On Tuesday, Unit 42 researchers released a report about four new ransomware groups that can pose a threat to enterprises and critical infrastructure in the future.
“While the ransomware crisis appears poised to get worse before it gets better, the cast of cybercrime groups that cause the most damage is constantly changing,” Palo Alto Networks’ Unit 42 threat intelligence team said in a recent report. “Groups sometimes go quiet when they’ve achieved so much notoriety that they become a priority for law enforcement. Others reboot their operations to make them more lucrative by revising their tactics, techniques and procedures, updating their software and launching marketing campaigns to recruit new affiliates.”
One of the new entrants is AvosLocker, a ransomware-as-a-service operation. It started out in June with its “press releases” recruiting new affiliates. The group’s infrastructure is complete with a data leak and extortion site. The group has reportedly breached six organizations in Belgium, Spain, U.S., U.K., U.A.E., and Lebanon. Its ransoms range from $50,000 to $75,000.
Another group, Hive, which also appeared in the same month, has hit several healthcare providers and mid-size companies. Some of these include a European airline company and three U.S.-based companies. Its victims are located in China, Australia, India, Peru, Portugal, Switzerland, Netherlands, Norway, Thailand, and the U.K.
Unit 42 researchers also detected a Linux variant of the HelloKitty ransomware, whose operators were targeting Linux servers running VMware’s ESXi hypervisor.
“The observed variants impacted five organizations in Italy, Australia, Germany, the Netherlands and the U.S.,” Unit 42 researchers Doel Santos and Ruchna Nigam said. “The highest ransom demand observed from this group was $10 million, but at the time of writing, the threat actors have only received three transactions that sum up to about $1.48 million.”
The most troublesome ransomware group that resurfaced in June was LockBit 2.0. Its developers claim their malware is “the fastest encryption software all over the world.” The group also offers a stealer named StealBit that enables the attackers to download victims’ data.
Since June, LockBit 2.0 has compromised at least 52 organizations. Most of these are in the accounting, automotive, consulting, insurance, law enforcement, and finance sectors, in countries including Australia, Austria, Belgium, Brazil, Germany, Italy, Romania, Switzerland, the U.K., and the U.S.
The rise of new ransomware variants shows that cybercriminals are still doubling down on their attacks, which means this activity is very profitable, and we are likely to see new groups appear on the scene.
“With major ransomware groups such as REvil and DarkSide lying low or rebranding to evade law enforcement heat and media attention, new groups will emerge to replace the ones that are no longer actively targeting victims,” the researchers said. “While LockBit and HelloKitty have been previously active, their recent evolution makes them a good example on how old groups can re-emerge and remain persistent threats.”