[HEADS UP] Ransomware Gangs Partner to Extort Victims

According to Bleeping Computer, several ransomware crews are teaming up to split profits obtained in malicious attacks targeting public and private companies.

The ransoms paid after each of the attacks will then be split between the crews in equal shares.

Intel 471 categorized the ransomware gangs into three tiers, with over two dozen active ransomware-as-a-service (RaaS) gangs that are actively looking to outsource to ransomware affiliates. 

These gangs range from well-known groups to newly-formed variants that have risen from the failures of old, to completely new variants.

  • TIER 1: ransomware gangs are groups who have successfully raked in hundreds of millions in ransom over the last few years. RaaS crews included in the TIER 1 group are DoppelPaymer, Egregor, Netwalker/Mailto, and REvil/Sodinokibi.
    Ryuk is at the top of the rankings, with its payloads being detected in roughly one in three ransomware attacks during the last year. The group is also known for delivering their payloads as part of multi-stage attacks using Trickbot, Emotet, and BazarLoader infection vectors for an easy way into their targets' networks.
  • TIER 2: RaaS operations have slowly grown to a larger number of affiliates during 2020 and were involved in several confirmed attacks. Ransomware groups included in this tier are SunCrypt, Conti, Clop, Ragnar Locker, Pysa/Mespinoza, Avaddon, DarkSide (believed to be a splinter of REvil), and more. Just like the TIER 1 ransomware gangs, they are also using the data theft extortion tactic as a secondary extortion method.
  • TIER 3: RaaS crews are offering newly created to affiliates but, according to Intel 471, "there is limited to no information on successful attacks, volume of attacks, payments received or cost of mitigation." The groups tagged as emerging TIER 3 gangs include Nemty, Wally, XINOF, Zeoticus, CVartek.u45, Muchlove, Rush, Lolkek, Gothmog, and Exorcist.

Besides the ransomware gangs listed by Intel 471 as actively seeking partners, there are also emerging crews that should receive a dishonorable mention.

For instance, Dharma is a long-running strain that has been around since 2017 and is known as an offshoot of Crysis ransomware, which started operating in 2016. LockBit, another high-profile operation, surfaced in September 2019 as a private operation targeting enterprises and was later observed by Microsoft being used in attacks on healthcare and critical services.

Other RaaS operations left outside of Intel 471's tiers are Ragnarok, CryLock, ProLock, Nefilim, and Mount Locker, with all of them known to be active and involved in recent attacks.

These ransomware gangs have no end in sight and will continue to discover tricky ways to hack your users' network. With that said, new-school security awareness training can ensure your users learn how to report any suspicious activity and stay vigilant against social engineering attacks.

Bleeping Computer has the full story

Free Ransomware Simulator Tool

Threat actors are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

KnowBe4’s "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 24 ransomware infection scenarios and 1 cryptomining infection scenario and show you if a workstation is vulnerable.

Here's how it works:

  • 100% harmless simulation of real ransomware and cryptomining infections
  • Does not use any of your own files
  • Tests 25 types of infection scenarios
  • Just download the install and run it 
  • Results in a few minutes!
