Palo Alto’s Unit 42 researchers shed light on four emerging ransomware groups making the headlines this year. The discovery comes after extensive research and analysis of the underground, including web leak sites and fresh onion sites.
These ransomware-as-a-service operators pose a real threat to enterprise and organization networks, as well as critical infrastructure. As their business model is built on an “as-a-service” basis, these groups are currently looking for affiliates.
AvosLocker Ransomware Group
According to Palo Alto, this RaaS started operations in late June. It can be recognized by the blue beetle logo that the threat actors use in their communications with victims and press releases for recruiting new affiliates.
“AvosLocker was observed promoting its RaaS program and looking for affiliates on dark web discussion forums and other forums. Like many of its competitors, AvosLocker offers technical support to help victims recover after they’ve been attacked with encryption software that the group claims is “fail-proof,” has low detection rates and is capable of handling large files. This ransomware also has an extortion site, which claims to have impacted six organizations in the following countries: the U.S., the U.K., the U.A.E., Belgium, Spain and Lebanon. We have observed initial ransom demands ranging from $50,000 to $75,000,” Palo Alto’s Unit 42 said.
Hive Ransomware
This ransomware group is known for its double-extortion tactics, which first started this June. Since then, Hive ransomware has attacked 28 organizations currently listed on its extortion site. Victims include a European airline company and three U.S. organizations.
The ransomware gang utilizes several tools in its “extortion toolset” to pressure the victim into paying, including a countdown timer, the date of initial compromise, the date of the leak on its site, and the option to share the leak on social media.
HelloKitty Ransomware
HelloKitty is not a new ransomware group, as it can be traced back to 2020. It has mostly been targeting Windows systems, but a Linux variant was detected this July targeting VMware’s ESXi hypervisor.
This is not the only ransomware group exploiting VMware’s ESXi hypervisor. In February 2021, RansomExx operators utilized CVE-2019-5544 and CVE-2020-3992 in VMware ESXi. ESXi is a hypervisor that allows multiple virtual machines to share the same hard drive storage. There were also indications that the Babuk Locker ransomware gang is carrying out attacks based on a similar scenario.
LockBit 2.0 Ransomware
This is a well-known player in the ransomware-as-a-service field, which has been around for at least 3 years. Claiming to have one of the fastest encryption speeds on the market, LockBit 2.0 has impacted multiple industries, with 52 victims listed on its leak site. Victims include organizations in the U.S., Mexico, Belgium, Argentina, Malaysia, Australia, Brazil, Switzerland, Germany, Italy, Austria, Romania and the U.K., according to Unit 42’s data.
Earlier this month, the LockBit 2.0 gang hit Accenture, a global business consulting firm, and posted the company’s name and logo on its leak site. Accenture’s clients include 91 names of the Fortune Global 100, and at least three-quarters of the Fortune Global 500; some of its clients are Alibaba, Google and Cisco. It is one of the world’s leading tech consulting companies, with more than 500,000 employees across 50 countries.
“With major ransomware groups such as REvil and Darkside lying low or rebranding to evade law enforcement heat and media attention, new groups will emerge to replace the ones that are no longer actively targeting victims,” Palo Alto’s Unit 42 concluded.
Another trend worth paying attention to is ransomware operators’ recent efforts to recruit company employees. According to a report by Abnormal Security, a Nigerian threat actor is trying to recruit an organization’s employees to deploy the Black Kingdom ransomware for a cut of the ransom profits.