The recent surge in ransomware attacks is an indication that threat actors have become bolder, more sophisticated and equipped with advanced extortion schemes. In its regular ransomware hunting operations, Palo Alto Networks' Unit 42 threat intelligence team identified four emerging ransomware gangs targeting organizations' critical digital infrastructure.
“We monitor the activity of existing groups, search for dark web leak sites and fresh onion sites, identify up-and-coming players and study tactics, techniques and procedures. During our operations, we have observed four emerging ransomware groups that are currently affecting organizations and show signs of having the potential to become more prevalent in the future,” Palo Alto said.
The Four Emerging Ransomware Groups
1. AvosLocker – AvosLocker entered the cybercrime scene in June 2021 as a ransomware-as-a-service (RaaS) operation, recruiting affiliates to carry out intrusions on its behalf. The group also runs a leak site for extortion, which claims six victim organizations across the U.S., Spain, Lebanon, the U.K., the U.A.E., and Belgium. Ransom demands observed from this group range from $50,000 to $75,000.
2. Hive – Active since June 2021, this double-extortion ransomware has impacted 28 organizations across Europe and the U.S. Hive
3. HelloKitty – First spotted in early 2020, the HelloKitty ransomware group has mainly targeted Windows systems. In July 2021, researchers found a Linux variant of HelloKitty that targets VMware's ESXi hypervisor, which is widely used in cloud and on-premises data centers; encrypting the hypervisor lets a single infection take down every virtual machine it hosts. The group has impacted five organizations in Australia, Germany, Italy, the Netherlands, and the U.S. Its highest observed ransom demand was $10 million, and it has received $1.48 million in ransom payments so far.
4. LockBit 2.0 – LockBit 2.0, the latest version of the LockBit ransomware originally known as ABCD, has been involved in multiple extortion schemes lately. It has claimed over 52 victims across the U.S., Mexico, Belgium, Argentina, Malaysia, Australia, Brazil, Switzerland, Germany, Italy, Austria, Romania, and the U.K. The gang operates a ransomware-as-a-service (RaaS) model, recruiting affiliates, and openly soliciting company insiders, to carry out intrusions. Recently, the group targeted the global IT consultancy giant Accenture and compromised some of its networks. Attackers reportedly compromised servers holding over 6TB of data and demanded a $50 million ransom in exchange for the decryption key and for not leaking the stolen data.
“With major ransomware groups such as REvil and Darkside lying low or rebranding to evade law enforcement heat and media attention, new groups will emerge to replace the ones that are no longer actively targeting victims. While LockBit and HelloKitty have been previously active, their recent evolution makes them a good example of how old groups can re-emerge and remain persistent threats. Unit 42 will continue to monitor these ransomware families – and new ones that may emerge in the future,” Palo Alto added.
It’s high time governments and organizations collectively disrupt these new ransomware groups before they cause damage to nations’ critical digital assets.