New Report Profiles Ransomware Cybergangs
That old adage about crime never paying could not be further from the truth, at least in the case of modern-day cybercriminals. Crime is more profitable than ever for bad actors who use ransomware as a weapon.
Emsisoft estimates that the true global cost of ransomware in 2020 will fall between US$42 billion and nearly $170 billion, once business interruption is counted alongside the ransom payments themselves.
According to a report released Wednesday by managed detection and response firm eSentire, 66 percent of victims admitted to paying part or all of the ransom.
The report, authored by eSentire's threat research team, the Threat Response Unit (TRU), found that six ransomware gangs have claimed at least 290 new victims this year. The combined spoils could earn the hackers up to $45 million.
eSentire researchers collaborated with dark web researcher Mike Mayes to identify and track the Ryuk/Conti, Sodin/REvil, CLOP, and DoppelPaymer ransomware groups. Additionally, they tracked two newly formed cybergangs known as DarkSide and Avaddon.
The DarkSide gang should bring back some memories. It is the group responsible for the ransomware attack on Colonial Pipeline earlier this month.
eSentire's TRU and Mayes found that between January 1 and April 30 of this year, the six groups collectively claimed 292 new victim organizations. The average ransom paid, according to the researchers, rose from $115,123 in 2019 to $312,493 in 2020, a 171 percent year-over-year increase.
"There are many more successful ransomware attacks that compromise businesses than the general public is aware of. There is no industry or business that is not a potential target of these organizations," said Mark Sangster, vice president at eSentire.
Booming Business for Hackers
Ransomware attacks are a common occurrence. Victims frequently keep quiet about paying, out of embarrassment or fear of losing public trust. The hacker groups, on the other hand, are not shy about announcing successful attacks on their own blogs and leak sites.
The eSentire report highlights three attacks from the previous three months:
Tata Steel: In April, the Sodin/REvil ransomware group compromised the company. Tata Steel refused to pay the $4 million ransom.
Broward County School District: In March, the Ryuk/Conti gang compromised the district. The district refused to pay the $40 million demanded by the threat actors.
Quanta Computer: The manufacturer of Apple's next-generation MacBooks was also hit by Sodin/REvil. In April, the hackers allegedly demanded $50 million from Quanta and, when the company declined, turned to Apple with the same demand.
Even so, the researchers noted that despite increased media coverage of ransomware, the victim organizations named in the press are a drop in the bucket compared to the actual number of incidents.
One ransomware incident that occurred last month but went unreported involved a small privately held company in the United States. According to a high-ranking employee of the organization who requested anonymity, the threat actors demanded $12 million, which the company paid.
Cyberthreat intelligence (CTI) has become a critical component of cybersecurity programs as cyberattacks evolve at a breakneck pace. Without intelligence, organizations are flying blind through extremely stormy skies, according to Dov Lerner, security research lead at Cybersixgill.
"On a strategic level, CTI enables executives to comprehend the threat landscape and assess their organizations' vulnerabilities. On a more tactical level, CTI is used to detect and block malicious indicators of compromise," Lerner told TechNewsWorld.
As more daily transactions and activities move online, dark web actors will have more opportunity to consume and exploit sensitive data posted on underground platforms, he added. The underground cybercrime economy is growing at a breakneck pace, and the pandemic and economic crises may push more threat actors into illicit financial activity and, more recently, radical political discourse.
No Doubt About Successes
Sangster said his researchers are convinced that the organizations these groups claim to have compromised are genuine victims, for several reasons:
The report details numerous files and documents that the ransomware groups claim to have stolen from victim companies, and all of them appear to be authentic.
The researchers observed threat groups posting a victim on their leak site and, sometimes weeks later, the named organization publicly admitting it had suffered a ransomware attack.
Fabricating victims would be counterproductive for these groups. If they posted organizations on their leak site that had not actually been compromised, word would spread quickly and no victim would pay.
