If you’ve been following my blogs over the last few months, you’ll have spotted a recurring theme in many of them – ransomware. It’s a scourge of modern Internet life and it can be absolutely devastating for those affected.

Ransomware – The scourge of the Internet

There are many gangs running ransomware campaigns, but there is a small handful which top the list.

LockBit

The LockBit gang is one which crops up quite a lot, and with good reason: in May 2022 the gang was responsible for 40% of all ransomware attacks globally.

The group even boasted on social media that it had attacked 12,125 organizations.

LockBit made headlines by being the first hacking group to launch its own bug bounty program, offering up to USD $1 M to those willing to share their companies’ sensitive information with the gang.

LockBit’s attack method of using a proprietary information stealer and uploading browser data to its own server separates it from other groups.

I have written a few blogs which feature the attacks of this gang:

Blog 15 – LockBit ransomware

Blog 54 – LockBit back again

Blog 63 – LockBit just won’t quit

REvil

Many of this group’s members were arrested in Russia in early 2022, but the group is now back, causing disruption with its attacks.

The resurrected REvil is using many of the same strategies as before, such as creating and appending a random extension to affected files. However, the new attacks use an updated encrypter, which makes it easier for the gang to target its attacks.

BlackCat (ALPHV)

This group is fairly new on the ransomware scene, having launched its first official attack in 2021, but it is quickly rising up through the ranks.

BlackCat has launched attacks on many organisations, targeting both nonprofits and corporations in various industries ranging from technology to real estate.

The group has the distinction of being the first to launch an attack on an organization using ransomware written in Rust, which is typically considered to be one of the more secure programming languages.

BlackCat’s attacks tend to use a similar approach: gaining access through previously compromised credentials and then using distributed denial-of-service (DDoS) attacks.

The attacks begin by compromising Active Directory user and administrator accounts and then deploying the ransomware.

I wrote a blog about this gang’s despicable acts the other week:

Blog 74 – Ransomware gang sinks to a new low

The blog below covers two ransomware attacks, one by LockBit and one by ALPHV:

Blog 73 – MoaR Ransomware attacks

Black Basta

Another fairly new gang; its first known attack took place in April 2022 against the American Dental Association.

Many of Black Basta’s members were previously part of the Conti and REvil ransomware gangs.

The gang specialises in a RaaS (Ransomware as a Service) double-extortion technique: the attack first renders the victim’s data unusable, and the gang then threatens to make stolen sensitive information public.

Like many other groups, once Black Basta infiltrates a target network, it steals and encrypts the data, and then uses DDoS attacks to increase the odds that the target will pay the ransom demanded.

What to do if you get ransomware

If you are in the unfortunate position of being compromised by a ransomware attack, then your response will depend on your own circumstances. In the UK, law enforcement does not encourage, endorse nor condone the payment of ransom demands.

It is a similar case in the US – U.S. law generally does not prohibit paying a ransom for the return of people or goods.

However…

Ever since Russia started its illegal war in Ukraine, the US government has implemented ever-tightening sanctions against Russian citizens, which cover the payment of ransoms.

U.S. law imposes strict liability on anyone who makes a payment to a sanctioned entity, meaning that a lack of intent to flout sanctions doesn’t exonerate the paying party.

So far, U.S. enforcers haven’t publicly targeted a company for making a ransomware payment to a sanctioned entity, but several experts have said that some kind of enforcement activity is likely.

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) and its Financial Crimes Enforcement Network both have highlighted the topic of ransomware payments in recent months. OFAC said in September 2022 that it “strongly discourages” extortion payments and reiterated that it can take action against payers.

According to the NCSC guidance on ransomware, if you do pay the ransom:

  • there is no guarantee that you will get access to your data or computer
  • your computer will still be infected
  • you will be paying criminal groups
  • you’re more likely to be targeted in future

For this reason, it is important that you always have a recent offline backup of your most important files and data, and that you have tested restoring from it.

Help is available

The cyber security industry is fighting its war against ransomware attacks, and a number of prominent organisations have grouped together to put their combined knowledge and skills forward to help victims.

The No More Ransom project is a collaboration between law enforcement and industry experts. It provides advice and guidance for ransomware victims, as well as an ever-increasing list of decryption utilities for many ransomware variants.

nomoreransom.org

Initially founded by Europol, the Dutch National Police (Politie), Kaspersky and McAfee, the collaboration now has the expertise of multiple cyber-security organisations such as Avast, Bitdefender, Trend Micro, BleepingComputer, Cisco, F-Secure and many more.

The project also calls on the expertise of 45 different law enforcement agencies and over 70 commercial partners.

A big threat calls for a big response, and ransomware is certainly a big threat to the Internet.