8 Ransomware Groups You Should Know (And Who They’ve Targeted)
Ransomware is becoming an increasingly lucrative industry for the perpetrators who exploit companies’ vulnerabilities and hold their data for ransom. According to Cybersecurity Ventures, the annual costs of ransomware for businesses will soar over the next decade, from $20 billion in 2021 to $265 billion in 2031.
With so much money to be made in the world of cybercrime, so-called “ransomware groups” or “ransomware gangs” are surging in popularity. These digital collectives are just as organized and savvy as physical gangs but even more mysterious and elusive. Many ransomware groups are fierce but short-lived, launching a series of debilitating ransomware attacks before their members disband and join other gangs.
The landscape of ransomware threat actors is constantly shifting, which means that companies need to stay on top of the potential ransomware threats to their organizations. In this article, we’ll go over eight of the biggest and most dangerous ransomware groups that businesses should know, including some of their highest-profile targets. Each section will include a link to a deep-dive article on the given ransomware group so that you can educate yourself more fully on the topic.
1. Clop
The Clop ransomware group first appeared in February 2019 and is believed to operate in Russian-speaking countries. The attackers use a “double extortion” strategy, threatening to release users’ data to the Dark Web if they refuse to pay the ransom for their encrypted files. Clop is known for its attacks on targets such as the U.S. pharmaceutical company ExecuPharm, South Korean retail giant E-Land, and the Singaporean offshore marine services company Swire Pacific Offshore.
Clop ransomware spreads via attack vectors like phishing emails, infected websites, and Remote Desktop Protocol (RDP) exploits. Clop is known for its use of malware, such as SDBOT, to spread throughout an organization’s network. The “calling card” of Clop ransomware is encrypting files with the extension “.clop” (or variants of this spelling).
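A file extension such as “.clop” is a simple indicator that a file-integrity or endpoint log can be watched for. The block below is an added example, not code from the original article or from any vendor it mentions: it scans constructed file-rename log lines and raises an alert when one host renames several files to a Clop-style extension within a short window, which is the pattern mass encryption leaves behind. The log line format, the hostnames, the extension list and the thresholds are all assumptions for illustration.

```python
"""Flag a burst of file renames to a known ransomware extension.

Added example: detector over constructed rename-event log lines. The log
format '<iso-timestamp> <host> RENAME <old-path> -> <new-path>', the host
names, the extension watch list and the thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime

# Watch list: ".clop" from the article plus illustrative spelling variants.
# Treat this as a starting point to be extended from current threat intel.
RANSOMWARE_EXTENSIONS = {".clop", ".cllp", ".ciop"}

# Constructed sample log: ws-17 shows a 5-file burst, ws-02 shows benign
# activity plus a single isolated rename that should not alert on its own.
SAMPLE_LOG = [
    r"2023-05-01T10:00:01 ws-17 RENAME C:\Users\a\report.docx -> C:\Users\a\report.docx.clop",
    r"2023-05-01T10:00:02 ws-17 RENAME C:\Users\a\budget.xlsx -> C:\Users\a\budget.xlsx.clop",
    r"2023-05-01T10:00:02 ws-17 RENAME C:\Users\a\plan.pptx -> C:\Users\a\plan.pptx.clop",
    r"2023-05-01T10:00:03 ws-17 RENAME C:\Users\a\notes.txt -> C:\Users\a\notes.txt.clop",
    r"2023-05-01T10:00:04 ws-17 RENAME C:\Users\a\photo.jpg -> C:\Users\a\photo.jpg.Clop",
    r"2023-05-01T10:05:00 ws-02 RENAME C:\Users\b\draft.docx -> C:\Users\b\draft_final.docx",
    r"2023-05-01T11:00:00 ws-02 RENAME C:\Users\b\old.txt -> C:\Users\b\old.txt.clop",
]


def parse_event(line):
    """Parse one rename line into (timestamp, host, old_path, new_path).

    Returns None for lines that do not match the assumed format so that
    unrelated log entries are skipped rather than crashing the scan.
    """
    try:
        head, paths = line.split(" RENAME ", 1)
        ts_text, host = head.split(" ", 1)
        old_path, new_path = paths.split(" -> ", 1)
    except ValueError:
        return None
    return datetime.fromisoformat(ts_text), host, old_path, new_path


def is_ransomware_extension(path):
    """Case-insensitive check of the final extension against the watch list."""
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in RANSOMWARE_EXTENSIONS


def detect_mass_rename(lines, window_seconds=60, threshold=5):
    """Return one alert per host whose renames to a watched extension reach
    `threshold` inside a sliding window of `window_seconds`.

    Lines are assumed to be in chronological order, as a forwarded log would
    be. A single isolated rename never alerts; only a burst does.
    """
    recent = defaultdict(deque)  # host -> timestamps of suspicious renames
    alerted = set()
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        ts, host, _old_path, new_path = event
        if not is_ransomware_extension(new_path):
            continue
        window = recent[host]
        window.append(ts)
        # Drop timestamps that fell out of the sliding window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append({
                "host": host,
                "first_seen": window[0].isoformat(),
                "count": len(window),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_LOG):
        print(f"ALERT host={alert['host']} first_seen={alert['first_seen']} "
              f"renames={alert['count']}")
```

The threshold and window are deliberately conservative defaults; in practice they should be tuned per host role, and the alert should feed an isolation playbook rather than a mailbox, because by the time the extension appears encryption is already under way.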
What also sets Clop apart is its use of several techniques to evade detection. It ships as a digitally signed binary, so it looks like a legitimate executable and can slip past security tools. It also terminates many processes and security solutions. Finally, it will not execute if it detects that it is running in a virtual environment.
2. Conti
First detected in February 2020, the Conti ransomware group is believed to be an offshoot of Ryuk, a ransomware variant developed by the Russian cybercriminal gang Wizard Spider, based in Saint Petersburg. Like the Clop ransomware group, Conti employs a “double extortion” strategy, threatening victims with the release of their confidential data if they fail to pay a ransom.
What also sets Conti apart from other ransomware is the speed at which it encrypts files.
Conti is responsible for major ransomware attacks on both private companies and governments such as Ireland, the U.S., and Costa Rica. Although much of the group’s critical infrastructure was shut down in June 2022, the Conti ransomware group members have likely joined other ransomware gangs, and the situation requires further monitoring.
3. DarkSide
The DarkSide ransomware group was first observed in August 2020. DarkSide is a major purveyor of the “ransomware as a service” (RaaS) business model, in which gangs pay other gangs for the use of their ransomware kits and software tools. They often make use of the CVE-2019-5544 and CVE-2020-3992 vulnerabilities. Although both vulnerabilities have been patched already, attackers focus on companies running unpatched or outdated software.
DarkSide is perhaps best known for its May 2021 ransomware attack on Colonial Pipeline, which brought the company’s operations to a screeching halt and left many gas stations in the southeastern U.S. temporarily without fuel. Like the Conti group, the DarkSide ransomware gang uses highly aggressive strategies and threats to get victims to pay up.
4. REvil
Also known as “Sodinokibi,” the REvil ransomware group first appeared in April 2019 and has rapidly become one of the most dangerous and infamous ransomware gangs. According to IBM, REvil was responsible for one in three ransomware attacks during 2020. Like many other ransomware groups, REvil is believed to be based in Russia or to have Russian-speaking members.
In one major case, REvil hacked Apple supplier Quanta Computer and stole several blueprints of future Apple products. In January 2022, Russian authorities said that they had arrested several members of REvil and that the group had “ceased to exist.” However, new attacks linked to REvil appeared in April, casting doubt on this claim.
5. LockBit
The LockBit ransomware group has gone through several iterations since its first appearance in 2019, from LockBit 1.0 through 2.0 to the current LockBit 3.0 version. IT security consulting firm NCC Group reported that LockBit 3.0 was responsible for 40% of all ransomware attacks observed in August 2022, making it “the most threatening ransomware threat actor” that month.
What also sets LockBit apart from other ransomware is that it can spread on its own through pre-designed automated mechanisms.
LockBit ransomware attacks have tended to focus on private enterprises across the U.S., Europe, and Asia. The group is believed to be responsible for attacks on companies such as Accenture and Foxconn.
6. BlackCat
Also known as ALPHV, the BlackCat ransomware group first surfaced in November 2021, accumulating more than 60 victims over the next five months. While a relatively new player in the ransomware threat landscape, BlackCat has already launched successful attacks on organizations such as the German oil companies Oiltanking and Mabanaft, the Italian fashion brand Moncler, and Florida International University.
BlackCat uses a RaaS business model and is perhaps the first ransomware to use the cross-platform Rust programming language. This allows attackers to rapidly customize the malware for multiple operating systems and environments.
7. LAPSUS$
The LAPSUS$ hacking group (also written “Lapsus$”) appeared seemingly out of the blue in December 2021. In just a few months, the gang quickly racked up a string of massive attacks on high-profile targets in the tech industry, including Microsoft, Uber, Samsung, and Nvidia.
LAPSUS$ seems to be unique among the ransomware groups in this article. Like other gangs, LAPSUS$ extorts businesses for ransom in exchange for not leaking their sensitive data; however, it apparently does not use ransomware to encrypt this information. It remains to be seen how the recent arrests of suspects in the United Kingdom and Brazil will affect the group’s operations.
8. Ragnar Locker
Last but not least, the Ragnar Locker ransomware group has been in operation since at least December 2019. The ransomware does not work on computers located in Russia, Eastern Europe, or Central Asia, suggesting that the group’s members are from these regions.
Ragnar Locker seems to prefer targeting companies in the energy and critical infrastructure sectors, perhaps believing that these businesses are more likely to pay the ransom. However, the gang is not picky: it has also scored attacks on Italian liquor company Campari and the Portuguese airline TAP Air Portugal.
Ransomware gangs are one of the most serious cybersecurity issues that businesses face today—but the good news is that you’re far from helpless in the face of ransomware threats. By engaging in Dark Web threat monitoring, you can identify potential cybersecurity risks and malicious actors before they pose a real problem for your organization.
FYEO's Domain Intelligence threat intelligence platform maintains one of the world’s largest databases of leaked credentials, with more than 23 billion entries, so that users can detect immediately when their sensitive data has been leaked on the Dark Web. If we find a match between your private information and a Dark Web site, we’ll issue an alert so that you can move to protect yourself. Want to learn more? Get in touch with us today to request a demo of FYEO Domain Intelligence.