2022 marked another year in which ransomware proved to be one of the most pernicious cyberthreats around the world. Targeting victims both large and small, ransomware gangs showed that they could still wreak havoc despite efforts by law enforcement and governments to crack down on them. Though a variety of these criminal groups litter the cyberspace landscape, a few were especially dangerous and destructive in their ransomware attacks throughout the year. Here are four of those ransomware groups.
SEE: Security incident response policy (TechRepublic Premium)
ALPHV aka BlackCat specializes in ransomware-as-a-service through which it offers the necessary malware and infrastructure to affiliates who then carry out the actual attacks. Though seemingly new to the ransomware landscape, having surfaced in 2021, ALPHV reportedly is connected to the BlackMatter/DarkSide group responsible for the infamous ransomware attack against Colonial Pipeline in 2021.
How ALPHV operates
Infiltrating its victims by exploiting known security flaws or vulnerable account credentials, ALPHV pressures organizations to pay the ransom by launching Distributed Denial of Service attacks against them. The group also likes to expose stolen files publicly through a search engine for the data leaks of its victims.
The group targets public and nonprofit organizations as well as large corporations, according to Brad Crompton, director of intelligence at cyber threat intelligence provider Intel 471. During the third quarter of the year, this ransomware variant hit 30 organizations, impacting real estate businesses, professional services and consulting firms, consumer and industrial product makers, and technology companies. In September, ALPHV took credit for attacking airports, fuel pipeline operators, gas stations, oil refineries and other critical infrastructure providers.
Appearing in April of 2022, RaaS group Black Basta reportedly is comprised of former members of the Conti and REvil ransomware gangs, with which it shares similar tactics, techniques and procedures. Boasting highly skilled and experienced group and affiliate members, Black Basta increasingly gains access to organizations by exploiting unpatched security vulnerabilities and publicly available source code, Crompton said.
How does Black Basta attack their victims?
Black Basta often relies on double extortion techniques, threatening to publicly leak the stolen data unless the ransom is paid. The group also deploys DDoS attacks to convince its victims to pay the ransom. In some cases, Black Basta members have demanded millions of dollars from their victims to keep the stolen data private.
Ransomware attacks stemming from Black Basta hit 50 organizations in the third quarter of 2022, according to Intel 471. The sectors most impacted by these ransomware attacks included consumer and industrial products, professional services and consulting, technology and media, and life sciences and healthcare. Among different countries, the U.S. was the group’s biggest target for the quarter with 62% of all reported attacks.
Springing up in early 2022, Hive quickly earned a name for itself as one of the most active ransomware groups. The number of attacks from this gang alone jumped by 188% from February to March, according to NCC’s March Cyber Threat Pulse report. This ransomware variant was also one of the top four most observed during the third quarter of the year, Intel 471 said.
What types of companies does Hive target?
Traditionally focused on the industrials sector, Hive has also targeted academic and educational services as well as sciences and healthcare companies along with energy, resources and agriculture businesses. Last quarter, the Hive ransomware hit 15 countries, with the U.S. and the U.K. as the top two targets, respectively.
The group is fast, allegedly encrypting anywhere from hundreds of megabytes to more than four gigabytes of data per minute. To help carry out its attacks, Hive hires penetration testers, access brokers and threat actors, Crompton said. In August 2022, an alleged operator of the Hive ransomware reported using phishing emails as the initial attack vector.
With 192 attacks in the third quarter, the LockBit 3.0 ransomware continued its reign as the most prominent variant of 2022, according to Intel 471. This new variant impacted 41 countries, with the U.S. as the top target, followed by France, Italy, Taiwan and Canada. The sectors most impacted by LockBit were professional services and consulting and manufacturing, consumer and industrial products and real estate.
First announced in the second quarter of 2022, the LockBit 3.0 variant reportedly included an updated data leak blog, a bug bounty program and new features in the ransomware itself. The bug bounty concept was a first for ransomware groups, with LockBit offering as much as $1 million for anyone who discovered vulnerabilities in the gang’s malware, its victim shaming sites, its Tor network and its messaging service, Intel 471 reported.
How does LockBit carry out its ransomware attacks?
Unlike other ransomware groups, LockBit reportedly prefers low-profile attacks and tries to avoid generating headlines, Crompton said. The gang is always evolving and adapting their TTPs and software. LockBit also runs a proprietary information stealer called StealBit. Instead of acting as a typical information stealer that grabs data from browsers, StealBit is a file grabber that quickly clones files from the victim’s network to LockBit-controlled infrastructure in a short period of time.
“There are numerous reasons why these ransomware groups are dangerous in their own right,” Crompton told TechRepublic. “Generally speaking, these groups have good malware with good infrastructure, experienced negotiation teams and custom-made tools that make ransomware attacks more straightforward, in turn attracting more affiliates to their groups.”
How can organizations protect themselves from the ransomware attacks carried out by these groups?
Crompton shares the following tips:
- Make sure that multifactor authentication is in place.
- Adopt a strong password policy that prevents the reuse of old or similar passwords.
If your organization needs guidance on setting up a password management strategy, TechRepublic Premium has a policy with details on best practices and more.
- Monitor for insider threats and for any type of compromised access to your own organization and to third parties.
- Conduct frequent security audits.
- Keep an eye on all privileged accounts to guard against compromise.
- Conduct phishing awareness training for all employees.
- Don’t prioritize productivity over security, as this makes your organization more vulnerable to ransomware attacks, creating a far worse scenario than less productivity.