The Evolving Landscape of Ransomware: Key Players and Their Impact
Egregor: The Double-Extortion Threat
Egregor ransomware has quickly gained notoriety, leveraging a “double extortion” technique that not only encrypts victims’ data but also threatens to leak sensitive information if the ransom is not paid. This sophisticated malware employs obfuscation and anti-analysis techniques to evade detection, making it a formidable player in the ransomware landscape. As of late November, Egregor has targeted at least 71 organizations across 19 different industries globally, showcasing its broad reach.
Egregor’s rise has been attributed to the shutdown of the Maze ransomware gang. It appears that affiliates from Maze have transitioned to Egregor, which is categorized as a variant of the Sekhmet ransomware family and has associations with Qakbot malware. Egregor was most active between September 2020 and early 2021 before law enforcement interventions curbed its operations.
FONIX: A Brief Life in Ransomware
FONIX appeared on the scene in July 2020 as a Ransomware-as-a-Service (RaaS) offering, allowing buyers to customize ransomware payloads. Users would simply provide an email address and password, and FONIX would send a tailored ransomware package. However, the gang went defunct by January 2021 after a series of code revisions and eventually released its master decryption key. Unlike other ransomware operations, FONIX did not reach a wide array of victims, making it a relatively obscure player in the grand scheme of ransomware.
GandCrab: The Powerhouse of RaaS
GandCrab is one of the most infamous ransomware strains, claiming over $2 billion in victim payouts as of July 2019. First identified in January 2018, it operated on an affiliate model, allowing cybercriminals to take a cut of the ransom fees. The malware is typically disseminated through phishing emails carrying specially crafted Microsoft Office documents. Variations of GandCrab have exploited system vulnerabilities to ramp up attacks, although it avoided systems in Russian-speaking regions.
GandCrab was active from January 2018 to May 2019, after which its creators are believed to have shifted focus to a new strain, REvil. The impact of GandCrab has left a lasting impression, as it paved the way for more sophisticated RaaS operations.
GoldenEye: A Subtle Disruption
GoldenEye made its mark in 2016, appearing to be based on the Petya ransomware. Initially targeting human resources departments via fake job applications, it employed a macro to encrypt files and modified the hard drive’s master boot record to take control. GoldenEye primarily spread among German-speaking users and, while it caused some disruption, it is no longer active today, showcasing how ransomware can rise and fall within a short lifespan.
Grief: The Evolution of DoppelPaymer
Grief, also known as “Pay or Grief,” emerged in May 2021 as a successor to the DoppelPaymer ransomware. The operation claimed responsibility for 41 organizational breaches within a short span, making an estimated $11 million from ransoms. Grief utilizes double extortion tactics and has established a leak site to pressure victims further. Its code differs only minimally from its predecessor and its operating model is straightforward, yet the group remains active as of now, constantly evolving its methods.
Jigsaw: A Unique Threat
Jigsaw first surfaced in 2016, known for a distinct tactic of progressively deleting files the longer a victim delays in paying the ransom. This aggressive approach added an element of urgency that required victims to act quickly. Although researchers released a decryption tool shortly after, the underlying genius of Jigsaw’s model still holds valuable lessons in ransomware strategy.
KeRanger: Targeting Apple’s Ecosystem
In 2016, KeRanger made headlines as the first ransomware targeting Mac OS X systems. Delivered through a compromised BitTorrent client, its clever evasion strategy allowed it to spread through legitimate channels. While KeRanger is no longer active, its existence illuminated the vulnerabilities within Apple’s ecosystem.
Leatherlocker: Disrupting Android Devices
Leatherlocker, discovered in 2017, targeted Android users through seemingly legitimate apps that locked devices instead of encrypting files. The operation showcases a unique angle on ransomware, significantly affecting mobile users and compelling app developers to prioritize security.
LockerGoga: Aimed at Industrial Giants
Emerging in 2019, LockerGoga targeted industrial companies with a focus on disruption rather than just financial gain. Its sophisticated phishing campaigns particularly affected European manufacturers, notably Norsk Hydro, leading to significant outages. This reflected a growing trend in which ransomware attacks on industrial entities had destructive rather than purely economic motives.
Locky: The Invoice Trick
First appearing in 2016, Locky was one of the most notorious ransomware strains and operated under a model that delivered malicious invoices via email. This approach affected a wide range of victims, with Locky leaving a lasting legacy that has inspired numerous variants.
Maze: Setting a Precedent
Maze ransomware, discovered in May 2019, was revolutionary for its use of the double extortion tactic. The group gained access to networks and sought not only to encrypt files but also to publicize stolen data if ransoms weren’t paid. Its closure in September 2020 marked a significant moment in the ransomware timeline.
