
Ransomware remains the number one threat to organizations worldwide, and supply chain attacks have become an established technique for mature, experienced ransomware groups.
Although law enforcement activity has increased worldwide, the ransomware industry keeps thriving despite these efforts. Organizations are feeling the impact more acutely as the many critical vulnerabilities disclosed this quarter handed operators fresh entry points, and the steady emergence of new groups has added a new generation of ransomware families.
TheCyberThrone reviews the new ransomware families of 2023.
8BASE
8Base is a newly discovered ransomware gang which, despite only recently gaining attention, has been operating since April 2022. In May 2023 it had a total of 67 victims. Predominantly targeting small and medium-sized businesses (SMBs), 8Base has concentrated on the Scientific and Technical sector, which accounts for 36% of known attacks, followed by Manufacturing at 17%. Victim geography shows a concentration in the Americas and Europe, with the United States and Brazil the most targeted countries.
Akira
Akira is a new ransomware that has been hitting enterprises worldwide since March 2023; by April it had already published data from nine companies in sectors such as education, finance, and manufacturing. When executed, the ransomware deletes Windows Volume Shadow Copies (removing the easiest local recovery path), encrypts files with specific extensions, and appends the .akira extension to each encrypted file.
BlackSuit
BlackSuit is a new ransomware that is strikingly like Royal, sharing 98% of its code. It targets both Windows and Linux hosts. BlackSuit could be a new variant developed by Royal’s authors, a mimicry attempt using similar code, an affiliate of the Royal ransomware gang running its own modifications, or even a breakaway group from the Royal ransomware gang.
CACTUS
CACTUS emerged in March 2023 as a fresh strain of ransomware aimed at large commercial organizations. Last month it published 18 victims on its leak site. For initial access the gang exploits well-known vulnerabilities in VPN appliances. Once inside a network, CACTUS operators enumerate local and network user accounts and reachable endpoints, create new user accounts, and deploy the encryptor. What sets CACTUS apart is its use of custom scripts that automate the unpacking and launch of the ransomware through scheduled tasks.
CiphBit
Although CiphBit had been posting victims on its dark web site since April, the group was not observed in the wild until September 2023, when it added two new victims, bringing its total to eight to date.
CloAk
CloAk is a new ransomware group that emerged between late 2022 and the beginning of 2023. In August 2023, the group published the data of 25 victims, mostly from Europe and with a special focus on Germany.
CrossLock
CrossLock is a new ransomware strain written in Go, which makes it harder to reverse engineer and eases compilation for multiple platforms. It employs anti-analysis tactics such as checking for the WINE environment and tampering with Event Tracing for Windows (ETW) functions. In April the CrossLock group claimed an attack on Valid Certificadora, a Brazilian IT and ITES company.
Cyclops/Knight
Although the underground was aware of Cyclops in May 2023, evidence of its activity surfaced only recently, as new victims appeared on its dark web portal. The group has also announced a rebrand to "Knight." Last month it published 6 victims on its leak site. The ransomware is versatile, capable of compromising Windows, Linux, and macOS systems. Cyclops stands out for its encryption design, which requires a unique key to decrypt the execution binary, and for a separate stealer component built to collect and exfiltrate sensitive information.
Dark Power
March saw the rise of Dark Power, a new ransomware group that tallied 10 victims. Its ransomware is notable for being written in the uncommon Nim programming language. Although basic, Dark Power generates a unique encryption key for each targeted machine, which makes a generic decryption tool hard to build. The ransomware stops services and terminates processes so that encryption proceeds unhindered, and it clears logs to make an investigation harder. Its effectiveness underlines that attackers do not always need advanced, novel techniques to succeed.
DPRK’s ransomware
In early February, CISA released an alert highlighting continued state-sponsored ransomware activity by the Democratic People's Republic of Korea (DPRK) against organizations in the US healthcare sector and other critical infrastructure sectors.
Dunghill Leak
Dunghill Leak is a new ransomware operation that evolved from Dark Angels, which itself derived from Babuk ransomware. In April it published data from two companies, including Incredible Technologies, an American developer and manufacturer of coin-operated video games; the gang claims to hold 500 GB of the company's data, including game files and tax payment reports. Researchers think Dunghill Leak is simply a rebranded Dark Angels.
DarkRace
DarkRace is a new ransomware group first reported by researcher S!Ri. It targets Windows systems and shows several similarities to LockBit. The gang hit 10 victims last month, most of them in the Information and Communications Technology (ICT) sector. Geographically, most victims are in Europe, particularly Italy.
Hunters International
Hunters International is a new ransomware player suspected to be a rebrand of Hive, whose infrastructure was seized by law enforcement in January 2023. Hunters International denies this, claiming to be a distinct entity that purchased Hive's source code, but the overlap in the malware's code and functionality suggests a direct lineage from Hive. Note that code overlap alone cannot distinguish a rebrand from a purchased codebase; the attribution rests on operational continuity as much as on the binaries.
INC Ransom
INC Ransom is a newcomer to the ransomware scene that published three victims to its leak site in August.
LostTrust
LostTrust is a rebrand from the MetaEncryptor ransomware gang we first spotted in August 2023. In September, they had a staggering 53 victims. The reason for the rebrand is unclear at present.
Medusa
Not since we introduced Royal ransomware in November 2022 have we seen a new gang burst onto the scene with as much activity as Medusa did in February. The group published 20 victims on its leak site, making it the third most active ransomware that month. Among its victims are Tonga Communications Corporation (TCC), a state-owned telecommunications company, and the oil and gas company PetroChina Indonesia.
MetaEncryptor
MetaEncryptor is a new ransomware gang that published the data of 12 victims in August 2023 (it has since rebranded as LostTrust, covered above).
MEOW
First detected in August 2022, Meow ransomware, built from the leaked Conti v2 variant, reappeared after vanishing in February 2023. The group published nine victims to its leak site in November. Operating as MeowCorp or MeowCorp2022, it appends a ".MEOW" extension to encrypted files and drops ransom notes demanding contact via email or Telegram. Meow uses ChaCha20 and RSA-4096, the usual hybrid in which the stream cipher encrypts file contents and RSA protects the per-file keys, and is related to other strains that originate from the leaked Conti code. Its dark web site shows a limited victim list, including the high-profile Sloan Kettering Cancer Center.
Money Message
Money Message is a new ransomware that targets both Windows and Linux systems. In April, criminals used Money Message to hit at least 10 victims, mostly in the US and across various industries, including multi-billion-dollar companies such as Taiwanese PC component maker MSI (Micro-Star International). Money Message uses advanced encryption techniques and leaves a ransom note named "money_message.log."
Nevada Ransomware
Nevada is a new ransomware that appeared on the dark web just before the start of 2023, but it was not until late January that it received a serious upgrade. An actor named 'nebel' promoted the project on the RAMP underground forum, known as a meeting place for initial access brokers (IABs) and Russian- and Chinese-speaking hackers; the actor later updated and significantly improved the locker for Windows and Linux/ESXi and distributed new builds to affiliates.
NoEscape
NoEscape is a new ransomware that has been doing the rounds in underground forums since May 2023. Developed in-house in C++, it uses a hybrid encryption scheme: ChaCha20 for file contents and RSA to protect the ChaCha20 keys.
RA Group
RA Group is a new ransomware that primarily targets pharmaceutical, insurance, wealth management, and manufacturing firms in the United States and South Korea. Its encryptor is derived from the leaked source code of Babuk, an operation that ceased in 2021. The encryptor uses intermittent encryption, alternating between encrypting and skipping sections of a file to speed up the process; the skipped sections remain readable, so some data is partially recoverable, and a detection that samples only part of a file for high entropy can miss it.
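How the two mechanisms described above fit together, as an added example written for this page and not code from any of these groups: the hybrid scheme attributed to Meow and NoEscape (ChaCha20 for file contents, RSA to wrap the per-file key, which is also what makes the per-machine keys of Dark Power useless to a generic decryptor) and the intermittent encryption attributed to RA Group. The ChaCha20 block function follows RFC 8439; the segment size (100 bytes), the stride (every third segment), the sample buffer and the 2048-bit RSA key (the page reports RSA-4096; 2048 keeps the demo fast) are assumptions chosen for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// chacha20Block produces one 64-byte keystream block as defined in RFC 8439.
func chacha20Block(key [32]byte, nonce [12]byte, counter uint32) [64]byte {
	var s [16]uint32
	s[0], s[1], s[2], s[3] = 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 // "expand 32-byte k"
	for i := 0; i < 8; i++ {
		s[4+i] = binary.LittleEndian.Uint32(key[4*i:])
	}
	s[12] = counter
	for i := 0; i < 3; i++ {
		s[13+i] = binary.LittleEndian.Uint32(nonce[4*i:])
	}
	w := s
	qr := func(a, b, c, d int) {
		w[a] += w[b]; w[d] = bits.RotateLeft32(w[d]^w[a], 16)
		w[c] += w[d]; w[b] = bits.RotateLeft32(w[b]^w[c], 12)
		w[a] += w[b]; w[d] = bits.RotateLeft32(w[d]^w[a], 8)
		w[c] += w[d]; w[b] = bits.RotateLeft32(w[b]^w[c], 7)
	}
	for i := 0; i < 10; i++ { // 10 double rounds = 20 rounds
		qr(0, 4, 8, 12); qr(1, 5, 9, 13); qr(2, 6, 10, 14); qr(3, 7, 11, 15)
		qr(0, 5, 10, 15); qr(1, 6, 11, 12); qr(2, 7, 8, 13); qr(3, 4, 9, 14)
	}
	var out [64]byte
	for i := range w {
		binary.LittleEndian.PutUint32(out[4*i:], w[i]+s[i])
	}
	return out
}

// xorKeystream XORs buf with the keystream bytes belonging to absolute file
// offsets pos..pos+len(buf), so each segment is handled independently of the others.
func xorKeystream(buf []byte, pos int, key [32]byte, nonce [12]byte) {
	var block [64]byte
	cur := -1
	for i := range buf {
		if p := pos + i; p/64 != cur {
			cur = p / 64
			block = chacha20Block(key, nonce, uint32(cur))
		}
		buf[i] ^= block[(pos+i)%64]
	}
}

// IntermittentEncrypt encrypts the first `segment` bytes of every `stride`
// segments and leaves the rest as plaintext. XOR is its own inverse, so the
// same call decrypts. It returns the number of bytes actually encrypted.
func IntermittentEncrypt(data []byte, key [32]byte, nonce [12]byte, segment, stride int) int {
	encrypted := 0
	for off := 0; off < len(data); off += segment * stride {
		end := off + segment
		if end > len(data) {
			end = len(data)
		}
		xorKeystream(data[off:end], off, key, nonce)
		encrypted += end - off
	}
	return encrypted
}

// NewOperatorKey models the RSA key pair the operator keeps; only the public half ships in the encryptor.
func NewOperatorKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// WrapFileKey seals the per-file ChaCha20 key and nonce with RSA-OAEP, so only the private key holder can recover them.
func WrapFileKey(pub *rsa.PublicKey, key [32]byte, nonce [12]byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, append(key[:], nonce[:]...), nil)
}

// UnwrapFileKey is the operator-side inverse of WrapFileKey.
func UnwrapFileKey(priv *rsa.PrivateKey, blob []byte) (key [32]byte, nonce [12]byte, err error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob, nil)
	if err != nil {
		return key, nonce, err
	}
	copy(key[:], pt[:32])
	copy(nonce[:], pt[32:])
	return key, nonce, nil
}

func main() {
	priv, err := NewOperatorKey(2048)
	if err != nil {
		panic(err)
	}
	var key [32]byte
	var nonce [12]byte
	if _, err := rand.Read(key[:]); err != nil {
		panic(err)
	}
	if _, err := rand.Read(nonce[:]); err != nil {
		panic(err)
	}
	file := make([]byte, 950) // constructed sample "file"
	for i := range file {
		file[i] = "confidential "[i%13]
	}
	n := IntermittentEncrypt(file, key, nonce, 100, 3)
	fmt.Printf("encrypted %d of %d bytes; offset 100 still reads %q\n", n, len(file), file[100:112])
	blob, _ := WrapFileKey(&priv.PublicKey, key, nonce)
	k2, n2, err := UnwrapFileKey(priv, blob)
	if err != nil {
		panic(err)
	}
	IntermittentEncrypt(file, k2, n2, 100, 3)
	fmt.Printf("wrapped key blob is %d bytes; after unwrap and decrypt: %q\n", len(blob), file[:12])
}
```

With these parameters 350 of 950 bytes are touched and the byte ranges 100-299, 400-599 and 700-899 stay readable, which is exactly the "partially recoverable" data the RA Group description refers to. Without the operator's private key the 256-byte blob cannot be opened, so knowing the algorithm does not yield a decryptor.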
Rancoz
Rancoz is a new ransomware variant that shares similarities with Vice Society. Its operators modify existing leaked source code to target specific industries, organizations, or geographic regions, which increases attack effectiveness and helps the variant evade detection.
RansomedVC
RansomedVC is a new group that published the data of nine victims on its leak site last month. The group has adopted a favourite ideology of other ransomware actors—that they are serving as nothing more than “pen-testers”—and added a twist, alleging that any vulnerabilities they have found in victims’ networks must also be reported under compliance to Europe’s General Data Protection Regulation (GDPR). RansomedVC has advertised themselves as a “digital tax for peace” service and threatened victims with data breach fines if the ransom is not paid.
Rhysida
Rhysida, a new ransomware gang that describes itself as a "cybersecurity team," has been operating since May 17, 2023 and made headlines with its high-profile attack on the Chilean Army. The gang published eighteen victims on its leak site in June, making it one of the most prolific newcomers in our monthly reviews to date.
ThreeAM (3AM)
ThreeAM (3AM) is a new ransomware family first seen deployed as a fallback after a failed LockBit attack; it had 10 victims in September.
Trigona
Trigona ransomware emerged in October 2022 and has hit various sectors worldwide, including six victims in April. Operators use tools such as NetScan for reconnaissance, Splashtop for remote access, and Mimikatz to harvest credentials from target systems. They also employ batch scripts to create new user accounts, disable security features, and cover their tracks.
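The pre-encryption steps this page attributes to Akira (shadow copy deletion), CACTUS (new accounts, encryptor launched from a scheduled task) and Trigona (batch scripts that create accounts and disable security features) all show up in process-creation telemetry. The following is an added example for this page, not tooling from any vendor or from these groups: a small Go scanner that runs command-line rules over Sysmon Event ID 1 / Security 4688 style records. The log line format, hostnames, user names and commands are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is one process-creation record (Sysmon Event ID 1 / Security 4688 style).
type Event struct {
	Time, Host, User, Cmd string
}

// Alert pairs an event with the names of the rules it triggered.
type Alert struct {
	Event Event
	Rules []string
}

// rules describe command lines a ransomware operator typically runs before
// encryption. They are deliberately narrow; tune them to your environment.
var rules = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"shadow-copy-deletion", regexp.MustCompile(`(?i)vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy.*(remove-wmiobject|\.delete\(\))`)},
	{"backup-catalog-deletion", regexp.MustCompile(`(?i)wbadmin(\.exe)?\s+delete\s+catalog|bcdedit(\.exe)?\s.*recoveryenabled\s+no`)},
	{"local-account-creation", regexp.MustCompile(`(?i)\bnet1?(\.exe)?\s+user\s+\S+\s+.*\s/add\b`)},
	{"admin-group-addition", regexp.MustCompile(`(?i)\bnet1?(\.exe)?\s+localgroup\s+administrators\s+.*\s/add\b`)},
	{"scheduled-task-creation", regexp.MustCompile(`(?i)\bschtasks(\.exe)?\s+/create\b`)},
	{"defense-tampering", regexp.MustCompile(`(?i)set-mppreference\s+-disablerealtimemonitoring\s+\$?true|\bsc(\.exe)?\s+(stop|config)\s+windefend\b`)},
}

// kvRe extracts key=value pairs; values may be double-quoted to allow spaces.
var kvRe = regexp.MustCompile(`(\w+)=(?:"([^"]*)"|(\S+))`)

// ParseEvent reads "<timestamp> key=value ..." lines. Lines without a cmd field are rejected.
func ParseEvent(line string) (Event, bool) {
	parts := strings.SplitN(strings.TrimSpace(line), " ", 2)
	if len(parts) != 2 {
		return Event{}, false
	}
	ev := Event{Time: parts[0]}
	for _, m := range kvRe.FindAllStringSubmatch(parts[1], -1) {
		val := m[2]
		if val == "" {
			val = m[3]
		}
		switch m[1] {
		case "host":
			ev.Host = val
		case "user":
			ev.User = val
		case "cmd":
			ev.Cmd = val
		}
	}
	return ev, ev.Cmd != ""
}

// Detect returns the names of every rule the event's command line matches.
func Detect(ev Event) []string {
	var hits []string
	for _, r := range rules {
		if r.Re.MatchString(ev.Cmd) {
			hits = append(hits, r.Name)
		}
	}
	return hits
}

// Scan parses each line and keeps only the events that triggered a rule.
func Scan(lines []string) []Alert {
	var out []Alert
	for _, line := range lines {
		ev, ok := ParseEvent(line)
		if !ok {
			continue
		}
		if hits := Detect(ev); len(hits) > 0 {
			out = append(out, Alert{Event: ev, Rules: hits})
		}
	}
	return out
}

// SampleLog is constructed for this example: five lines mirroring the
// pre-encryption steps described above, then two benign admin commands.
var SampleLog = []string{
	`2023-09-12T03:14:07Z host=WS01 user=CORP\svc_backup image="C:\Windows\System32\vssadmin.exe" cmd="vssadmin delete shadows /all /quiet"`,
	`2023-09-12T03:14:09Z host=WS01 user=CORP\svc_backup image="C:\Windows\System32\net.exe" cmd="net user support P@ssw0rd! /add"`,
	`2023-09-12T03:14:10Z host=WS01 user=CORP\svc_backup image="C:\Windows\System32\net.exe" cmd="net localgroup administrators support /add"`,
	`2023-09-12T03:14:12Z host=WS01 user=CORP\svc_backup image="C:\Windows\System32\schtasks.exe" cmd="schtasks /create /sc once /st 03:30 /tn Update /tr C:\ProgramData\upd.exe /ru SYSTEM"`,
	`2023-09-12T03:14:15Z host=WS01 user=CORP\svc_backup image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"`,
	`2023-09-12T03:20:01Z host=WS01 user=CORP\jsmith image="C:\Windows\System32\vssadmin.exe" cmd="vssadmin list shadows"`,
	`2023-09-12T03:21:44Z host=WS02 user=CORP\jsmith image="C:\Windows\System32\schtasks.exe" cmd="schtasks /query /tn Update"`,
}

func main() {
	for _, a := range Scan(SampleLog) {
		fmt.Printf("%s %s %s [%s]\n  %s\n", a.Event.Time, a.Event.Host, a.Event.User, strings.Join(a.Rules, ","), a.Event.Cmd)
	}
}
```

The two benign lines (`vssadmin list shadows`, `schtasks /query`) are there to show why the rules key on the verb and not just the binary: the same tools are used every day by administrators. In practice the sequence matters more than any single hit; five of these rules firing from one account within seconds is the signal to act on.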
Vendetta
V is Vendetta is a newcomer that published three victims in February on a site that follows the not-so-new practice of branding itself with imagery ripped from a particular mid-2000s dystopian action film. The site is noteworthy not only for its awful "teenager's bedroom" design but also for being hosted on a subdomain of the Cuba ransomware dark web site.
This brings us to the end of this coverage. Thanks for visiting TheCyberThrone. If you like our work, please follow us on Facebook, Twitter and Instagram.



Merry Christmas 🎄