Ransomware Gangs: Here’s What You Need to Know About the World’s Most Dangerous Hackers
Since the ransomware epidemic really took off with the WannaCry attack, ransomware gangs have been getting more and more media attention. With damages from ransomware estimated to reach $30 billion USD in 2023, ransomware gangs are by far the most dangerous hackers in history.
Ransomware gangs have raked in billions of dollars in profits over the past decade. They have reinvested a lot of this money in becoming more sophisticated and well organized than ever.
Knowing about the behavior and methods of different ransomware gangs is important for many reasons. For one, knowing how they work can help to prevent attacks. Knowing the track record of specific gangs can also be very helpful for making decisions about whether or not to negotiate with them.
Origin and History of Ransomware Gangs
To understand why ransomware gangs have become so dangerous, you have to understand how cryptocurrency changed the criminal economy.
In the past, hackers were limited in what they could do by the banking system. The only way to send money electronically was through banks, which meant accounts could be frozen and transactions reversed.
Cryptocurrency changed all of that. Suddenly, it was possible to send money anonymously, to and from anywhere with an internet connection.
This made it easier to commit crimes, since hackers could demand money from victims without having a bank account linked to their identity. However, the most important change was that it allowed ransomware gangs to get much bigger and more specialized.
For example, hackers could now buy and sell services and software. Some gangs could specialize in breaking into networks. Others could develop software for evading antivirus software. Others could specialize in extortion. And they could all market and sell these services to each other anonymously.
This eventually reached the point where hackers could recruit, pay salaries, and even raise venture capital, selling shares in criminal enterprises. This has created a kind of “Silicon Valley for hackers.” This situation has been a real threat multiplier for the cybersecurity landscape.
Most Dangerous Ransomware Gangs
Another factor that has made ransomware gangs much more dangerous is nation-state backing. Geopolitical rivalry has led countries like Russia, Iran, and North Korea to either back ransomware gangs, or turn a blind eye to their activities.
The Lockbit ransomware gang is widely viewed as one of the most active gangs. It was blamed for over 30% of all known ransomware attacks in 2022. The gang is said to have close ties to Russia.
Lockbit first appeared in 2019, calling itself the “ABCD” gang, since encrypted files on its victims computers had the file extension .abcd. Lockbit is actually a ransomware as a service operation, which means it works with many affiliates.
The affiliates may work without communicating all details with the developers— for example, in 2022 one Lockbit affiliate attacked a children’s hospital, and the developers released a free decryption key and claimed to have blocked the affiliate responsible for the attack. Perhaps there is some honor among thieves.
One of the reasons Lockbit is seen as especially dangerous is because it has a tendency to attack industrial infrastructure, including chemical plants. If control systems of such targets are affected by ransomware, it could lead to serious accidents.
Black Basta ransomware is believed to be composed of members of Conti and REvil (also known as Sodinokibi), which was behind one of the biggest ransom payouts in history after meat processor JBS was paralyzed by ransomware.
Black Basta is one of the most prolific users of the notorious “double extortion” technique. They target companies with sensitive data, and then threaten to make it public. As if that were not enough, they also commonly use DDoS attacks to put even more pressure on their victims.
Black Basta initially spread mainly through email phishing, but they have recently started exploiting software vulnerabilities as they move up to bigger targets.
Royal is a relative newcomer to the ransomware, but it has quickly made a name for itself, surpassing Lockbit in number of attacks in December, 2022. The gang is different from ransomware-as-a-service operations, and handles all aspects of attacks in house.
What makes Royal one of the most dangerous gangs around is their use of sophisticated phishing attacks. The gang contacts employees and impersonates food delivery services or subscription-based services. They then have the victims call the number to cancel the delivery or subscription, and in the process convince them to click a link which downloads malicious software.
Some ransomware groups try to avoid hitting sensitive targets like healthcare and energy infrastructure. This may be because they don’t want to attract extra attention from law enforcement, or maybe they have some ethics.
In any case, the creators of the Hive ransomware definitely are willing to hit any target, and have been known to shut down systems of health care facilities. They are also one of the most tech-savvy and well-organized gangs, using a custom API with portals for affiliates and victims, and dedicated “customer service” channels for communicating with victims.
They are also known for using “triple extortion” attacks, which involve using stolen data to contact clients or partners of the victim and threaten them, putting even more pressure on victims to pay the ransom.
The Ransomware arms race
It seems like ransomware gangs are getting more dangerous with each passing year. This has caused a kind of “arms race” as cyber security experts try to adapt. Unfortunately, for now, the ransomware gangs are winning.
So how can we turn this situation around? We can’t wait for governments or cyber security professionals to bail us out. This is a crisis affecting the whole world, and everyone has to do their part in confronting it.
The key to confronting this crisis is education, education, education. Most attacks occur because of lax security practices and lack of understanding about how attacks happen. Knowledge of cybersecurity needs to be seen as a fundamental job skill, like knowing how to use Microsoft Word or email.
There is only so much that management and IT leadership can do. When it comes to ransomware defenses, the chain is only as strong as the weakest link.