Mespinoza (or PYSA): Evolving Techniques
Emerging in 2019, Mespinoza, also known as PYSA, has been characterized by a cheeky demeanor while being quite strategic in targeting high-value assets. The group’s tools emphasize targeted attacks on sensitive data within organizations, maintaining a focus on educational institutions and emphasizing the importance of operational security.
Netwalker: A Healthcare Focus
Active since 2019, Netwalker pushed the envelope in ransomware operations by not only encrypting but also exfiltrating data. Its reputation grew amidst the COVID-19 pandemic, targeting healthcare facilities with the dual threat of ransom demands and data leaks.
NotPetya: The Wiper Masquerade
First appearing in 2016, NotPetya is infamous for being a wiper masquerading as ransomware. It spread extensively, particularly impacting Ukraine, and caused widespread devastation. Its tactics and origin remain a significant point of discussion within cybersecurity circles.
Petya: The Precursor to NotPetya
Initially spreading in March 2016, Petya was less sophisticated than NotPetya but still targeted Windows systems. Its existence paints a broader picture of how ransomware can evolve and impact vital sectors.
PureLocker and the Shift to Server Targets
PureLocker specializes in targeting enterprise servers, utilizing a more sophisticated attack vector that focuses on machines already compromised. This strategy emphasizes the changing landscape of ransomware, moving beyond individual users to broader organizational threats.
RobbinHood: Local Government’s Struggles
RobbinHood gained notoriety in 2019 for dramatically crippling local governments, notably Baltimore’s. The malware’s unique approach to bypassing security measures serves as a reminder of the persistent vulnerabilities in government technologies.
Ryuk: High Stakes Ransomware
Ryuk, initially recognized in 2018, often targets high-stakes environments like hospitals and government facilities. Known for demanding exorbitant ransoms, its affiliations with previous malware frameworks highlight the interconnected nature of ransomware operations.
SamSam: A Bold Approach in Healthcare
Beginning in 2015, SamSam targeted healthcare organizations, exploiting various vulnerabilities to carry out devastating attacks. Its approach characterized a shift toward more focused targeting of critical sectors, thereby elevating the conversation around ransomware preparedness.
SimpleLocker: The Start of Mobile Ransomware
Discovered in 2014, SimpleLocker was one of the first to attack mobile devices, highlighting a significant shift in the ransomware landscape. This move to mobile platforms created new avenues for cybercriminals and forced users to reconsider their security measures.
Sodinokibi/REvil: The Sophisticated RaaS Model
Emerging in April 2019, Sodinokibi, or REvil, capitalized on its predecessor GandCrab’s success with a modernized approach to ransomware. Its attacks on high-profile organizations have illustrated the sophistication and impact of RaaS models today.
TeslaCrypt: A Gamified Ransomware
TeslaCrypt targeted gamers and, despite its early success, soon shut down operations in 2016, releasing decryption keys. Its unique focus on gaming demonstrates how ransomware can adapt to target specific demographics.
Thanos: A New Competitor
Thanos, a RaaS discovered in late 2019, has introduced innovative techniques that can bypass traditional security methods. Its ability to sell tailored ransomware packages through underground networks exemplifies the continuous evolution of ransomware operations.
WannaCry: A Worldwide Warning
WannaCry, which spread rapidly in May 2017, highlighted the vulnerabilities in global cybersecurity infrastructures. Its origin in North Korea and the chaos it subsequently caused serve as a critical learning point for both individuals and organizations.
WastedLocker: Uncompromising Tactics
WastedLocker has made a name for itself with sophisticated techniques and particularly high ransom demands. Its connections to the Evil Corp group reflect how cybercriminal gang structures can create long-lasting threats.
WYSIWYE: The Many Faces of Ransomware
Discovered in 2017, WYSIWYE utilized open Remote Desktop Protocol servers for its attacks, indicating a shift in the tactics employed by ransomware operators. Though it appears to be defunct, the strategies it used are still instructive for understanding potential future threats.
Zeppelin: Targeted Disruptions
Zeppelin emerged in 2019 as a targeted RaaS that refined its operational strategy down to specific demographics while employing sophisticated encryption techniques. Its focus on high-profile entities ensures that ransomware remains a persistent threat across all sectors.
This article underscores the diverse tapestry of ransomware operations, detailing how their tactics, targets, and lifecycles shape the ever-evolving landscape of cybersecurity threats. Each ransomware’s strategies teach us lessons that could help in bolstering defenses against future attacks.