According to Bleeping Computer, several ransomware crews are teaming up to split profits obtained in malicious attacks targeting public and private companies.
The ransoms paid following each attack will then be split between the participating crews in equal shares.
Intel 471 categorized the ransomware gangs into three tiers, covering over two dozen active ransomware-as-a-service (RaaS) gangs that are looking to recruit ransomware affiliates.
These gangs range from well-known groups, to newly formed variants that rose from the failures of older ones, to completely new variants.
- TIER 1: ransomware gangs that have successfully raked in hundreds of millions in ransom over the last few years. RaaS crews included in the TIER 1 group are DopplePaymer, Egregor, Netwalker/Mailto, and REvil/Sodinokibi. Ryuk is at the top of the rankings, with its payloads detected in roughly one in three ransomware attacks during the last year. The group is also known for delivering its payloads as part of multi-stage attacks, using Trickbot, Emotet, and BazarLoader infections as an easy way into its targets' networks.
- TIER 2: RaaS operations that slowly grew to a larger number of affiliates during 2020 and were involved in several confirmed attacks. Ransomware groups included in this tier are SunCrypt, Conti, Clop, Ragnar Locker, Pysa/Mespinoza, Avaddon, DarkSide (believed to be a splinter of REvil), and more. Like the TIER 1 ransomware gangs, they also use data theft as a secondary extortion method.
- TIER 3: RaaS crews offering newly created ransomware to affiliates but, according to Intel 471, "there is limited to no information on successful attacks, volume of attacks, payments received or cost of mitigation." The groups tagged as emerging TIER 3 gangs include Nemty, Wally, XINOF, Zeoticus, CVartek.u45, Muchlove, Rush, Lolkek, Gothmog, and Exorcist.
Besides the ransomware gangs listed by Intel 471 as actively seeking partners, there are also emerging crews that deserve a dishonorable mention.
For instance, Dharma is a long-running strain that has been around since 2017 and is known as an offshoot of Crysis ransomware, which started operating in 2016. LockBit, another high-profile operation, surfaced in September 2019 as a private operation targeting enterprises and was later observed by Microsoft being used in attacks on healthcare and critical services.
Other RaaS operations left outside of Intel 471's tiers are Ragnarok, CryLock, ProLock, Nefilim, and Mount Locker, with all of them known to be active and involved in recent attacks.
These ransomware gangs show no sign of stopping and will continue to find new ways into your users' network. With that said, new-school security awareness training can ensure your users learn how to report suspicious activity and stay vigilant against social engineering attacks.
Bleeping Computer has the full story.