"Our security research team, TRU, and dark web researcher Mike Mayes descended into the dark web and spent considerable time analyzing the blog/leak sites of these six ransomware groups, as well as the TTPs of these groups that we have gleaned from tracking them since they began their crime spree," Sangster explained.
The researchers have just concluded their work and are sharing the findings with various law enforcement agencies, he added.
Expanded Attack List
eSentire and Mayes found that the six ransomware groups monitored for this report are no longer limited to the usual suspects: state and local government, school districts, law firms, hospitals and healthcare organizations. Their target list has expanded to manufacturers, transportation/logistics companies, and construction firms in the United States, Canada, South America, France, and the United Kingdom.
The following summarizes the victims each group has claimed as a result of this expanded target list:
Ryuk/Conti
The Ryuk/Conti ransomware group first appeared in August 2018. Its early targets were mostly organizations based in the United States, including technology firms, healthcare providers, educational institutions, financial services providers, and a variety of state and local government entities.
This year alone, the gang has targeted 352 organizations and compromised 63 businesses and private-sector organizations. TRU examined 37 of Ryuk's 63 victims and found that 16 of them were manufacturers, producing goods ranging from medical devices and industrial furnaces to electromagnetic radiation equipment and school administration software.
Ryuk reportedly compromised companies involved in transportation/logistics, construction, and healthcare in 2021.
Sodin/REvil
This year, Sodin/REvil has claimed 161 new victims, including 52 manufacturers and a handful of healthcare organizations, transportation/logistics companies, and construction firms. In March, the group hit Acer, a manufacturer of computers and electronics, and demanded a $50 million ransom.
When Quanta Computer, which manufactures Apple's notebook computers, refused to negotiate, the Sodin criminals reportedly turned to Apple for the ransom. On their blog, "Happy Blog," the Sodin hackers warned that if they were not paid, they would publish what they claimed were technical specifications for current and future Apple hardware.
DoppelPaymer
The DoppelPaymer ransomware group was first identified in 2019. According to the group's own leak site, it has compromised 186 victims since its debut, 59 of them in 2021 alone. Numerous state and local government agencies, as well as several educational institutions, are among the victims.
The FBI issued a warning in December 2020, stating that "Since late August 2019, unknown actors have used DoppelPaymer ransomware to encrypt data from victims in critical industries worldwide, including healthcare, emergency services, and education, disrupting citizens' access to services."
Many of the small and medium-sized businesses the group claims as victims have never been reported in the press, nor have many of the public-sector entities. The Illinois Attorney General's office is one of the exceptions, having discovered a DoppelPaymer attack on April 10, 2021.
Clop (Cl0p)
Clop ransomware first appeared in February 2019 and gained widespread attention in October 2020, when its operators became the first group to demand a ransom in excess of $20 million. The victim, German technology company Software AG, refused to pay.
Clop made headlines this year for poring over victims' stolen data to harvest contact details for the victim's customers and partners, then emailing those third parties to urge them to press the victim into paying.
DarkSide
DarkSide is a relatively new ransomware group. eSentire's TRU began tracking it in December, less than a month after it surfaced. On their blog/leak site, the operators claim 59 victim organizations in total, 37 of them compromised in 2021.
Victims are located in the United States, South America, the Middle East, and the United Kingdom, and span a wide range of sectors, including energy companies, apparel manufacturers, and travel companies.
Late on May 13, the DarkSide blog/leak site went offline. The DarkSide operators claimed they had lost access to the infrastructure needed to run their operation and were forced to shut down, citing disruption by a law enforcement agency and pressure from the United States. Before the site's demise, the operators consistently stated that their malware was distributed under a ransomware-as-a-service model.
The DarkSide operators cast themselves as a kind of Robin Hood, claiming to target only profitable businesses that can afford to pay a ransom. According to eSentire's report, the operators have also stated that they will refrain from attacking hospitals, palliative care facilities, nursing homes, funeral homes, and companies involved in developing and distributing the Covid-19 vaccine.