Classes of Ransomware

Intel 471 recently released a report outlining the most popular, the up-and-coming, and some of the deep cuts in the ransomware world. The report separates the groups into three tiers based on how prevalent and successful they have been, but all of these groups work the same way: by specializing and delegating tasks.

The lowest tier includes the likes of CVartek.u45, Exorcist, Gothmog, Lolkek, Muchlove, Nemty, Rush, Wally, XINOF, and Zeoticus. These groups have received little publicity for their attacks, but their advertising exists and persists, so it stands to reason that they are functional and operating. The main deviation from the other tiers is that they do not publish the data stolen from victims who refuse to pay the ransom, and that very little information is available about their supposed victims.

The next tier includes the rising stars of the Ransomware as a Service (RaaS) world: Avaddon, Conti, Clop, DarkSide, Pysa/Mespinoza, Ragnar, Ranzy, SunCrypt, and Thanos. These are the names to keep an eye on. They have confirmed successful attacks and run their own leak blogs for the "expose and shame" tactic: publishing stolen data to embarrass victims who do not pay the ransom, and to give their threats against future victims the credibility to back them up.

The final tier includes the heaviest hitters, with whom all our readers should be familiar. This rogues' gallery includes DoppelPaymer, Egregor/Maze, Netwalker, REvil, and Ryuk.

DoppelPaymer runs the Dopple Leaks blog and was behind the attack widely reported as the first death linked to ransomware. Egregor/Maze announced their retirement from the cybercrime scene, but have an impressive record, including attacks on Barnes & Noble, Crytek, and Ubisoft.

Netwalker began in September 2019 and follows an efficient pattern: spear phishing a target to establish a foothold, then following up with a fileless attack (the payload runs in memory rather than being written to disk) that works against Windows 7 and later. Netwalker also has an "individual mode", which locks a single device and sells only the key to that device, as opposed to its "network mode", which encrypts an entire network and offers either individual keys or a master key for use with its decryption tool.

REvil has been seen exploiting the widely abused BlueGate vulnerability and working with other groups that obtain initial access to networks for it to infect. By separating these tasks, REvil has seen its profits rise from the tens of thousands per target to the millions.

Lastly, the Ryuk ransomware has been seen in conjunction with TrickBot, Emotet, and, most recently, BazarLoader. Ryuk has been observed working with up to three teams: one to run the spam campaigns that infect victims, one to spread the attack through the corporate network, and a last one to deploy the ransomware and conduct the negotiations.

Criminals working together is always a concern; as the age-old adage says, "Teamwork makes the dream work." Keeping up to date on the various groups and how they divide their labor is critical to maintaining vigilance against their tactics.