
The ransomware industry remains the number one threat to organizations worldwide. Supply chain attacks have become an established technique for mature, experienced ransomware groups.
Although law enforcement agencies worldwide have stepped up their activity, the industry keeps thriving despite these efforts. Organizations are feeling the impact of ransomware more acutely, as many critical vulnerabilities were discovered this quarter. Additionally, the emergence of new groups has contributed to the industry’s growth. These ambitious groups show promise and are introducing a new generation of ransomware families.
TheCyberThrone discusses the new ransomware families of 2024, in no specific order.
Slug Ransomware
Slug ransomware burst onto the scene in early 2024, quickly making headlines by targeting major organizations. One of its most notable attacks was on AerCap, the world’s largest aircraft leasing company. Slug claimed to have exfiltrated 1TB of sensitive data and demanded a significant ransom. The group operates a dark web portal, but it remains sparse, offering limited information about their operations and motives. Their methods indicate a high level of sophistication and a targeted approach towards high-profile industries.
Kasseika Ransomware
Kasseika ransomware came to light in late 2023 and has garnered attention for its advanced techniques. One of its distinguishing tactics is the use of Bring Your Own Vulnerable Driver (BYOVD) attacks. This method involves leveraging a vulnerable driver to disable antivirus processes and other security tools, thereby clearing the way for their ransomware to encrypt files unimpeded. Kasseika shares similarities with the notorious BlackMatter ransomware, both in its coding structure and operational strategies, suggesting possible connections or shared expertise between the groups.
Going Insane Ransomware
Going Insane ransomware emerged in January 2024 and quickly made its presence felt with a high-impact attack in Thailand. The ransomware employs AES encryption to lock victims’ files and has been associated with data theft followed by extortion demands. The group’s leak site is minimalistic, but it hints at a potential origin in Russia, based on language and other subtle cues. Going Insane’s modus operandi includes precise targeting and rapid execution, making it a formidable threat in the ransomware landscape.
Blackout Ransomware
Blackout Ransomware is a significant new threat that emerged in 2024, targeting critical infrastructures around the world. The group first gained widespread attention with its attack on a major telecommunications provider in Mexico, which resulted in severe operational disruptions by compromising all backups. Blackout’s tactics include using malware originally developed by the prolific LockBit group, known for its involvement in over 2,500 global attacks. Despite efforts by law enforcement to dismantle their operations, Blackout remains an active and formidable threat in the cybersecurity landscape.
Alpha Ransomware
Alpha Ransomware made its debut in early 2024 and quickly drew attention due to its striking resemblance to the now-defunct NetWalker ransomware. Alpha uses a PowerShell-based loader to deliver its payload, targeting both Windows and Linux systems. Once it has encrypted the victim’s files, it deletes itself via a temporary batch file, leaving behind a payment portal message that closely mimics the style of NetWalker.
Despite being a relatively new player, Alpha has demonstrated significant capabilities. It first appeared in February 2023 and has since escalated its operations, launching a Dedicated/Data Leak Site (DLS) on the dark web, where it lists data from six victims. Although Alpha’s infection rates are lower compared to other major ransomware groups, its sophisticated techniques and connections to NetWalker make it a formidable threat in the ransomware landscape.
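Two of the behaviours described above are visible in endpoint telemetry: Kasseika’s BYOVD step shows up as a driver load (Sysmon Event ID 6), and Alpha’s self-deletion shows up as a PowerShell process spawning cmd.exe on a batch file in a Temp directory (Sysmon Event ID 1). The script below is an added example written for this article, not code from TheCyberThrone or from any of the groups discussed. The Sysmon field names (ImageLoaded, Hashes, Image, ParentImage, CommandLine) are real; the event records, the driver paths and the SHA256 blocklist values are constructed placeholders, and a real deployment would load the blocklist from a vulnerable-driver reference list.

```python
"""Detection sketch over Sysmon-style event records (constructed sample data)."""

# Constructed blocklist of SHA256 values for drivers known to be abusable.
# The values below are placeholders, not real driver hashes.
VULNERABLE_DRIVER_SHA256 = {
    "PLACEHOLDER_SHA256_VULNERABLE_DRIVER_1",
    "PLACEHOLDER_SHA256_VULNERABLE_DRIVER_2",
}

# Path fragments a properly installed kernel driver should not be loaded from.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\")


def sha256_from_hashes(field: str) -> str:
    """Pull the SHA256 out of a Sysmon 'Hashes' field ('SHA256=...,MD5=...')."""
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().upper()
    return ""


def check_driver_load(ev: dict) -> list:
    """Sysmon Event ID 6 (Driver loaded): BYOVD indicators."""
    alerts = []
    image = ev.get("ImageLoaded", "")
    if sha256_from_hashes(ev.get("Hashes", "")) in VULNERABLE_DRIVER_SHA256:
        alerts.append(f"BYOVD: blocklisted driver loaded: {image}")
    if any(marker in image.lower() for marker in USER_WRITABLE_MARKERS):
        alerts.append(f"BYOVD: driver loaded from user-writable path: {image}")
    return alerts


def check_process_create(ev: dict) -> list:
    """Sysmon Event ID 1 (Process creation): PowerShell parent running a Temp batch file."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmdline = ev.get("CommandLine", "").lower()
    if (image.endswith("\\cmd.exe") and parent.endswith("\\powershell.exe")
            and ".bat" in cmdline and "\\temp\\" in cmdline):
        return [f"Loader cleanup: PowerShell spawned a temp batch file: {ev.get('CommandLine')}"]
    return []


def scan(events) -> list:
    """Run the per-event-type checks and return all alerts, in event order."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 6:
            alerts.extend(check_driver_load(ev))
        elif ev.get("EventID") == 1:
            alerts.extend(check_process_create(ev))
    return alerts


# Constructed sample events (field names are Sysmon's; values are made up).
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000001"},
    {"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\Libraries\\svc.sys",
     "Hashes": "MD5=00000000000000000000000000000001,SHA256=placeholder_sha256_vulnerable_driver_1"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "cmd.exe /c \"C:\\Users\\victim\\AppData\\Local\\Temp\\cleanup.bat\""},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, the second driver-load record raises two alerts (blocklisted hash and user-writable path) and the cmd.exe record raises one; the benign tcpip.sys load and the notepad.exe launch raise none. The path heuristic is deliberately coarse and will need tuning per environment; the hash match is the reliable signal, and disabling of security tools right after an unexpected driver load is the follow-on event worth correlating.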
Donex Ransomware
Donex ransomware is the latest iteration of a series of rebrandings, evolving from Muse (April 2022) to fake LockBit 3.0, then DarkRace, and finally becoming Donex in March 2024. A critical flaw in its cryptographic schema was identified by researchers, enabling the creation of a decryptor for Donex and its earlier versions. This decryptor has been made available to victims since March 2024. Donex predominantly targeted victims in the US, Italy, and Belgium.
Kill Security Ransomware
Kill Security ransomware, also known by its aliases KillSec, KillSecurity 2.0, and KillSecurity 3.0, first appeared in October 2023. Operating as a Ransomware-as-a-Service (RaaS), Kill Security has been involved in numerous attacks across various sectors, including government, manufacturing, and finance. Known for its aggressive extortion tactics, Kill Security has demanded ransoms ranging from a few thousand to hundreds of thousands of euros.
DarkVault Ransomware
DarkVault ransomware emerged in November 2023 and quickly established itself as a significant cyber threat. The group is notorious for its aggressive and diverse range of cybercriminal activities, claiming to be part of an exclusive online community involved in illegal operations such as bomb threats, swatting, doxing, website defacing, malware creation, scams, spam, and fraud. Despite being a recent addition to the ransomware landscape, DarkVault has already caused substantial disruptions across multiple sectors. They employ a double extortion tactic, encrypting systems and threatening to release stolen data if ransoms are not paid.
APT73 Ransomware
APT73 surfaced in mid-April 2024, positioning itself as an Advanced Persistent Threat (APT), a designation usually reserved for highly skilled and persistent cyber adversaries. This group has been linked to the infamous LockBit group, with its data leak site mimicking LockBit’s design, likely to leverage LockBit’s notoriety and attract affiliates. APT73 has publicly identified numerous victims and has carried out various ransomware attacks across different industries, demonstrating its capability and intent.
Qiulong Ransomware
Qiulong ransomware made its debut in early 2024 and has primarily targeted Brazilian organizations. The group announced its presence by compromising entities such as Dr. Lincoln Graca Neto and Rosalvo Automoveis. Qiulong uses the double extortion tactic, encrypting critical systems and exfiltrating sensitive data to strengthen their leverage during ransom negotiations. The name “Qiulong,” which translates to “horned dragon” or “hornless dragon” from Chinese, may hint at the group’s Asian origins or intended mystique.
ArcusMedia Ransomware
ArcusMedia ransomware emerged in May 2024 and quickly established itself as a significant threat. The group operates a Ransomware-as-a-Service (RaaS) model, enabling other threat actors to utilize their malware. ArcusMedia is known for its double extortion tactics, encrypting data and threatening to leak it if ransoms aren’t paid. They gain initial access through phishing and exploiting vulnerabilities, using RDP and living-off-the-land techniques for lateral movement.
SpiderX Ransomware
SpiderX ransomware is a newly emerged group identified as the successor to the notorious Diablo group. Announced by a threat actor known as “phant0m” on a dark web forum, SpiderX employs sophisticated techniques, including the ChaCha20-256 encryption algorithm, which is known for its speed and security. SpiderX can perform encryption activities offline, reducing its network footprint and making it harder to detect. The group also includes a built-in information stealer that exfiltrates sensitive data to external servers.
FakePenny Ransomware
FakePenny ransomware is a custom variant deployed by the North Korean hacking group Moonstone Sleet. First observed in April 2024, FakePenny has been used in attacks demanding significant ransoms, such as $6.6 million in Bitcoin. Moonstone Sleet, previously known as Storm-17, targets a wide range of sectors, including finance, cyber espionage, software, IT, education, and defense. The group employs unique attack methods and custom tools, diverging from the tactics of other North Korean groups.
Ransomcortex Ransomware
Ransomcortex is a new ransomware group that emerged in 2024, specializing in attacks on healthcare facilities. They quickly gained notoriety by targeting four institutions within days, including three in Brazil and one in Canada. Their focus on healthcare highlights the vulnerability of this sector, which often holds sensitive and valuable information. Ransomcortex employs double extortion tactics, encrypting data and threatening to release it unless a ransom is paid.
Vanir Group Ransomware
Vanir Group is another new ransomware group that surfaced in 2024. This group is composed of former affiliates from well-known ransomware groups like LockBit, Karakurt, and Knight. Vanir Group is known for its aggressive and professional operations, quickly making a name for itself by targeting multiple victims and publishing their data on a leak site. Their unique aesthetic and intimidating messages to victims underscore their ruthless approach.
Mad Liberator Ransomware
Mad Liberator ransomware emerged in mid-2024 and is known for leveraging social engineering techniques to gain access to victims’ environments. They often exploit remote access tools like AnyDesk, using fake Microsoft Windows update screens to conceal their data exfiltration activities. Mad Liberator primarily focuses on data exfiltration, but they also employ double extortion tactics, threatening to release stolen data if ransoms are not paid.
SafePay
SafePay is an emerging ransomware group that uses LockBit-based ransomware. They have targeted various industries and have claimed 22 victims so far. They use double extortion tactics, combining data encryption with data theft to pressure victims into paying ransoms.
Chort
Chort (“devil” in Russian) is a new ransomware group that emerged in late 2024. They have targeted mainly the US education sector, naming six victims on their data-leak site. They practice double extortion, stealing sensitive data before encrypting files.
KAIROS
KAIROS surfaced in November 2024 and has targeted healthcare and engineering firms. They use double extortion tactics and have claimed responsibility for six attacks, including a significant breach at The Physical Medicine & Rehabilitation Center in July 2024.
Argonauts
Argonauts is another newcomer, focusing on Italian technology and manufacturing organizations. They have claimed responsibility for cyberattacks against ten organizations as of late November 2024.
Nitrogen
Nitrogen ransomware emerged in September 2024 and has made headlines for its sophisticated attack strategies. They notably breached Red Barrels’ IT systems, compromising 1.8 terabytes of sensitive data, including game source code. Nitrogen utilizes advanced techniques such as IP scanning and deploying Sliver and Cobalt Strike beacons, ultimately delivering BlackCat ransomware.
Orca
Orca ransomware, which surfaced in the same month, is associated with the Zeppelin malware family. This group targeted Chernan Technology Co Ltd, a Taiwanese manufacturer, exfiltrating 18GB of data. Orca employs double-extortion tactics, encrypting files while threatening to publish stolen data unless the ransom is paid.
Kransom
Kransom, also identified in September 2024, is notable for its use of DLL side-loading. This method lets it hide within a modified version of the game StarRail, evading detection while encrypting files with XOR encryption. They exploit vulnerabilities in unpatched software and use phishing campaigns to deliver their payload.
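XOR with a fixed repeating key, as attributed to Kransom above, is not encryption in any meaningful sense: most file formats begin with predictable magic bytes, and XORing those known bytes against the encrypted file exposes the key stream directly. The script below is an added example for this article, not code from Kransom or from TheCyberThrone, and it makes no claim about Kransom’s actual key length or format. It shows the known-plaintext recovery a responder would attempt on such files: derive the key from the header, confirm it repeats, and decrypt. The file headers are real magic bytes; the sample file and the six-byte key are constructed.

```python
"""Known-plaintext key recovery for repeating-key XOR (constructed sample data)."""

# Magic bytes of common file types; the first bytes of an encrypted file
# are therefore predictable plaintext. (PNG: signature + IHDR chunk header.)
KNOWN_HEADERS = {
    "png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR",
    "pdf": b"%PDF-1.",
    "zip": b"PK\x03\x04",
}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the same operation encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes, max_key_len: int = 32):
    """Return the shortest repeating key consistent with the known prefix, or None.

    XORing ciphertext with the known plaintext exposes the key stream. A candidate
    key length is accepted only if the whole exposed stream repeats with that
    period, and only lengths covered at least twice by the known prefix are
    tried, so a single period of the key is never taken as evidence.
    """
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))
    for klen in range(1, min(max_key_len, len(stream) // 2) + 1):
        candidate = stream[:klen]
        if all(stream[i] == candidate[i % klen] for i in range(len(stream))):
            return candidate
    return None


def recover_file(ciphertext: bytes):
    """Try each known header in turn; return (file type, key, plaintext) or None."""
    for ftype, header in KNOWN_HEADERS.items():
        key = recover_key(ciphertext, header)
        if key is not None:
            return ftype, key, xor_bytes(ciphertext, key)
    return None


# Constructed sample: PNG header plus filler bytes, encrypted with a made-up
# 6-byte key. Neither the key nor the file comes from any real incident.
SAMPLE_KEY = b"K4ns0m"
SAMPLE_PLAINTEXT = KNOWN_HEADERS["png"] + bytes(range(0x20, 0x60))
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    result = recover_file(SAMPLE_CIPHERTEXT)
    if result is None:
        print("no key found: known header too short for the key length")
    else:
        ftype, key, plaintext = result
        print(f"type={ftype} key={key!r} recovered={plaintext == SAMPLE_PLAINTEXT}")
```

The limiting factor is the length of the known header: the 16-byte PNG prefix can confirm keys of up to 8 bytes, while the 4-byte ZIP signature only reaches 2. For longer keys a responder extends the known plaintext with other fixed structure (a ZIP local header’s version field, an unencrypted copy of the same file from backup) rather than guessing; the function returns None instead of a half-verified key when the evidence is too short.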
Lynx Ransomware Group
Lynx ransomware, which emerged in July 2024, has quickly gained infamy for its aggressive tactics. They’ve targeted Electrica Group, one of Romania’s largest electricity suppliers, and claimed over 78 victims, including multiple U.S. facilities and entities in the energy, oil, and gas sectors. Using double extortion tactics, Lynx steals and encrypts data to pressure victims into paying ransoms. They are believed to have purchased the source code from another ransomware group, INC Ransom.
Helldown Ransomware Group
Helldown ransomware, first documented in August 2024, has compromised 31 victims, including Zyxel Europe, a network equipment manufacturer. Helldown uses double extortion tactics, exfiltrating large volumes of data and threatening to publish it if the ransom is not paid. They exploit vulnerabilities in Zyxel firewalls and other systems to gain access and deploy their ransomware. Helldown has targeted a wide range of sectors, including museums and cargo transport companies.
Hellcat Ransomware Group
Hellcat ransomware has recently made waves with its attack on Schneider Electric, where they reportedly stole 40 GB of critical data, including projects and user information. They demanded a ransom of $125,000, humorously framed as payment in “baguettes.” Hellcat employs double extortion tactics, threatening to release the stolen data if the ransom isn’t paid.
Playboy Ransomware Group
Playboy Locker ransomware appeared in late 2024, encrypting files and adding the “.PLBOY” extension. After encryption, it creates a ransom note and changes the desktop wallpaper to pressure victims into paying. This group also uses double extortion, threatening to publish stolen data if the decryption service isn’t purchased.
Interlock Ransomware Group
Interlock ransomware, first observed in September 2024, targets both Windows and Linux systems. They use big-game hunting and double extortion tactics, encrypting files and exfiltrating sensitive data. Interlock has affected various industries, including healthcare, technology, and manufacturing.
Sarcoma Ransomware Group
Sarcoma ransomware is notorious for exploiting zero-day vulnerabilities, demonstrated in their attack on Smart Media Group Bulgaria. They employ advanced persistent threat (APT) tactics, using remote monitoring and management tools to infiltrate networks and exfiltrate large volumes of data. Sarcoma’s aggressive extortion tactics include threatening to publish stolen data if ransoms aren’t paid.
Space Bears
This is a new ransomware group that emerged in April 2024. They have already announced 7 victims across Germany, Norway, the US, and South Africa. They use a double-extortion tactic, encrypting data and threatening to publish stolen data if their ransom demands are not met.
Rabbit Hole
Rabbit Hole is another new ransomware group, identified in March 2024. They are known for their sophisticated attacks and selective targeting, customizing ransom demands based on the victim’s financial capacity and the perceived value of the encrypted data.
Qiulong
This group emerged in April 2024 and has targeted Brazilian victims. They have compromised several entities, including a plastic surgeon and a car dealership, and use double-extortion tactics.
Arcus Media
This group emerged in May 2024 and operates a Ransomware-as-a-Service (RaaS) model. They have executed 17 attacks, primarily targeting business services, retail, and media industries.
This brings the end of this security coverage. Thanks for visiting TheCyberThrone.


