP ransomware)

Conti appeared in late 2019 and was very active throughout 2020, accounting for more than 13% of all ransomware victims during this period. Its creators remain active.

An interesting detail about Conti attacks is that the cybercriminals offer the target company help with security in exchange for agreeing to pay, saying “You will get instructions how to close the hole in security and how to avoid such problems in the future + we will recommend you special software that makes the most problems to hackers.”

As with Maze, the ransomware not only encrypts, but also sends copies of files from hacked systems to ransomware operators. The cybercriminals then threaten to publish the information online if the victim fails to comply with their demands. Among the most high-profile Conti attacks was the hack of a school in the United States, followed by a $40 million ransom demand. (The administration said it had been ready to pay $500,000 but would not negotiate 80 times that amount.)

3. REvil (aka Sodin, Sodinokibi ransomware)

The first attacks by REvil ransomware were detected in early 2019 in Asia. The malware quickly attracted the attention of experts for its technical prowess, such as its use of legitimate CPU functions to bypass security systems. In addition, its code contained characteristic signs of having been created for lease.

In the total statistics, REvil victims make up 11%. The malware affected almost 20 business sectors. The largest share of victims falls to Engineering & Manufacturing (30%), followed by Finance (14%), Professional & Consumer Services (9%), Legal (7%), and IT & Telecommunications (7%). The latter category accounted for one of the most high-profile ransomware attacks of 2019, when cybercriminals hacked several MSPs and distributed Sodinokibi among their customers.

The group currently holds the record for the largest ever known ransom demand: $50 million from Acer in March 2021.
...

Continue Reading