Unpacking the Ten Most Dangerous Ransomware Gangs

By Josh Breaker Rolfe
Content Writer, Bora | Jun 13, 2024 03:16 am PST

Ransomware gangs pose a massive threat to businesses, with 59% of organizations reporting an attack in 2023. To protect against ransomware attacks, organizations must understand the groups that launch them and their tactics. So, let’s unpack the top 10 most dangerous ransomware gangs.

What is Ransomware?

First, we must understand what ransomware is. Ransomware is malicious software that encrypts a victim’s data, blocking access until the victim pays a ransom. Attackers typically demand ransoms in the form of cryptocurrency to retain their anonymity.

Ransomware attacks have three stages: infection, encryption, and ransom.  

  • Infection – Common methods include phishing emails, exploit kits, compromised Remote Desktop Protocol (RDP), and malicious advertisements.
  • Encryption – Once executed, ransomware encrypts files using algorithms (e.g., RSA, AES) and leaves a ransom note with payment instructions.
  • Ransom Demands – The note details the ransom amount, usually in cryptocurrency, and extortion threats such as data deletion or leakage if victims fail to pay the ransom.

What is Ransomware-as-a-Service (RaaS)?

Most ransomware gangs are RaaS operations. Ransomware-as-a-Service (RaaS) is a business model in which cybercriminals create and distribute ransomware tools for others to use in attacks. Clients, who often lack technical expertise, pay to access these tools – typically finding suppliers on the dark web – and share some of their ransom earnings with the RaaS providers.

Criteria for Ranking Ransomware Gangs

The rankings below are based on each gang’s performance and innovation:

Performance:

  • RaaS Platform: The relative maturity of the RaaS platform to successfully execute an attack, disrupt significant portions of a targeted network, and evade detection. 
  • Attack Volume: Attack campaign volume and percentage of successful attacks.
  • Ransom Demands: The dollar value of ransom demands and estimated revenue. 

Innovation:

  • RaaS Platform Development: Evidence of continued development and improvement of the RaaS platform and tactics, techniques, and procedures (TTPs). 
  • Targeted Industries: The effectiveness of target selection for consistently realizing high dollar ransom demands/payments. 
  • Economic Model: The effectiveness of business models, R&D and recruiting efforts, and technical support services for affiliates.

The Top 10 Most Dangerous Ransomware Gangs

Based on the above criteria, here are the current top 10 most dangerous ransomware gangs as of the end of Q1-2024: 

1. Play

The Play ransomware gang first appeared in the summer of 2022 and has compromised over 300 organizations. They typically exploit unpatched Fortinet SSL VPN vulnerabilities to gain access to target organizations. Play continued to increase attacks throughout Q1-2024 and is one of the most active ransomware groups today. The group broke a record at the beginning of March 2024—launching a massive attack that hit 16 victims simultaneously.

2. LockBit 

LockBit emerged in 2019 and excels in evading security tools, encrypting files quickly, and utilizing multiple means of extortion. It is by far the most prolific ransomware group in history, boasting some of the world’s most influential companies as its victims, including Boeing, the Taiwan Semiconductor Manufacturing Company, and SpaceX. In February 2024, law enforcement from 10 countries disrupted LockBit’s criminal operations, freezing more than 200 linked cryptocurrency accounts and arresting two people. It remains to be seen whether LockBit will recover.   

3. Black Basta

Black Basta is an anomaly because it only works with a limited group of highly vetted affiliate attackers. They employ unique TTPs for ingress, lateral movement, data exfiltration, and deployment of ransomware payloads. Black Basta exceeded $107 million in ransom revenue from more than 90 victims in less than two years. 

4. 8Base

8Base saw a huge activity spike in the second half of 2023. Research suggests they are an offshoot of more experienced RaaS operations, most likely RansomHouse. Throughout Q4-2023, 8Base used a new variant of the Phobos ransomware payload, often delivered with SmokeLoader.

5. Akira

First emerging in 2023, Akira is most notable for deploying an extortion platform with a chat feature for direct negotiation with victims. Interestingly, victims who pay Akira the requested ransom will receive an explanation of how the criminal group breached their systems. Akira typically demands ransoms of between $200,000 and $4 million.

6. Medusa

Although Medusa was inconsistent throughout the first half of 2023, attack volumes surged in the latter half. They typically compromise victim networks through brute-forcing RDP credentials, malicious email attachments (macros), torrent websites, or malicious ad libraries.
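Brute-forcing of RDP credentials, as described above, leaves a recognizable trail in Windows Security logs: a burst of failed logons (event ID 4625) from one source, sometimes followed by a success (4624). The following detection sketch is an added example, not part of the original article; the simplified CSV log format, the sample records, the threshold, and the time window are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real logs): time, Windows Security event ID,
# logon type, source IP, account. 4625 = failed logon, 4624 = successful logon.
SAMPLE = """\
2024-06-01T02:00:01,4625,3,203.0.113.7,administrator
2024-06-01T02:00:03,4625,3,203.0.113.7,admin
2024-06-01T02:00:05,4625,3,203.0.113.7,backup
2024-06-01T02:00:08,4625,3,203.0.113.7,svc_sql
2024-06-01T02:00:11,4625,3,203.0.113.7,jsmith
2024-06-01T02:00:15,4624,10,203.0.113.7,jsmith
2024-06-01T09:12:00,4625,10,198.51.100.20,mlee
2024-06-01T09:12:30,4624,10,198.51.100.20,mlee
"""

REMOTE_LOGON_TYPES = {"3", "10"}   # 3 = network (RDP with NLA), 10 = RemoteInteractive
THRESHOLD = 5                      # assumed: failures per source within WINDOW
WINDOW = timedelta(minutes=5)      # assumed sliding window


def detect_rdp_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return alerts for sources with >= threshold failed remote logons in window,
    noting the first account that logged on successfully from that source afterwards."""
    failures = defaultdict(deque)  # source IP -> timestamps of recent failures
    alerts = {}                    # source IP -> alert dict
    for line in log_text.strip().splitlines():
        ts, event_id, logon_type, src, user = line.split(",")
        if logon_type not in REMOTE_LOGON_TYPES:
            continue
        when = datetime.fromisoformat(ts)
        if event_id == "4625":
            recent = failures[src]
            recent.append(when)
            while when - recent[0] > window:   # drop failures outside the window
                recent.popleft()
            if len(recent) >= threshold and src not in alerts:
                alerts[src] = {"source": src, "first_seen": recent[0],
                               "compromised_account": None}
        elif event_id == "4624" and src in alerts:
            # Success after a burst of failures: treat the account as compromised.
            if alerts[src]["compromised_account"] is None:
                alerts[src]["compromised_account"] = user
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE):
        print(alert)
```

A single mistyped password followed by a success, like the second source in the sample, stays below the threshold and raises no alert.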

7. Hunters International

Hunters International operates as a Ransomware-as-a-Service (RaaS), emerging from the remnants of the Hive ransomware group. It utilises a sophisticated platform that leverages Hive’s infrastructure and capabilities, including data exfiltration and double extortion techniques. Hunters International has quickly escalated its attack frequency, targeting a broad range of industries and geographies, indicating a significant operational capacity.

8. BianLian

The BianLian ransomware gang is interesting because, in early 2023, they abandoned the ransomware payload portion of their attacks in favor of data exfiltration and extortion attacks. They have used this technique successfully, launching attacks on organizations such as Air Canada, CMC Marine, and International Biomedical Ltd.

9. Cactus

Cactus only appeared in March 2023 but has quickly amassed many victims, including SCS Spa, OmniVision Technologies, and The Hurley Group. It employs Living-off-the-Land techniques to abuse legitimate network tools like Event Viewer, PowerShell, Chisel, Rclone, and Scheduled Tasks. It typically drops an SSH backdoor on systems for persistence and communication with the C2 servers.

10. INC Ransom

INC Ransom was first observed in the summer of 2023, and it is unclear if they maintain a RaaS affiliate operation or are a closed group. INC instructs victims to log into a Tor portal with a unique user ID provided by the attackers. It is unclear what the average ransom demand is at this point.

How Organizations Can Protect Themselves from Ransomware Gangs

To protect yourself from ransomware gangs, consider the following strategies:

  • Endpoint and Anti-Ransomware Protection: Deploy an anti-ransomware solution alongside existing Endpoint Protection Platforms (EPP/EDR/XDR) to bridge the gaps in ransomware-specific coverage.
  • Patch Management: Keep all software and operating systems up to date and patched.
  • Data Backups: Ensure critical data is backed up offsite and protected from corruption in the case of a ransomware attack.
  • Access Control: Implement network segmentation and policies of least privilege (Zero Trust).
  • Awareness: Implement an employee awareness program to educate against risky behaviors, phishing techniques, etc.
  • Resilience Testing: Regularly test solutions against simulated ransomware attacks to ensure effective detection, prevention, response, and full recovery of targeted systems.
  • Procedure Testing: Plan and prepare for failure by running regular tabletop exercises and ensuring all stakeholders are ready and available to respond to an attack at all times.

In conclusion, understanding ransomware gangs is crucial to protecting against them. The consequences of a ransomware attack can be enormous: ransom payments can reach millions of dollars, customers can entirely lose faith in your ability to protect their information, and regulators can demand exorbitant legal fines. Remember, stay informed and vigilant to avoid disaster.