5 Ransomware Groups You Should Know Of

Date: 30 June 2022


In the modern business context, Ransomware Attacks enjoy a particularly peculiar position amongst all other organisational challenges. 

They’re extremely damaging and absolutely unpredictable. 

You know that the intentions of the perpetrators are malicious yet you won’t know exactly what they are until after you’ve been attacked. 

You can try your best to prevent ransomware attacks by consistently evaluating your Ransomware Preparedness. However, as you invest your resources in prevention, you’re fully aware that the only thing that will probably protect you is effective incident response.

So while you’re trying your best to bolster defences, you are also simultaneously rehearsing what you’ll do when you’re attacked by way of Ransomware Tabletop Exercises.

But as ransomware prevention and protection continue to become a more complex mix every day, there is one time-tested strategy that always comes in handy: Knowing your enemy.

As part of our ongoing series of educational blogs on ransomware protection, this week we are focussing on the 5 major ransomware groups that are creating ripples across the globe at the moment.

Knowing about them, understanding their past attacks, intentions and methodologies can hopefully bring us a step closer to improving our capabilities in dealing with them and other similar criminals.  


5 Famous Ransomware Groups

1. Pandora: Pandora came into the limelight around March 2022 after successfully targeting some high-profile victims including the world’s second largest automotive parts supplier - Denso Corp.

Pandora typically infects and locks a file, leaving a note egging the victim to contact them for the decryption key. Researchers refer to Pandora’s tactic as “double extortion”, a technique in which the threat actor exfiltrates and encrypts the victim’s sensitive data, offering the decryption key only once the ransom is paid.

Many researchers also believe that Pandora is a possible rebrand of Rook ransomware as their Tactics, Techniques and Procedures (TTPs) have a lot in common. 

Ransomware groups usually rebrand or come up with new aliases when they come under too much scrutiny. That’s perhaps why Rook may have rechristened itself as Pandora, if at all. 

2. LockBit Ransomware: LockBit is highly malicious software that identifies vulnerable targets, spreads infection and encrypts data on all systems of a network. LockBit is generally used for highly-targeted attacks on bigger businesses and government organisations, rather than individual targets.

LockBit came under the scanner in 2019 when it was known as the “.abcd virus” as this was the file extension it used when encrypting a victim’s data.  

In 2022 alone, LockBit has managed to successfully unleash prominent attacks on French electronics multinational, Thales Group, the French Ministry of Justice and American tyre manufacturer, Bridgestone.   


3. BlackCat Ransomware: BlackCat is now widely acknowledged as a growing threat and a good example of the scourge of Ransomware-as-a-Service (RaaS). 

BlackCat is also one of the few ransomware families written in the modern programming language called ‘Rust’. This helps it escape detection especially by more traditional security solutions which are still playing catch-up in their ability to analyse this language. 

BlackCat has already created quite a few ripples in 2022. Amongst the most prominent of BlackCat ransomware attacks was the one on Italian fashion house, Moncler. While the attack began late last year, the ransomware group leaked the company’s data in January this year when it didn’t make the ransom payment of $3 million. 

German oil organisations, Oiltanking and Mabanaft, were severely hit by an alleged BlackCat attack in February 2022. 233 gas stations across Germany were affected when the two sister organisations’ systems were compromised. The Federal Office for Information Security (BSI) said, in an internal report, that the BlackCat ransomware group was behind the attack.  

4. Lapsus$: A supposedly teenager-led ransomware group, Lapsus$ is considered to be behind some high-profile attacks recently. The ransomware group claims to have breached the likes of Nvidia, Ubisoft and Samsung amongst others.

Most recently, it came into the spotlight for compromising the internal network of Authentication Services provider, Okta and gaining access to the source code of Microsoft products Bing and Cortana. 

As several companies and users across the globe use Okta services for securing their identity, the magnitude of this breach and the implications it could have were significant. The ransomware group didn’t leak the company’s sensitive data but it posted screenshots to show it had gained access to customer data and to boast about the ability to reset passwords and access admin panels. 

In the case of Microsoft, allegedly, the ransomware group leaked 40 GB of data belonging to the tech giant. Microsoft clarified that it doesn’t rely on the secrecy of the code to reduce risk in any way and confirmed that customer code or data had not been compromised. 

Many researchers and security experts prefer to call Lapsus$ an extortionist group as their attacks involve theft of data and threats of leak in case ransom payments are not made.  


5. Vice Society: Vice Society is a ransomware group that encrypts victim data and provides decryption access only if the ransom is paid. Vice Society has been targeting many schools and government institutions in 2022. 

After attacking Missouri School, the group leaked sensitive information including social security numbers of its workforce because apparently the school didn’t pay a good enough ransom. 

Personal data of UK’s Durham Johnston school students and teachers was also leaked in a similar fashion as the school refused to pay a ransom. 

Most recently, Vice Society added the city of Palermo in Italy, to its list of victims. This attack impacted 1.3 million people and tourists in the city as all internet-based services had to be taken offline to contain the damage.   


While this list merely scratches the surface when it comes to awareness of Ransomware groups, it does reiterate the point that these groups are growing in number and sophistication with every passing minute. On top of this, the rise of Ransomware-as-a-Service further means that anyone with even basic skills can download a kit online and unleash an attack on your business.

While the idea here is certainly not fear-mongering, it’s important to highlight the urgent need for businesses to improve their ransomware readiness. To start with, investing in a ransomware readiness assessment is a good way to get an accurate picture of where you really stand in terms of technology and training preparedness. 

We also have several ready-to-use resources such as a Ransomware Readiness Checklist that covers 9 key points which you can use to boost your preparedness immediately. 

Training staff in ransomware response should also be top priority today. Chances of your business/organisation being compromised are really high as is clear from the examples discussed earlier.

In light of these recent events, it’s important that your IT team and Incident Response team know how to react effectively and contain the damage when cyber-criminals strike. Our Ransomware Response Checklist and Ransomware Response Workflow are handy resources that can be downloaded and printed for easy recall in times of chaos.

At Cyber Management Alliance, we also offer specialised Ransomware Tabletop Exercises that help our clients rehearse their response plans and strategies and become better prepared to deal with a ransomware attack.
