The Top 15 Ransom Kings

Inside the World of The Top 15 Most Dangerous Ransomware Groups

Despite the efforts of authorities to combat ransomware, there are still many groups operating fearlessly, seemingly untouchable by law enforcement. These groups continue to launch attacks and extort victims, often targeting large organizations and government entities. To shed light on this shadowy world, we've collaborated with the Syhunt Icy team, experts in monitoring the dark web for leaks, to profile the top ransomware gangs. In this exclusive article, we take a deep dive into the origins, traits and evolution of these criminal organizations, examining their history, tactics, and achievements, as well as the number of victims they've exposed and the programming languages they use. From financially motivated groups to those with political agendas, these gangs are a constant threat to the cybersecurity of individuals and organizations.

Ransom King: "I'm the one who locked down all your company's files and made them disappear. But don't worry, I got 'em all safe and sound. You want them back? It's gonna cost you."
CEO: "How dare you! Do you know how much damage you've caused? We've lost thousands of dollars and our reputation is in shambles!"
Ransom King: "Yeah, yeah, yeah, I know all that. But that's the cost of doing business, right? And you know what, I ain't done yet. I got all that juicy data on all your clients, their personal information, and financial details. If you don't pay up, I'm gonna release all of it to the public. Imagine the damage that'll do to your company."
CEO: "You can't be serious. That's extortion! We'll go to the authorities and have you arrested!"
Ransom King: "Ha! Good luck with that. I'm untraceable. But let's not get all negative here. You pay up, I'll give you the decryption key, and everyone's happy. And hey, if you don't want any more trouble, I suggest you throw in a little extra for my silence. You know what I'm sayin'?"
CEO: "This is blackmail! I can't believe you're doing this."
Ransom King: "Believe it. You got 24 hours to pay up or else. And remember, I'm watching you. Don't even think about going to the Feds, or else it's game over for you and your company."

Welcome to the dark underbelly of the digital age: the world of ransomware gangs. The fictional dialog above serves as an example of the aggressive and unlawful tactics used by some ransomware gangs. These cybercriminals have found a lucrative niche in the digital landscape, using malware and extortion to bleed millions of dollars from unsuspecting victims. But make no mistake: these are not the Robin Hoods of the cyber world; they are ruthless and dangerous actors that threaten the stability of our digital society. In this article, we'll pull back the curtain on some of the key players in this shadowy industry and take a closer look at their methods, motives, and the impact they're having on organizations and individuals around the world.

These groups are considered a serious threat by cybersecurity experts, and organizations are advised to take steps to protect themselves from being targeted by these groups, including regularly updating their software, implementing strong security measures, and regularly backing up important data. It's also crucial to have incident response plans in place in case of an attack, which should include a professional ransomware incident response team to handle the situation.

These groups use tactics to mask their true origin and location, such as routing traffic through VPNs or compromised machines in different countries. As a result, the location attributed to a group is usually based on analysis of the group's infrastructure and of the language used in ransom notes and other communication with victims. The leading groups are known to use advanced techniques to infiltrate networks and evade detection, such as layering encryption on their traffic and spreading operations across many different command-and-control servers. With the growing trend of Ransomware as a Service (RaaS), these groups are expected to become more active and target more organizations.

The following are the top players in the ruthless world of ransomware, actively targeting healthcare, manufacturing, government, information technology, energy, and other sectors.


#1 LockBit: The Top Recruiter in the Ransomware Ecosystem

Aliases: ABCD
Formation: 2019
Location: Russia
Data Exfiltrated: 61 TB [1]
Victims Exposed: 885 [2]
Programming Language(s): Assembly, Origin C
Affiliations: none listed

LockBit is one of the most active ransomware groups today. The group is known for its savvy recruitment and marketing strategies, which include partnering with network access brokers, collaborating with other criminal organizations, and even recruiting insiders from targeted companies. Researchers suspect that an insider helped the group gain access to Accenture’s network in the 2021 attack against the firm [3].

Another notable tactic employed by LockBit is its sponsorship of underground technical writing contests, which serves as a recruitment tool for the group to attract top-tier hackers to join its ranks. With these tactics, LockBit has cemented its position as one of the most professional and organized cybercriminal groups in the world.

  • LockBit's operators have targeted organizations around the world since its formation, including the UK, US, Ukraine and France.
  • The group's malware employs a two-step encryption process to secure the files it exfiltrates. First, it uses the Advanced Encryption Standard (AES) to encrypt the files. Next, it encrypts the AES key used to encrypt the files using the RSA encryption algorithm. To generate the AES key, the group uses the BCryptGenRandom function, a widely used and secure method for generating cryptographically strong random numbers.
  • The malware intentionally avoids attacking systems in Russia or any other countries within the Commonwealth of Independent States (CIS).
  • The group primarily uses compromised servers or Remote Desktop Protocol (RDP) accounts that are obtained through affiliates or purchased on the dark web. However, the group is also known to employ more traditional methods such as spamming emails and brute-forcing insecure RDP or Virtual Private Network (VPN) credentials. Furthermore, the group has been observed exploiting a vulnerability in Fortinet VPN software (CVE-2018-13379) to gain access to target networks.

LockBit Strains

New strains of the malware are constantly emerging:

  • LockBit 1.0 renames files with the “.abcd” extension name.
  • LockBit 2.0 adopted the “.LockBit” file extension and added faster and more efficient encryption, along with the StealBit malware, which automates data exfiltration. LockBit 2.0 was developed using the Assembly and Origin C programming languages [4]. Origin C is an ANSI C compatible programming language that also includes elements of C++ and C#.
  • The group released a Linux version of LockBit 2.0 to target VMware ESXi hypervisor systems in October 2021, coded exclusively in the C programming language.
  • LockBit 3.0, also known as LockBit Black, uses multi-threading for faster encryption. Researchers also found that LockBit 3.0’s code is very similar to that of the BlackMatter and DarkSide [5] ransomware.

#2 Cl0p: The Ransomware Group That Survived The Police Crackdown

Aliases: Cl0p
Formation: 2019
Location: Russia, Ukraine
Data Exfiltrated: N/A [6]
Victims Exposed: 129 [7]
Programming Language(s): C/C++
Affiliations: TA505, FIN11, UNC2546, UNC2582

Clop is a ransomware that evolved as a variant of the CryptoMix ransomware family [8] and was first observed in February 2019 in an attack campaign run by the attack group known as TA505 [9]. The English word "clop" is similar in sound to the Russian and Bulgarian word "клоп", which means "bug".

Unlike many other ransomware groups, Clop doesn't seem to be interested in regular users; it is homing in on enterprises. Why? The answer, it seems, lies in their financial potential. With deep pockets and valuable data, enterprises present a tempting target for a group looking to profit from cybercrime. The list of targeted data includes private backups, financial records, thousands of emails and even vouchers. According to a researcher at FireEye, the Clop group doesn't have its own affiliate program, meaning they don't share their ransomware with other cybercriminals. The group is believed to run the whole hacking operation from start to finish and appears to halt its activities during Russian holidays.

In April 2020, the individuals behind Clop attempted the double extortion tactic for the first time. This tactic involves not only encrypting a victim's data but also threatening to publicly release it if a ransom is not paid. They targeted a pharmaceutical company and made their move by publicly leaking their stolen data on a leak site. In March 2021, the group made headlines by leaking data stolen from cybersecurity firm Qualys [10].

A coordinated global effort to take down ransomware cartels led to the arrest of six suspected Clop members in Ukraine in June 2021 [11]. The operation, conducted by a coalition of law enforcement agencies and private partners across five continents, marked a significant blow to the group's operations. When the arrests were made, the Ukrainian police raided 21 buildings and homes near Kyiv allegedly connected to the Clop ransomware group [12]. Authorities swooped in and seized a cache of high-end computers and luxury vehicles, along with $185,000 in cash. The six individuals taken into custody are facing a litany of charges stemming from their alleged involvement in the ruthless ransomware operation and the subsequent laundering of money. These cybercriminals could be looking at up to eight years behind bars for their activities.

However, despite the arrests, Clop's cyber criminal activities have continued [13]. According to Syhunt research, the group has exposed a total of 129 victim organizations on its leak site. Recently, in January 2023, the group added among other victims the NYC Bar Association to its site [14].

  • The Clop group targets organizations with a revenue of $5 million (USD) or higher.
  • The Clop ransomware is distributed through executable files that have been verified with a digital signature, which can make it appear more trustworthy and possibly evade defenses.
  • It uses AES to encrypt the files.
  • It terminates itself if the Russian language is detected on the compromised system.
  • Vulnerabilities targeted by the group include the Accellion File Transfer Appliance (FTA) vulnerabilities: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104, and the Serv-U remote code execution (RCE) vulnerability (CVE-2021-35211).
  • It is a popular payload for groups such as FIN11 and other Russian affiliates.

#3 Vice Society: The Outsourcer Outlaw Targeting The Education Sector

Aliases: V-Society
Formation: 2021
Location: Russia
Data Exfiltrated: N/A [15]
Victims Exposed: 99 [16]
Programming Language(s): C++ (outsourced)
Affiliations: none listed

The Vice Society gang first emerged on the cybercrime scene in the summer of 2021. Vice Society operates differently from its peers in the cybercrime underworld. Rather than crafting their own bespoke malware, they've been known to leverage forks of pre-existing ransomware families, procured from the shadowy corners of DarkWeb marketplaces. These nefarious tools of the trade include the HelloKitty (also known as FiveHands) and Zeppelin strains of ransomware, which the group deploys as part of its attack chain.

In 2022, the group was seen disproportionately targeting the education sector, prompting the FBI to publish an alert [17] [18]. By the end of the year, the group introduced a new strain, dubbed "PolyVice" by malware researchers, that uses a custom, strong hybrid encryption scheme based on NTRUEncrypt and ChaCha20-Poly1305 [19].

An analysis by researchers at SentinelOne revealed that PolyVice has extensive code similarities to the Chilly and SunnyDay ransomware, with a 100% match on functions [20], and has been developed by an experienced and knowledgeable malware creator. The variations in campaign-specific elements, such as the file extension, ransom note name, hardcoded master key, and wallpaper, bolster the theory of a common vendor at play.

  • PolyVice uses multi-threading for parallel symmetric data encryption, to rapidly encrypt victims' data by harnessing the full power of their processors.
  • Encrypted files are appended with a .v-society or .ViceSociety extension.
  • Vulnerabilities targeted by the group include the CVE-2021-34527 vulnerability, also known as PrintNightmare.
  • Initial demands by this actor could exceed $1 million USD.
  • The strains used by the group have elements written in C++.
  • Syhunt researchers identified a total of 99 victim organizations that were exposed by the group in their leak site.

#4 Ragnar Locker: The Ransomware Group Hiding in a Virtual Machine

Aliases: Ragnarok, Viking Spider
Formation: 2019
Location: Russia
Data Exfiltrated: 19.6 TB [21]
Victims Exposed: 45 [22]
Programming Language(s): C++
Affiliations: none listed

In December 2019, a new player entered the world of cybercrime: the ransomware group Viking Spider. They quickly made a name for themselves by using a strain of ransomware known as Ragnar Locker to infiltrate and extort organizations. They introduced a new tactic, installing their own virtual machine (VM) into victim environments to evade detection and launch their attacks. This marked the first time a ransomware attacker had employed this tactic. But Viking Spider's tactics also included using Facebook ads to pressure victims into paying the ransom. This was a new and highly effective way employed by the cybercriminal group to ratchet up the pressure on victims.

A virtual machine is like a computer within a computer: it allows multiple operating systems to run on the same physical machine. The group can use the virtual machine to remain persistent on the victim's network even after the attack, making it harder for the victim to remove the ransomware and regain control of their network.

As if that weren't enough, Viking Spider also stands out for conducting DDoS attacks alongside ransom attacks. This two-pronged approach further increases the pressure on victims, making it clear that the group is willing to use any means necessary to extort organizations.

With their use of advanced tactics and their willingness to use multiple forms of attack, Viking Spider has become one of the most dangerous ransomware groups in the cybercrime landscape.

  • The Ragnar Locker ransomware has dealt a devastating blow to critical infrastructure in the United States, with at least 52 businesses across multiple sectors falling victim to their attacks, according to the FBI [23], and, according to Syhunt researchers, at least 45 businesses were exposed by the group on their leak site.
  • The encryption process employed is AES with a dynamically generated key, which is then wrapped up using RSA encryption.
  • It filters out Russian and Chinese targets by utilizing the Language ID feature of the system.

#5 Lorenz: The Ransomware Group That Returns To The Cybercrime Scene

Aliases: none listed
Formation: 2021
Location: Unknown
Data Exfiltrated: N/A [24]
Victims Exposed: 53 [25]
Programming Language(s): C/C++
Affiliations: sZ40

Lorenz is a ransomware believed to be a rebranding of the sZ40 ransomware that was discovered in October 2020. Some researchers also believe that the Lorenz group is made up of the same individuals behind the now-defunct ThunderCrypt ransomware, which was observed in May 2017, while others believe that the ThunderCrypt ransomware source code was sold to the group [26].

The group is known to employ a multifaceted extortion strategy to pressure victims into paying up. They first make the stolen data available for purchase on the dark web, offering it up to other threat actors or potential competitors. But as time goes on, they ratchet up the pressure by releasing password-protected RAR archives containing the victim's sensitive information. If no ransom is paid, and the data is not purchased, Lorenz pulls the trigger, releasing the password for the data leak archives, making the stolen information publicly available for anyone to download. According to Syhunt researchers, Lorenz has exposed a total of 53 victims on its leak site.

The group is known to plant backdoors while the window of opportunity exists and to use this tactic to return long after the victim has applied the necessary security updates and removed the ransomware infection [27].

  • Lorenz ransomware payment demands have ranged from $500,000 to $700,000 USD.
  • Prior to the deployment of the ransomware, the group attempts to infiltrate and move laterally throughout the organization while planting backdoors.
  • The group mostly targets English-speaking countries and is known to customize the malware code for the specific organization they are targeting.
  • It uses a combination of RSA and AES-128 in CBC mode to encrypt files on an infected system.
  • A decryption tool for 2021 and 2022 versions can restore some types of files affected by Lorenz. The decryptor was released by the project No More Ransom, a joint project by law enforcement agencies including Europol's European Cybercrime Center.
  • Vulnerabilities targeted by the group include a Mitel VoIP flaw (CVE-2022-29499).
  • It is written in C++ likely using Microsoft Visual Studio 2015 [28].

Name Origin

Lorenz is a Germanic interpretation of the Latin moniker Laurentius. The roots of Lorenz can be traced back to the Latin word "laurus," meaning "laurel." In ancient Greece, the laurel was a symbol of victory, often used to crown the champions of the Olympic games. As such, the name Laurentius, and its Germanic counterpart Lorenz, carries with it connotations of triumph and success. But the legacy of Lorenz extends far beyond its linguistic origins. It is also famously associated with Edward Lorenz, an American mathematician and meteorologist who pioneered the study of chaotic systems, and with the Lorenz system, which displays chaotic behavior. Thus, Lorenz is not just a name, but a symbol of victory, both in the past and in the field of science.

#6 LV: The Ransomware With Modified REvil DNA

Aliases: LockerVault
Formation: 2020
Location: Eastern Europe
Data Exfiltrated: 9.3 TB [29]
Victims Exposed: 66 [30]
Programming Language(s): C++
Affiliations: none listed

The LV ransomware group has quickly risen to prominence as a Ransomware-as-a-Service (RaaS) provider, filling the void left by the disappearance of the REvil ransomware group. But new findings by researchers at Secureworks suggest that the group's success may have been built on stolen goods. It appears that the LV group may have pirated the malware code of their rival, REvil.

This is an ironic turn of events in the world of cybercrime, where one group has had its own malware appropriated without authorization by another group. Furthermore, the process of stealing REvil's ransomware appears to have been relatively straightforward, requiring only reverse engineering skills and basic tools such as a hex editor.

Known for their Ransomware-as-a-Service (RaaS) operations, the group also resorts to initial access brokers (IABs). IABs are third-party actors that sell access to organizations' networks, allowing the group to bypass traditional methods of intrusion and infiltrate the target's systems with ease.

According to experts, the malicious actor intended to gain unauthorized access to the networks of entities in Canada, Europe, and the U.S., deploy ransomware on them and extort payment [31].

  • In August 2022, the LV ransomware group made headlines with their successful attack on the German multinational semiconductor manufacturer Semikron. The group claimed to have stolen 2 TB worth of sensitive documents from Semikron, adding to the already significant damage caused by their ransomware infection.
  • Vulnerabilities targeted by the group include ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065).
  • According to researchers [32], the LV Ransomware authors were able to replace the encrypted configuration file stored inside the REvil/LV ransomware executable, without any access to or knowledge of the REvil source code.

#7 Snatch: The Ransomware Group With A Taste for Cinema

Aliases: none listed
Formation: 2018
Location: Russia
Data Exfiltrated: 6 TB [33]
Victims Exposed: 53 [34]
Programming Language(s): Go
Affiliations: none listed

The Snatch ransomware group made headlines at the end of 2021, when they announced on their data leak site that they had successfully breached the networks of a major automobile manufacturer and stolen a significant amount of sensitive information. The group was known to use a well-known method of intrusion: RDP (Remote Desktop Protocol) credential brute-forcing. This technique involves using automated tools to repeatedly guess login credentials until the correct ones are found, allowing the attackers to gain access to the targeted system.

The Snatch ransomware group has employed a new technique to evade detection during their encryption process. The ransomware executable forces the targeted Windows machine to reboot into Safe Mode before beginning the encryption process. This technique allows the attackers to circumvent endpoint protection software, which often won't run in Safe Mode, making it harder for organizations to detect and stop the attack.

Experts discovered that earlier versions of the ransomware featured a ransom note with an email address referencing Boris The Blade, a character from the 2000 film "Snatch". The handle "Bullet Tooth Tony" used by a group's message board poster is another nod to the film. In the film, Boris The Blade is a ruthless and highly skilled assassin, known for his proficiency with knives and blades. Bullet Tooth Tony is a ruthless and highly skilled criminal who is feared by many of the other characters in the film. The character is known for his coolness under pressure and his sharp wit, qualities that might be admired by the cybercriminal.

  • Written in the Go programming language.
  • The ransomware uses OpenPGP. Analysis of the malware's binaries revealed the presence of hardcoded PGP public key blocks [35].
  • Their ransom demands (in Bitcoin) ranged in value from $2,000 to $35,000 USD.
  • The binaries are packed with the open-source packer UPX to obfuscate their contents. Packing an executable with UPX may draw attention from antivirus software because it is a technique often used by malware authors to evade detection, and antivirus software companies have developed methods to detect UPX-packed files and flag them as potentially malicious.
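To show the kind of heuristic an antivirus engine can apply to the UPX-packed binaries described above, here is an added example (not code from the original article, from Syhunt, or from any group profiled here) that walks a PE file's section table and flags stock UPX section names and the "UPX!" packed-header magic. The PE images it scans are constructed inline for the demo, and the function names are my own.

```python
import struct

# Section names that stock UPX writes into the packed PE (assumption for the
# demo: a build of UPX patched to rename its sections defeats this heuristic,
# which is why the "UPX!" magic is checked as a second signal below).
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def build_demo_pe(section_names, trailer=b""):
    """Build a minimal, constructed PE image (not a real sample) with the
    given section names, just enough for a section-table parser to walk."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew -> "PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    opt_size = 0xE0                                      # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0,
                       opt_size, 0x0102)
    sections = b""
    for name in section_names:
        # IMAGE_SECTION_HEADER is 40 bytes: an 8-byte Name then nine DWORDs
        sections += name.encode("ascii")[:8].ljust(8, b"\x00") + b"\x00" * 32
    return bytes(dos) + b"PE\x00\x00" + coff + b"\x00" * opt_size + sections + trailer


def pe_section_names(data):
    """Return the section names of a PE image; raise ValueError if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if coff + 20 > len(data):
        raise ValueError("COFF header truncated")
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        names.append(data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace"))
    return names


def upx_indicators(data):
    """Collect the signals an AV-style scanner would use to flag UPX packing."""
    hits = []
    try:
        for name in pe_section_names(data):
            if name in UPX_SECTION_NAMES:
                hits.append(f"section {name}")
    except ValueError:
        return hits                     # not a parseable PE: nothing to report
    # UPX also stores a "UPX!" magic in its packed header; builds that rename
    # the sections frequently leave this marker behind.
    if b"UPX!" in data:
        hits.append("UPX! magic")
    return hits


def looks_upx_packed(data):
    return bool(upx_indicators(data))


# Constructed inputs: a UPX-style layout and an ordinary compiler layout.
PACKED_SAMPLE = build_demo_pe(["UPX0", "UPX1", ".rsrc"], trailer=b"UPX!\x0d\x0e")
CLEAN_SAMPLE = build_demo_pe([".text", ".rdata", ".data", ".rsrc"])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, pe_section_names(blob), upx_indicators(blob))
```

A hit from this check is a triage signal, not a verdict: plenty of legitimate software ships UPX-packed, so it belongs in a scoring pipeline alongside unpacking and behavioral analysis.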

#8 BlackCat: The Group Managed by a Former Member of REvil

Aliases: AlphaV, ALPHV, AlphaVM, ALPHV-ng, Noberus, Coreid, FIN7, Carbon Spider
Formation: 2021
Location: Eastern Europe
Data Exfiltrated: 4.8 TB [36]
Victims Exposed: 71 [37]
Programming Language(s): Rust
Affiliations: none listed

Known as the Most Sophisticated Ransomware of 2021, BlackCat was the first ransomware to be fully coded in the Rust programming language. The language's built-in support for concurrent programming, low-level control over the system, low AV detection rates, and ability to target multiple platforms and architectures have made it an attractive choice for the development of malware, which the BlackCat group decided to explore.

The group is thought to be a successor of the infamous DarkSide and BlackMatter groups. It is also suspected to be recruiting from the ranks of REvil.

During the first months of 2022, BlackCat managed to infiltrate over 60 organizations in a short period of time, prompting the FBI to release a warning about the threat it represented [38]. In February 2022, German news publication Handelsblatt reported that 233 gasoline stations across northern Germany had been hit by the BlackCat ransomware. The supply chain attack resulted in the halting of operations and the forced rerouting of supplies to other depots. According to Syhunt researchers, over 70 organizations were listed by the group on their leak site.

BlackCat also claimed responsibility for an attack on an Italian energy agency that advocates for renewable energy sources in September 2022. Prior to the attack, BlackCat reportedly claimed that it had exfiltrated roughly 700 GB of the agency's data.

  • BlackCat's attacks have been detected in multiple locations globally, but organizations based in the US lead the victim count, followed by some in Europe and Asia-Pacific.
  • Their ransom demands range from a staggering $400,000 USD to a jaw-dropping $3 million USD.
  • Known not only to encrypt victims' files but also to threaten DDoS attacks and data leaks, a method known as triple extortion.
  • Known for exploiting vulnerabilities in a variety of widely used systems, including Windows operating systems and servers, Exchange Servers, and Secure Mobile Access products. This includes CVE-2016-0099, CVE-2019-7481, CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523 [39].
  • BlackCat uses two encryption algorithms, AES and ChaCha20 (a 20-round stream cipher with a 256-bit key), to encrypt the victim's files. It also supports six encryption modes.
  • BlackCat’s primary data exfiltration tool, called ExMatter, was originally used by the BlackMatter and Conti groups.
  • It has been reported that the BlackCat admin is a former member of REvil.

#9 Quantum: A Merger of Ransomware Franchises

Aliases: none listed
Formation: 2021
Location: Russia
Data Exfiltrated: N/A [40]
Victims Exposed: 55 [41]
Programming Language(s): Visual Basic
Affiliations: Mount Locker, AstroLocker, XingLocker

Operating on a RaaS model, this malware has been particularly successful in compromising healthcare organizations. Quantum ransomware is linked to the Quantum Locker operation, which has undergone several rebrands over the years, including AstroLocker, MountLocker, and XingLocker [42].

Researchers believe that Quantum is the result of a merger between Quantum Locker and several members of Conti's former penetration testing group, Conti Team Two [43]. Before the rebrand, researchers had discovered that the malware known as Mount Locker was at the top of the hierarchy, with two affiliates, XingLocker and AstroLocker Team, using the base malware and a common infrastructure, but with their own branding [44].

This strategy allows these cyber criminals to expand their reach and target more victims while also allowing them to evade detection and attribution. By franchising their malware, these groups are able to operate under different names and with different branding, making it more difficult for law enforcement and cybersecurity firms to track them down. The use of a franchise business model in the world of cybercrime is not new, but it is becoming increasingly popular among ransomware operators.

One of the group's most notable attacks was against LineStar Integrity Services, which occurred around the same time as the high-profile Colonial Pipeline attack. The LineStar attack, however, went largely unnoticed, with details being disclosed by the transparency advocacy group DDoSecrets [45].

By posing as legitimate organizations and using social engineering, Quantum has been able to infiltrate and compromise a number of high-profile targets.

  • The victim's files are encrypted by the malware using the ChaCha20 algorithm, and the encryption keys for those files are further secured with RSA-2048 encryption.
  • Written in Visual Basic 6 [46].

#10 Everest: Climbing To The Top Of The Ransomware Ecosystem

Aliases: none listed
Formation: 2021
Location: Russia
Data Exfiltrated: N/A [47]
Victims Exposed: 63 [48]
Programming Language(s): C#
Affiliations: BlackByte

Earlier reports had linked this malware to the sophisticated Everbe 2.0 family, a group of related strains that includes Embrace, PainLocker, EvilLocker, and Hyena Locker. These strains have been used to target a wide range of victims, including businesses and government agencies.

But a new analysis by researchers at NCC Group suggests a different origin for this ransomware. After recovering and analyzing an Everest ransomware file, the researchers assessed with medium confidence that the malware is related to the RaaS operation known as BlackByte [49]. According to Syhunt research, the BlackByte group exposed 43 victim organizations.

Over the years, the BlackByte group's malware, adopted by the Everest group, has undergone multiple transformations, with the first known version written in C#. Later the group released two Go-based variants. The most recent Go variant, introduced in February 2022, featured significant modifications to its encryption algorithm.

  • In August 2021, the Brazilian government was hit by the group, with the national treasury and the network of the Attorney General of the National Treasury both falling victim to the Everest ransomware.
  • The Everest group was observed using legitimate compromised user accounts and Remote Desktop Protocol (RDP) to move laterally within the target network.
  • The group is known to use phishing emails or to exploit the unpatched ProxyShell vulnerabilities in Microsoft Exchange Servers to gain initial access into a victim's system.
  • In its earlier days, the BlackByte group made the mistake of using the same key in each campaign to encrypt files, making it relatively easy for researchers to create a decryptor to help victims. This forced BlackByte to change its encryption method in newer variants. The group relied heavily on AES, a symmetric key algorithm.

#11 RansomExx: The Memory-Run Fileless Ransomware Targeting Organizations Worldwide

Aliases: Ransom X, Defray777
Formation: 2018
Location: Unknown
Data Exfiltrated: N/A [50]
Victims Exposed: 47 [51]
Programming Language(s): Rust, C++
Affiliations: Gold Dupont, DefrayX

The RansomExx ransomware gang has been lurking in the shadows since 2018 but captured attention in 2020 after targeting and infecting high-profile organizations including Gigabyte and StarHub.

In December 2020, the group launched a dark web leak site where they publicly shame victims who refuse to pay the ransom by publishing their stolen data. According to Syhunt researchers, a total of 47 victims have been exposed on the group's leak site since its creation.

In November 2022, version 2.0 of RansomExx was spotted by malware analysts. Completely rewritten in Rust, the RansomExx2 variant offers the same functionality as its C++ predecessor, but with one major difference: improved stealth. The shift to the Rust programming language not only improves its ability to evade detection but also makes it more challenging for security researchers to analyze [52].

  • The RansomExx malware encrypts files using AES-256, with RSA used to protect the encryption keys.
  • The cybercriminals behind RansomExx also developed the PyXie malware, Vatet loader and Defray ransomware strains.
  • The group's ransomware is usually delivered as a secondary in-memory payload without ever touching the disk, making it harder to detect [53].
  • RansomExx has impacted organizations in North America, South America, Asia, Europe and Oceania.

Links with Gold Dupont group

The ransomware group is believed to be linked to Gold Dupont, a financially motivated cybercriminal group that specializes in post-intrusion ransomware attacks [54]. Active since November 2018, the group's modus operandi is to establish initial access into victims' networks by leveraging stolen credentials to remote access services such as virtual desktop infrastructure (VDI) or virtual private networks (VPN) [55]. This technique allows the group to bypass traditional perimeter defenses and gain a foothold into the target network, allowing them to move laterally and exfiltrate sensitive data.

#12 AvosLocker: The Rising Ransomware Group That Accidentally Hit the Police, And Apologized for It

Aliases:
Formation: 2021
Location: Russia (likely)
Data Exfiltrated: N/A [56]
# Victims Exposed: 89 [57]
Programming Language(s): C/C++
Affiliations:

The AvosLocker group emerged on the dark web in July 2021, featuring a logo with a purple bug on its dark web site. AvosLocker initially targeted Windows systems before expanding its reach to include Linux-based variants. Today, the group operates through a network of affiliates and shares profits with a select group of developers. Researchers have observed the group trying to recruit individuals on a known Russian hacker forum.

In December 2021, one of the group's affiliates targeted a US government police agency without the operators' permission. The group immediately posted an apology and published the decryptor for free, claiming that it was not part of their agenda. "You should note, however, that sometimes an affiliate will lock a network without having us review it first," the AvosLocker operator told BleepingComputer [58].

In March 2022, the group's targeting of organizations across several critical infrastructure sectors prompted the FBI and the U.S. Treasury Financial Crimes Enforcement Network to release a joint advisory [59].

According to Syhunt research, the group's leak site on the dark web lists a total of 89 victims around the world, in countries including the United Kingdom, Germany, Canada, China, Spain, Belgium, Turkey, UAE, Syria, Saudi Arabia, and Taiwan. It is rumored that in some cases AvosLocker's corporate victims have received phone calls from the criminals themselves, encouraging them to visit the group's leak site.

  • AvosLocker utilizes spam or phishing emails as the initial vector to deliver the ransomware payload.
  • The group is known to use AnyDesk (a legitimate remote administration tool) to connect to victims' machines.
  • The group's ransomware is a console-based 32-bit application developed in C/C++ [60].
  • Vulnerabilities targeted by the group include the Zoho ManageEngine ADSelfService Plus vulnerability CVE-2021-40539; Veeam Backup and Replication software flaws (CVE-2022-26500 and CVE-2022-26501), likely for data exfiltration [61]; a server-side request forgery flaw in Exchange (CVE-2021-26855); several ProxyShell vulnerabilities including CVE-2021-34473, CVE-2021-31206, CVE-2021-34523, and CVE-2021-31207; and a series of Apache vulnerabilities related to Log4j (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832) [62].
  • It uses the salsa12 stream cipher to encrypt victim files. Older versions used AES-256-CBC and RSA to encrypt files and keys respectively.
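The combination described in the bullets above, a phishing e-mail as the initial vector followed by a legitimate remote administration tool such as AnyDesk, is hard to catch with signatures because nothing involved is malware. What stands out is context: where the tool runs from, what launched it, and whether IT sanctioned it on that host. The following is an added example, not code from the article's authors or from AvosLocker research; the process-creation events are constructed in the style of endpoint telemetry, and the field names, the approved-host list and the parent-process lists are assumptions you would replace with your own inventory.

```python
import ntpath

# Constructed process-creation events (Sysmon-style fields; not real telemetry).
EVENTS = [
    {"host": "FS01", "user": "CORP\\helpdesk",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS-042", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"host": "WS-017", "user": "CORP\\mlee",
     "image": r"C:\Users\mlee\Downloads\anydesk.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"host": "WS-042", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

# Remote administration tools to watch for (binary names, lowercase). Extend with
# whatever tools your environment does not sanction.
REMOTE_ADMIN_TOOLS = {"anydesk.exe"}

# Hosts where IT has approved the tool (constructed allowlist).
APPROVED_HOSTS = {"FS01"}

# Path fragments that indicate a user-writable location rather than a managed install.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")

# Parents that suggest the binary arrived by e-mail attachment, document or download.
MAIL_OFFICE_BROWSER = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe",
                       "chrome.exe", "msedge.exe", "firefox.exe"}


def evaluate(event):
    """Return the list of reasons this event is suspicious (empty if it is not)."""
    image = ntpath.basename(event["image"]).lower()   # ntpath handles Windows paths on any OS
    if image not in REMOTE_ADMIN_TOOLS:
        return []
    reasons = []
    if event["host"] not in APPROVED_HOSTS:
        reasons.append("unapproved_host")
    if any(marker in event["image"].lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append("user_writable_path")
    if ntpath.basename(event["parent"]).lower() in MAIL_OFFICE_BROWSER:
        reasons.append("parent_is_mail_office_or_browser")
    return reasons


def find_suspicious(events):
    """Return (host, user, image, reasons) for every event that trips at least one rule."""
    findings = []
    for e in events:
        reasons = evaluate(e)
        if reasons:
            findings.append((e["host"], e["user"], e["image"], reasons))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(EVENTS):
        print(finding)
```

On the constructed events the sanctioned install on FS01 is silent, while the two copies launched from Temp and Downloads by Outlook and Chrome each trip all three rules. The "unapproved host" rule alone is the most valuable in practice: an organization that records where remote-support tools are supposed to exist can alert on every other execution, regardless of path or parent.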

#13 BianLian: An Emerging Ransomware Group Skilled In Network Intrusion

Aliases:
Formation: 2021
Location: Unknown
Data Exfiltrated: N/A [63]
# Victims Exposed: 73 [64]
Programming Language(s): Go
Affiliations:

A new ransomware group operating under the name BianLian emerged on the cyber threat landscape in late 2021. According to Syhunt researchers, this threat actor has already been linked to a string of attacks, with over 70 alleged victims across a diverse range of industries including insurance, medicine, law, and engineering. Other researchers highlight that BianLian possesses exceptional skill in infiltrating networks but has only recently ventured into extortion and ransomware [65].

  • The group's ransomware is written in the Go programming language.
  • The group usually targets English-speaking countries, having already claimed victims in the United States, Australia, and the United Kingdom.
  • According to researchers, the BianLian ransomware raises the bar by encrypting victims' files with exceptional speed.
  • A malicious Android package (APK) with the same name has been identified and removed from the Google Play store, raising speculation about a possible link with the group. It installed the Anubis banking trojan [66].
  • BianLian members are known for a high skill level in network penetration. The group targets the chain of vulnerabilities known as ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). It has also been seen targeting SonicWall VPN devices and servers that provide remote network access via solutions such as Remote Desktop.

Name Origin

Bian Lian, also known as "face-changing," is a traditional Chinese performance art that has been captivating audiences for centuries. The technique involves the rapid, seamless switching of masks in a single performance, creating the illusion of a performer's face "changing" before the audience's eyes. The origins of Bian Lian can be traced back to the Sichuan province in southwestern China, where it was traditionally performed by actors in Sichuan opera. The name "Bian Lian" could symbolize the ability to quickly and seamlessly change identities or tactics, similar to how the performer changes masks in the traditional art form.

#14 Lapsus$: Not Exactly A Ransomware Group, But A Dangerous Attack Group

Aliases:
Formation: 2021
Location: England
Data Exfiltrated: +300 GB [67]
# Victims Exposed: 11+ [68]
Programming Language(s): N/A
Affiliations:

While it is often referred to as a ransomware group in reports, Lapsus$ stands out because it does not use ransomware in its extortion attempts. Instead, this group appears to be driven by a desire for notoriety rather than financial gain.

The Lapsus$ group doesn't rely on ransomware or encryption to achieve its goals. Instead, the group utilizes a combination of stolen credentials and social engineering tactics to gain access to victims. This has included soliciting employees on Telegram for login credentials at specific companies in a range of industries.

According to Syhunt researchers, other attack groups such as the lesser-known RansomHouse also make extortion work without ransomware, but have claimed a smaller number of victims [69].

  • Unlike ransomware groups, Lapsus$ is known for using the messaging app Telegram for public-facing communications, including recruitment and posting sensitive data from their victims.
  • On March 5, 2022, this threat actor made the bold move of publishing nearly 190GB of sensitive data allegedly obtained from the Korean technology giant Samsung [70].
  • On March 22, 2022, Lapsus$ made headlines for an audacious data dump. The group posted a file that it claimed contained partial source code for Microsoft's Bing and Cortana, in an archive holding nearly 37GB of data [71].
  • On March 24, 2022, the City of London Police made a significant breakthrough, arresting seven individuals aged between 16 and 21 in connection with an ongoing investigation into the Lapsus$ group. Among those taken into custody was an alleged prominent member of the group, going by the pseudonym "White," who was arrested in Oxford, England.

Unrealistic Claims

Syhunt's 2022 ransomware threat report also highlighted unrealistic claims made by the group: in December 2021, the group claimed to have exfiltrated 50 TB of data from Brazil's Ministry of Health. "Considering that the experienced REvil group has stolen 44.1 TB from 280 victims in two years of operation, it is not easy to believe that a newcomer has actually stolen 50 TB of data from a single victim", said Syhunt in its report [72]. The group has not yet provided proof of the 50 TB exfiltration and has only published 580MB of source code allegedly stolen from the victim.

#15 Cuba: The Russian Ransomware Group Pretending To Be Cuban

Aliases: Fidel
Formation: 2019
Location: Russia
Data Exfiltrated: N/A [73]
# Victims Exposed: 25 [74]
Programming Language(s): C/C++
Affiliations:

First observed in December 2019, Cuba is a ransomware group believed to be of Russian origin and affiliated with the high-impact threat actors RomCom and Industrial Spy [75]. Contrary to its moniker and other references to Fidel, the actors behind the Cuba ransomware have not demonstrated any link or association with the Republic of Cuba.

In November 2021, Cuba gained notoriety when the FBI posted an official notice about the group. Cuba has compromised over 100 entities worldwide, demanded over 145 million USD and received over 60 million USD in ransom payments, according to a joint report released by the FBI and CISA in December 2022. According to Syhunt research, the group has exposed approximately a quarter of its victims on its leak site.

In October 2022, the Ukrainian Computer Emergency Response Team (CERT-UA) issued a warning of a Cuba ransomware attack targeting the war-torn country. Victims were ensnared by phishing emails cleverly crafted to appear as if they originated from within the Ukrainian armed services [76].

  • Vulnerabilities targeted by the group include the ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) vulnerabilities; the group also abuses the Avast aswArPot.sys driver as part of its antivirus-disabling routine.
  • The ransomware uses a combination of Salsa20 and RSA, implemented with the LibTomCrypt library: files are encrypted with Salsa20, and the Salsa key is then RSA-encrypted so the files cannot be decrypted without the corresponding private key.
  • It is multithreaded for faster encryption and uses resource access synchronization to avoid file corruption.
  • The ransomware terminates itself when a Russian keyboard layout or language is detected on the victim's system.
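The last bullet describes a check that many Russia-linked families share: the malware inspects the keyboard layouts installed on the host and the system language, and exits if either is Russian. Analysts meet this in two forms, as a decompiled comparison against a language constant and as raw layout handle values in sandbox reports, so it helps to know how those values decode. The following is an added example written for this article, not code from any malware or from the Cuba researchers; the layout handles and language IDs in it are constructed samples. On Windows a keyboard layout handle (HKL) carries the input language identifier (LANGID) in its low 16 bits, and the primary language is the low 10 bits of that LANGID; Russian is primary language 0x19.

```python
import sys

LANG_RUSSIAN = 0x19  # Windows primary language identifier for Russian (LANG_RUSSIAN)


def primary_language_id(hkl):
    """Extract the primary language from a keyboard layout handle.

    Low 16 bits of the HKL = input language identifier (LANGID);
    low 10 bits of the LANGID = primary language (what PRIMARYLANGID() returns).
    """
    langid = hkl & 0xFFFF
    return langid & 0x3FF


def has_language(hkls, primary_lang):
    """True if any of the given layout handles belongs to the primary language."""
    return any(primary_language_id(h) == primary_lang for h in hkls)


def locale_kill_switch(layout_hkls, system_langid, lang=LANG_RUSSIAN):
    """Model the two conditions named in the text: a matching keyboard layout,
    or a matching system language. Returns which of them would be satisfied."""
    return {
        "keyboard_layout_match": has_language(layout_hkls, lang),
        "system_language_match": (system_langid & 0x3FF) == lang,
    }


def installed_layouts():
    """Enumerate the live layout list via user32!GetKeyboardLayoutList on Windows.

    Returns an empty list on other platforms so the rest of the module stays usable
    for decoding handles taken from a report.
    """
    if sys.platform != "win32":
        return []
    import ctypes
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    count = user32.GetKeyboardLayoutList(0, None)          # first call: how many handles
    buf = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, buf)               # second call: fill the buffer
    return [int(h or 0) & 0xFFFFFFFF for h in buf]


if __name__ == "__main__":
    # Constructed sample values: 0x04090409 is a US English layout, 0x04190419 a Russian one;
    # 0x0409 / 0x0419 are the corresponding LANGIDs for the system language.
    print(locale_kill_switch([0x04090409], 0x0409))
    print(locale_kill_switch([0x04090409, 0x04190419], 0x0409))
    print([hex(h) for h in installed_layouts()])
```

Decoding the handle rather than comparing it whole matters because the high word of an HKL identifies the physical layout, not the language, so a Russian layout can appear under more than one full handle value while the low 10 bits stay 0x19.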

It's important to note that this list is not exhaustive, and new ransomware groups are emerging all the time. These groups are prime examples of the growing threat of cybercrime and of the importance of staying vigilant and implementing robust security measures to protect against ransomware attacks. The origin of most of the groups is not confirmed and should be taken with a grain of salt: as with most ransomware groups, the true identity and origin of the actors behind them remain unknown.

Most groups are believed by researchers to be of Russian origin. While Russia denies accusations that it is harbouring most of these cybercriminals, a 2022 analysis by researchers at Chainalysis revealed that 74% of all money made through ransomware attacks in 2021 went to Russia-linked hackers [77].

This article was published by The Hunter on January 25, 2023. It has been written with contributions from the Syhunt Icy team.