Ransomware groups target businesses, government agencies, and critical infrastructure. Most of the time they steal data and demand a significant ransom; if the ransom isn't paid, the data is leaked to the public. The result is crippled operations, compromised personal data, and large sums lost by companies to cybercriminals.
Recent ransomware attacks include the May 2021 attack on Colonial Pipeline, which prompted the company to pay $4.4 million in bitcoin to DarkSide, and the attack on JBS Foods, also in May 2021, which led it to pay $11 million to REvil.
Because of the breach, Colonial Pipeline had to halt operations for a time, which led to panic buying and a spike in gas prices. The food supply was also threatened when cattle slaughtering was disrupted for a day.
The media has extensively covered the companies involved in these ransomware attacks, but what about the ransomware groups that perpetrated them? How well do we actually know them?
The similarities of these ransomware groups
These ransomware groups share similar motivations and methods for breaching the defenses of their target institutions.
The main similarities include the following:
- They exploit unpatched vulnerabilities in their targets' software to gain initial access
- They often use legitimate tools during the intrusion to avoid detection
- They locate valuable and critical assets for data exfiltration
- They use leak sites to store or publish stolen data
- Their ransom notes to victims follow the same content structure
- They threaten to release personal records of the clientele of the victim if the ransom isn’t paid
- Most of the ransomware groups are profit-oriented when they carry out an attack
- Most of the ransomware groups demand to be paid in bitcoin
Get to know these popular ransomware groups
These ransomware groups have been selected because of their recent attacks, the degree of their impact, and the significant amount of ransom they have collected. Most of them follow the same methods, which ultimately compromised their victims' assets and cost them dearly.
- DarkSide
Perceived location: The FBI believed that DarkSide originated from Eastern Europe
Usual targets: manufacturing, finance, and critical infrastructure
Recent targets: Colonial Pipeline (2021), a technology service in the US, a renewable energy product seller in Brazil, and a construction company based in Scotland
DarkSide made headlines when it attacked Colonial Pipeline, a major refined-oil pipeline system on the East Coast, in May 2021. DarkSide demanded a ransom of $11 million in bitcoin. Colonial Pipeline released a statement that it paid $4.4 million in bitcoin to DarkSide to recover its data.
The group targets its victims through phishing, after first analyzing the victim's financial status before deciding to attack. It also abuses Remote Desktop Protocol (RDP) and exploits vulnerabilities to gain access. Once inside, it uses PowerShell, Windows' task automation and configuration management program, to execute commands, including deleting the shadow copies across the network so the victim cannot restore files from them.
DarkSide does not target certain industries such as healthcare, education, the public sector, and the nonprofit sector. They don’t attack targets located in a Commonwealth of Independent States (CIS) country either.
The CIS is an intergovernmental organization in Eastern Europe and Asia created in December 1991. The countries belonging to the CIS are Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Uzbekistan, Russia, Tajikistan, Turkmenistan, and Ukraine.
- REvil
Perceived location: a Russian-speaking cybercriminal collective with various unidentified affiliates all over the world
Usual targets: managed IT service providers and other businesses
Recent targets: Kaseya (July 2021), a Miami-based IT management software vendor that provides security management solutions for managed service providers (MSPs) and small to medium-sized businesses (SMBs), and JBS Foods, a meat processing company.
REvil ransomware is file-encrypting malware that encrypts files after infection and drops a ransom note. When the group attacked Kaseya in July 2021, it demanded $70 million for the data.
REvil's processes are as follows: file and directory discovery, file deletion, modifying the registry, querying the registry, querying user information, encrypting files, destroying files, making C2 connections to send victim information, modifying system configuration, and elevating privileges.
- Avaddon
Perceived location: Reports indicated that the ransomware group originated from Russia
Usual targets: telecom service providers, insurance companies, and health care industries
Recent targets: AXA, a leading cyber-insurance company; Capital Medical Center in Washington; Bridgeway Senior Healthcare in New Jersey; and an online intensive care network.
Avaddon is a Ransomware-as-a-Service (RaaS) operation that provides affiliate attackers with a platform for attacking their targets. The affiliates and the Avaddon developers share the profits when an attack succeeds and the ransom is paid.
Avaddon's technique is classic phishing: spamming email recipients with malicious JavaScript files. The emails taunt the recipient into viewing or downloading the malicious attachment, which is presented as a compromising photo of them.
Around June 2021, Avaddon released a statement that it would retire from ransomware attacks. This may be due to the intensified government fight against cyberattacks, but many speculate that it is just a ruse and that the group will eventually operate again.
- Ragnar
Perceived location: Unreported
Usual targets: Managed Service Providers
Recent targets: In April 2020, Ragnar attacked Energias de Portugal (EDP). They released a statement claiming they stole 10 terabytes of sensitive company data and demanded a payment of $11 million in bitcoin.
Ragnar Locker is ransomware that disables any antivirus it detects and deletes existing shadow copies. Ragnar uses PowerShell scripts to move company assets from one machine to another. If the victim doesn't pay the demand, Ragnar publishes the confidential information on other servers.
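Both DarkSide and Ragnar Locker, as described above, delete shadow copies and (in Ragnar's case) switch off antivirus before encrypting, so those commands are a reliable early warning for defenders. The following is an added example, not code from the article or from any of the groups it describes: a small detector that parses process-creation log lines and flags command lines matching well-known shadow-copy deletion and Defender-tampering forms (MITRE ATT&CK T1490 and T1562.001). The log format, host names, user names and the six log lines are constructed for the example.

```python
"""Flag process-creation events that look like shadow-copy deletion or
antivirus tampering. Added example with constructed log lines; the
key=value log format below is an assumption, not any vendor's format."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Command-line forms publicly documented as recovery inhibition (T1490).
# All matching is done against a lower-cased command line.
SHADOW_COPY_PATTERNS = [
    r"vssadmin(\.exe)?\s+delete\s+shadows",
    r"vssadmin(\.exe)?\s+resize\s+shadowstorage",
    r"wmic(\.exe)?\s+shadowcopy\s+delete",
    r"win32_shadowcopy.*(remove-wmiobject|\.delete\(\))",
    r"wbadmin(\.exe)?\s+delete\s+catalog",
]
# Turning off Microsoft Defender real-time protection (T1562.001).
AV_TAMPER_PATTERNS = [
    r"set-mppreference\s+.*-disablerealtimemonitoring\s+\$?true",
]

# Constructed log line shape: "<timestamp> host=<h> user=<u> image=<path> cmd="<cmdline>""
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmd="(?P<cmd>[^"]*)"$'
)


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    technique: str
    cmd: str


def classify(cmd: str) -> Optional[str]:
    """Return the ATT&CK technique a command line matches, or None."""
    low = cmd.lower()
    if any(re.search(p, low) for p in SHADOW_COPY_PATTERNS):
        return "T1490 Inhibit System Recovery"
    if any(re.search(p, low) for p in AV_TAMPER_PATTERNS):
        return "T1562.001 Disable or Modify Tools"
    return None


def scan(lines: List[str]) -> List[Alert]:
    """Parse each log line and collect alerts; unparseable lines are skipped."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the scan
        technique = classify(m["cmd"])
        if technique:
            alerts.append(Alert(m["ts"], m["host"], m["user"], technique, m["cmd"]))
    return alerts


# Constructed sample events: one benign vssadmin query, three suspicious
# commands, one unrelated process, and one malformed line.
SAMPLE_LOG = [
    r'2021-05-07T10:15:02Z host=WS-12 user=CORP\alice image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe list shadows"',
    r'2021-05-07T10:16:40Z host=WS-12 user=CORP\alice image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet"',
    r'2021-05-07T10:17:05Z host=WS-12 user=CORP\alice image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -nop -w hidden -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
    r'2021-05-07T10:17:30Z host=SRV-01 user=CORP\svc_backup image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"',
    r'2021-05-07T10:18:00Z host=WS-12 user=CORP\alice image=C:\Windows\System32\notepad.exe cmd="notepad.exe C:\Users\alice\notes.txt"',
    r'garbage line that does not parse',
]


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.host} {a.user} [{a.technique}] {a.cmd}")
```

Listing shadow copies is left unflagged on purpose: administrators run `vssadmin list shadows` routinely, and alerting on every vssadmin invocation would bury the three events that matter. In practice the same patterns can be applied to Sysmon Event ID 1 or Windows Security 4688 command-line fields.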
- Conti
Perceived location: Russia
Usual targets: government agencies and health care providers
Recent targets: Conti attacked Florida’s Broward County Public Schools and demanded a ransom of $40 million. They were also reported to have attacked government agencies in New Zealand and Scotland.
Conti has been reported to be the perpetrator of over 400 cyberattacks on organizations all over the world. One of Conti's most notorious attacks was on the Irish Health Service Executive, which delayed COVID-19 testing in Ireland.
Conti also follows the popular double-extortion technique, pressuring victims to pay the ransom immediately or have their data published. Conti reportedly released 3 GB of data from Advantech, a manufacturer of chips for IoT devices; why it released the data is not known.
A Game of Attack and Defense
Because of these breaches, cybersecurity teams have developed sophisticated tools to guard against ransomware, but ransomware groups have also been improving their techniques to outsmart those security measures. It is an uphill battle for both sides, with the outcome depending on the intensity of the attack and the strength of the target's defenses.
Cyber threats will always exist, but that doesn't mean you are defenseless, because we are here to protect your assets and keep your mind at ease. We will develop the security measures suited to your needs to keep you safe. Give us a call now.