Ransom victims less willing to pay: the five most notorious gangs

While cybercriminals’ appetite and ransom demands continue to grow, cybersecurity firm Arete revealed that the percentage of incidents where a ransom is paid fell to 19% in the first half of 2023, compared to 29% in the second half of last year.

The median ransom demand is now $600,000, double what it was at the end of last year, Arete's data shows.

The decrease in cases where ransoms are paid is partly attributed to a rise in exfiltration-only attacks, where data is stolen but not encrypted. Companies have also improved their ability to restore normal operations without paying a ransom. Facilitating a ransom payment is always a last resort.

Ransomware gangs shifted their initial attack vectors away from last year's leading ones, software or hardware vulnerabilities and third-party remote access tools. In the first half of 2023, Remote Desktop Protocol (RDP) held the top spot, observed in 24.5% of cases, up from just 8.1% in H2 2022.

“We saw LockBit rise to the top spot, accounting for 30.3% of Arete's observed ransomware cases. New variants appeared on the scene, including Akira and Luna Moth. Despite the emergence of new variants over the past two years, Arete data indicates that dominant and well-established actors still maintain their top positions,” the report states.

Amongst the top five affected industries, the professional services sector accounted for 38% of ransomware attacks, followed by manufacturing (20%), public services (16%), high technology (14%), and healthcare (12%). The rise in attacks against professional services is primarily due to increased Luna Moth activity; the group disproportionately targeted law firms.

Here are the top five ransomware gangs:

LockBit – 18.7% of observed cases

LockBit has been at the forefront of the cybercrime sector over the last several years due to its constant development efforts and continued iterations of its ransomware encryptor.

The group commonly uses a double-extortion technique and sometimes even triple extortion, launching DDoS attacks against the victim's network, Arete writes. Victims' data is additionally leveraged on a data leak site.

LockBit members recruit experienced affiliates tasked with gaining initial access to victim networks in exchange for a percentage of the paid ransom. During intrusions, affiliates use various tools for network reconnaissance, remote access, credential dumping, and exfiltration.

The LockBit 3.0 ransomware, which is already capable of encrypting files on Windows, Linux, and VMware ESXi virtual machines, is continuously evolving. Samples designed to encrypt Apple's macOS arm64 architecture were discovered on VirusTotal in April 2023. That raises concerns about the developing risk of ransomware on macOS.

Ransom notes are delivered as ‘[id].README.txt’. Arete identified a case in which LockBit used double encryption for the first time.

ALPHV/Blackcat – 18.7% of observed cases

This group, which emerged in late 2021, targets organizations across various sectors and regions. ALPHV/Blackcat differs from other variants because it has unique features and techniques that make it more challenging to detect and stop.

The group has demonstrated continuous innovation by distributing various payloads and regularly incorporating new discovery techniques, defense evasion methods, and post-compromise activities.

ALPHV/Blackcat uses various entry points to infect the victim's network, including phishing emails, compromised credentials, and remote desktop protocol (RDP) brute force attacks. It also utilizes other malware infections to launch its ransomware payload.

Blackcat targets Windows and Linux systems as well as network-attached storage (NAS) devices, which are often used to store backups and sensitive data.

Black Basta – 12.9% of observed cases

This cybercriminal organization, which emerged in late 2021, offers Ransomware-as-a-Service (RaaS) to other hackers, meaning that anyone can use Black Basta's software and infrastructure to launch ransomware attacks and share the profits with Black Basta's operators. The gang often utilizes a double extortion technique.

To attack its victims, the criminals send phishing emails with malicious attachments or links that download and run malware, use stolen passwords or hacking tools to access the network remotely, and install the GHOSTRAT remote access trojan to execute the payload. The victim's desktop wallpaper is replaced with an image file named dlaksjdoiwg.jpg.

Royal – 12.9% of observed cases

Active since September 2021, Royal ransomware is believed to loosely operate as a closed group rather than as a RaaS provider.

Before developing its proprietary encryptor, Royal used other variants. The group does not disproportionately target any single sector or organizational size. It does not hesitate to encrypt the data of larger organizations, exfiltrate credentials, spread laterally across the victim's domain, and encrypt devices, as reported by Arete.

The group's toolset consists of phishing emails with malicious attachments or links leading to Royal payloads, stolen passwords and hacking tools used to access victims' networks, and malicious advertisements leading to its website. The group also uses the Cobalt Strike tool to maintain persistence on a system.

Akira – 12.26% of observed cases

This is a new gang, as the first ransomware attack by Akira occurred in early April 2023, and the group quickly amassed victims throughout the first half of 2023.

“Akira encrypts and exfiltrates data to a remote server and extorts victims by threatening to post sensitive information on their data leak site (DLS). The ransomware appends a ".akira" extension to encrypted files and uses a password-protected TOR site for communication and negotiations with its victims,” Arete discloses.

Akira targeted education, professional services, retail, hospitality, healthcare, and manufacturing organizations, primarily in Canada and the US.

The threat actor uses identical verbiage across negotiations. Akira usually sends a list of the five deliverables it will provide after payment, including decryption assistance and evidence of data removal, along with an option to pay for all five of the deliverables listed or just some of them. After payment is made, Akira sends the same "security report," regardless of the victim. Its decryptor is known to be unreliable and problematic, randomly skipping files or leaving .akira extensions in place.

Researchers at Avast developed a decryptor for Akira and released it as a public download in late June 2023. The gang is likely to adjust its encryption for future victims.
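The file-system artifacts named above (LockBit's ‘[id].README.txt’ ransom note, Black Basta's dlaksjdoiwg.jpg wallpaper, and Akira's ".akira" extension) are cheap to hunt for in file-creation telemetry. The following is an added example written for this article, not code from Arete or any of the groups described; the sample events, the regex patterns, and the mass-encryption threshold are constructed assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample of file-creation events (one path per line); not real telemetry.
SAMPLE_EVENTS = """
C:\\Users\\alice\\Documents\\budget.xlsx.akira
C:\\Users\\alice\\Documents\\plan.docx.akira
C:\\Users\\alice\\Documents\\notes.txt
C:\\Users\\bob\\Desktop\\3A7F9B2C.README.txt
C:\\Users\\bob\\Pictures\\dlaksjdoiwg.jpg
D:\\shares\\finance\\report.pdf.akira
""".strip().splitlines()

# File-name indicators drawn from the article. Each regex is matched against the
# base name only, so directory names cannot trigger a hit.
INDICATORS = {
    # '[id].README.txt': an identifier followed by .README.txt (a bare README.txt does not match)
    "LockBit ransom note": re.compile(r"^[0-9A-Za-z]+\.README\.txt$", re.IGNORECASE),
    "Akira encrypted file": re.compile(r"\.akira$", re.IGNORECASE),
    "Black Basta wallpaper": re.compile(r"^dlaksjdoiwg\.jpg$", re.IGNORECASE),
}


def basename(path):
    """Return the last path component, accepting Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def classify(path):
    """Return the list of indicator labels whose pattern matches this path's file name."""
    name = basename(path)
    return [label for label, rx in INDICATORS.items() if rx.search(name)]


def scan(events, mass_threshold=3):
    """Scan file-creation events; return (per-file hits, alert strings).

    A single .akira file could be a stray artifact, so a separate alert is raised
    only when the count reaches mass_threshold (assumed value, tune per environment).
    """
    hits, per_family = [], Counter()
    for path in events:
        for label in classify(path):
            hits.append((label, path))
            per_family[label] += 1
    alerts = [f"{label}: {n} matching file(s)" for label, n in per_family.items()]
    if per_family["Akira encrypted file"] >= mass_threshold:
        alerts.append("mass-encryption pattern: .akira count at or above threshold")
    return hits, alerts
```

Run `scan(SAMPLE_EVENTS)` to see all three families flagged plus the mass-encryption alert; in practice the event list would come from an EDR or file-audit feed.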