A series of four emerging ransomware groups have caught the attention of researchers with Palo Alto Networks' Unit 42.
In research published Tuesday, the Unit 42 team profiled four ransomware packages, dubbed AvosLocker, Hive, HelloKitty and LockBit 2.0, that could potentially fill the voids left by the notorious and now-defunct DarkSide and REvil gangs. The emerging quartet is an equal mixture of cybercriminal groups that operate on their own and ransomware-as-a-service (RaaS) operations that create the malware and outsource the actual hacking to others.
Unit 42 expects that all four of the operations will probably be menacing companies for some time.
"During our operations, we have observed four emerging ransomware groups that are currently affecting organizations and show signs of having the potential to become more prevalent in the future," researchers Doel Santos and Ruchna Nigam said in a blog post.
As its name suggests, LockBit 2.0 is an operation that has been around for some three years. Despite the LockBit moniker, however, the outfit previously went by the name ABCD. Unit 42 said LockBit 2.0 recently rose in prominence thanks to what is described as a "slick marketing campaign." Its victims have been spotted in Europe, the U.S. and South America.
The most colorfully named of the four, the HelloKitty crew, does its own hacking. The hackers are said to be largely targeting Linux systems. The malware looks to infect servers and then tells admins to contact either a Tor site or a ProtonMail address for payment instructions. It also creates the unenviable situation of a CISO having to explain to the board how their company was just hacked by "Hello Kitty."
Also operating as a self-contained hacking outfit, the Hive crew is particularly nasty in its choice of targets, according to Unit 42, going after healthcare operations and smaller companies. Like more established ransomware groups, Hive practices "double extortion," encrypting organizations' data while also threatening to publicly expose sensitive data. Those who fall victim to the attackers are directed to a login page to contact a "support agent." How the hackers get into networks, however, remains a mystery.
"We don't yet have information on how Hive ransomware is being delivered, but ransomware operators are known for buying access to certain networks, brute-forcing credentials or spear-phishing for initial access," the researchers explained.
The newest of the four is AvosLocker, having only caught the attention of researchers about seven weeks ago. The RaaS outfit, which also has a data leak site for double extortion purposes, was found on a crimeware forum seeking out affiliates to spread what they described as "fail-proof" malware that infects Windows machines. The ransom demands are said to range from $50,000 to $75,000.
Santos and Nigam noted that all four of the emerging ransomware groups are coming onto the scene at a particularly opportune time, as the crews that were big players previously are all no longer in business.
"With major ransomware groups such as REvil and Darkside lying low or rebranding to evade law enforcement heat and media attention, new groups will emerge to replace the ones that are no longer actively targeting victims," they said.