The most dangerous ransomware groups might have gone dark, but that only means they are rebranding, evolving their tactics, and preparing to strike even harder.
After the Colonial Pipeline, JBS, and Kaseya cyberattacks, ransomware groups were banned from cybercriminal forums. Some of them even went dark, but it certainly doesn’t mean they are retreating. If anything, ransomware gangs have become more dangerous.
“They are not scared of who they are targeting,” believes Alec Alvarado, threat intelligence manager at the digital risk protection company Digital Shadows. “The reward certainly outweighs the risk right now. As a result, ransomware is not going anywhere anytime soon.”
During their recent webinar, Digital Shadows looked into the landscape of ransomware, the most prominent ransomware groups, and the evolution of their tactics.
Cybercriminal forums banned ransomware
The current ransomware nightmare began in 2019, when the since-defunct Maze ransomware group introduced double extortion: stealing a victim's data before encrypting it, and threatening to publish the data if the ransom is not paid.
"What's good for one is good for everyone," Alvarado said. A wave of ransomware groups hopped on the trend. By 2019, organizations had learned to mitigate ransomware to some extent by keeping backups, storing them safely and taking them offline, so encryption alone no longer guaranteed a payout. Naturally, cybercriminals innovated and adopted double extortion, which gives them leverage even over a victim that can restore its systems.
"The state of ransomware has been huge in the press, lots of giant attacks, and different things happening. Just this year, in a very short amount of time, probably from about spring until roughly July or August, there's been some massive shake-ups," added Sean Nikkel, senior cyber threat intelligence analyst at Digital Shadows.
Since 2019, multiple data leak sites have emerged, such as the Maze ransomware website, the Happy Blog operated by Sodinokibi (REvil), Conti News, and Babuk Locker. Over 2,600 victims have been named on a data leak site since the trend began, and 740 different victims were named in Q2 2021 alone.
"We've also seen bans on ransomware on forums. Not only banning the sale of any affiliates or any malware related to ransomware but also even discussing it," Nikkel said.
As XSS and Exploit, among other forums, banned ransomware gangs, the gangs moved to messaging channels such as Telegram to discuss their business.
Ransomware actors were banned on forums after the notorious cyberattacks on the Colonial Pipeline, meat supplier JBS, and Kaseya.
Top ransomware actors for the first half of 2021 were Conti, Avaddon, PYSA, REvil, DarkSide, Babuk Locker, DoppelPaymer, and Cl0p.
There are also upstarts, such as Prometheus, LV, and some 15 other groups, whose activity increased in the second quarter of the year.
"You are in a bad place if you are in the United States, in the industrial goods sector, in Construction, Retail, Technology, and Healthcare. The top targeted region pretty much month over month will be the US, followed closely by parts of Europe and parts of Asia like India, China, and some others. It's mostly going to be the larger, more IT heavy and industry heavy countries that are getting hit," Nikkel said.
He presented some of the ransomware groups that have been dominating the field lately. Even though some of them might have gone dark, it doesn't mean they will not strike again under a different name.
Conti ransomware – the steady one
Conti started operating in late 2019 and runs the Conti.News data leak site. According to Nikkel, the group gains initial access through stolen RDP credentials and phishing emails carrying malicious attachments.
“They are more kind of a low and slow attack, more similar to a nation-state attack in that way. They are not necessarily very noisy. They are more of a human-operated attack versus some of the automated ones that are out there,” Nikkel said.
Conti is similar to nation-state threat actors - they do their homework and choose their targets carefully. The group attempts to find a buyer for the stolen data before posting it on its leak site.
Ireland’s HSE, Volkswagen Group, several US cities, counties, and school districts were affected by Conti.
“They often will target specific machines within the network. They will do some reconnaissance and figure out where the high pay-off, high-value targets are within the network and go after those. They are very targeted, and they know what they are looking for,” Nikkel said.
Conti has been observed inside victim networks for anywhere from a few days to several weeks before actually launching the ransomware.
“To make Conti a little bit more scary, they also use tools that are already available on the networks. This will be a lot of your system-specific tools, things of that nature that are already there and will blend in with a lot of noise that is already in your network. So you are not necessarily looking for malware at that point. You are looking for legitimate system tools,” Nikkel explained.
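Nikkel's point is that detection has to shift from spotting malware to spotting legitimate tools used in the wrong context. The Python script below is an added example for this article, not tooling from Digital Shadows or from any ransomware operator, and the article does not name the specific tools Conti used. It builds a baseline of which parent processes normally launch built-in Windows tools across a fleet (constructed data), then scores new process-creation events on three constructed rules: a system tool launched by a parent that rarely launches it, an Office application spawning a shell (the malicious-attachment path mentioned above), and command lines that look like domain discovery or remote execution. Flagged events are then grouped per host so that the span of activity, the days-to-weeks dwell time described above, becomes visible. Hostnames, timestamps, thresholds and command-line patterns are all assumptions made for the example.

```python
"""Hunting for abuse of built-in Windows tools ("living off the land").
Added example for this article, not tooling from Digital Shadows or any ransomware
group; baseline pairs, events, hosts, thresholds and patterns are all constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Built-in binaries whose presence alone is normal; only their context matters.
SYSTEM_TOOLS = {"cmd.exe", "powershell.exe", "wmic.exe", "net.exe", "nltest.exe",
                "whoami.exe", "schtasks.exe", "rundll32.exe", "ipconfig.exe", "ping.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wmic.exe", "rundll32.exe", "mshta.exe"}

# Illustrative discovery / remote-execution patterns (generic ATT&CK-style
# behaviour, not a claim about any particular group's playbook).
SUSPICIOUS_CMDLINE = {
    "domain_recon": re.compile(
        r"\bnltest\b.*/dclist|\bnet\s+group\b.*domain admins|\bnet\s+view\s+/domain", re.I),
    "privilege_check": re.compile(r"\bwhoami\b\s+/(?:groups|priv|all)\b", re.I),
    "remote_exec": re.compile(
        r"\bwmic\b.*\bprocess\s+call\s+create\b|\bschtasks\b.*/create\b.*\s/s\s+\S+", re.I),
    "encoded_powershell": re.compile(
        r"powershell.*\s-(?:e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
}

# Constructed "known-good" window: (parent, child) pairs observed across a fleet.
BASELINE_PAIRS = ([("explorer.exe", "cmd.exe")] * 40 + [("explorer.exe", "powershell.exe")] * 12
                  + [("cmd.exe", "ipconfig.exe")] * 15 + [("cmd.exe", "ping.exe")] * 9
                  + [("services.exe", "svchost.exe")] * 200 + [("cmd.exe", "whoami.exe")] * 2)


def build_baseline(pairs):
    """Count how often each parent launched each child during the good window."""
    return Counter((p.lower(), c.lower()) for p, c in pairs)


BASELINE = build_baseline(BASELINE_PAIRS)


def score_event(ev, baseline, min_count=3):
    """Return (score, reasons) for one process-creation event."""
    parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmdline"]
    score, reasons = 0, []
    if image in SYSTEM_TOOLS and baseline[(parent, image)] < min_count:
        score += 2                      # system tool launched by an unusual parent
        reasons.append(f"rare parent/child pair {parent} -> {image}")
    if parent in OFFICE_APPS and image in SHELLS:
        score += 3                      # malicious-attachment pattern
        reasons.append(f"office app {parent} spawned {image}")
    for name, pattern in SUSPICIOUS_CMDLINE.items():
        if pattern.search(cmd):
            score += 3                  # discovery or remote execution on the command line
            reasons.append(f"cmdline matches {name}")
    return score, reasons


def hunt(events, baseline, threshold=3):
    """Return the events whose score reaches the threshold, with scores attached."""
    flagged = []
    for ev in events:
        score, reasons = score_event(ev, baseline)
        if score >= threshold:
            flagged.append({**ev, "score": score, "reasons": reasons})
    return flagged


def summarize_by_host(flagged):
    """Group hits per host and measure how long the activity spanned (dwell time)."""
    by_host = defaultdict(list)
    for hit in flagged:
        by_host[hit["host"]].append(datetime.fromisoformat(hit["ts"]))
    return {host: {"events": len(ts),
                   "span_days": round((max(ts) - min(ts)).total_seconds() / 86400, 2)}
            for host, ts in by_host.items()}


def event(ts, host, parent, image, cmdline):
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmdline": cmdline}


# Constructed events: routine admin noise on ws01/ws02, a slow intrusion on ws07.
SAMPLE_EVENTS = [
    event("2021-06-01T08:55:00", "ws01", "explorer.exe", "cmd.exe", "cmd.exe /c ipconfig /all"),
    event("2021-06-01T09:12:00", "ws07", "WINWORD.EXE", "powershell.exe",
          "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0A"),
    event("2021-06-01T09:15:00", "ws07", "cmd.exe", "whoami.exe", "whoami /groups"),
    event("2021-06-02T10:00:00", "ws02", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    event("2021-06-03T22:40:00", "ws07", "cmd.exe", "nltest.exe", "nltest /dclist:corp.example"),
    event("2021-06-05T01:05:00", "ws07", "cmd.exe", "net.exe", 'net group "Domain Admins" /domain'),
    event("2021-06-09T03:36:00", "ws07", "cmd.exe", "wmic.exe",
          'wmic /node:fs01 process call create "cmd.exe /c dir c:\\"'),
    event("2021-06-09T08:00:00", "ws02", "cmd.exe", "ping.exe", "ping -n 1 dc01"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, BASELINE):
        print(hit["ts"], hit["host"], hit["image"], hit["score"], "; ".join(hit["reasons"]))
    print(summarize_by_host(hunt(SAMPLE_EVENTS, BASELINE)))
```

Run on the constructed events, every hit lands on ws07 and the activity spans more than a week, which is the kind of picture that never shows up in a malware-signature alert. The rare-pair cutoff and the score threshold are tuning knobs; more importantly, a baseline window that already contains attacker activity will teach the detector that the activity is normal, so build it from a period you have reason to trust.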
DarkSide – the spearhead of significant change
DarkSide began operating in August 2020 and gained notoriety around Q3-Q4 2020.
"They are looking for companies with the means to pay," Nikkel said.
DarkSide's biggest operation was the Colonial Pipeline breach in May 2021. Within days, the group said its blog, ransom collection site, and breach data infrastructure had been taken down at the request of law enforcement and that funds had been seized (at least $2M is publicly known). DarkSide announced its exit on 13 May 2021.
Alvarado believes that the Colonial Pipeline incident was the spearhead of significant change for ransomware groups. The Biden administration issued an executive order in an effort to tackle ransomware, and, he notes, ransomware was banned on the cybercriminal forums.
"Those two big things were a direct result of the Colonial Pipeline. I was under the impression that these big headlines aren't necessarily good publicity for these ransomware groups because you are increasing that magnifying glass on your organization. They are just trying to make money, from my understanding," he said.
But only a month later, another ransomware gang - the REvil group - went after JBS. A month after that, Kaseya was hit.
"It's like they are not scared of who they are targeting right now," he said.
Nikkel pointed out that ransomware groups now seem to be somewhat PR-savvy. In January, DarkSide announced it would not attack morgues, funeral homes, or healthcare institutions involved in COVID-19 vaccination.
"There's been more public contact in the media, direct contact with journalists, announcements that are on very public blogs, reaching out to customers and employees, and vendors of companies," he said.
REvil – the mysterious exit
REvil is believed to have succeeded GandCrab in 2019. Before the bans, it advertised on the XSS and Exploit forums. REvil is responsible for the JBS and Kaseya attacks; one of its first big hits targeted the law firm GSMS (Grubman Shire Meiselas & Sacks).
"This law firm represented a lot of different celebrities to include Donald Trump, several singers like Lady Gaga and Madonna, and a few other high-profile celebrities. They threatened to extort the data, the law firm refused, and then they started slowly publishing different documents to tease and show that they did have access to a lot of stuff," Nikkel said.
The JBS and Kaseya attacks involved some of the largest ransom demands ever documented.
"After the JBS attacks, there was an interview with the representative from REvil that said that they don't care about the sanctions, more strict laws and guidelines and things that were coming out through the law-enforcement community," Nikkel added.
“A lot of these groups have rebranded. They are doing the same stuff but under a new name,” Nikkel explained.
For example, DarkSide and REvil formed the BlackMatter ransomware group, Avaddon became Haron, DoppelPaymer is now Grief, and SynAck is now El Cometa.
“So many ransomware groups rebranded around the same time this July, and now we see the results of that. I imagine all these new groups are going to want to establish themselves and potentially increase targeting, activity, and increase the level of attack against larger organizations to rebuild that name,” Alvarado said.
He highlighted once more that ransomware operators are not scared of who they are targeting. All they have to do is change their name, come back with a new website and start working again.
“The reward certainly outweighs the risk right now, and as a result, ransomware is not going anywhere anytime soon,” he said.