Top 5 Ransomware Groups You Should Be Aware Of in 2023

Ransomware attacks are a unique challenge in today’s business environment.

They are extremely dangerous and unpredictable.

Although you know, the perpetrators’ intentions are malicious. You will not know what they are until you are attacked.

You can do your best to avoid ransomware attacks by reviewing your Ransomware Preparedness regularly. You are fully aware, however, that only effective incident response will protect you.

While working hard to strengthen your defenses, you’re also practicing what to do if you’re attacked with Ransomware Tabletop exercises.

Ransomware protection and prevention continue to be a complex mix. However, one tried-and-true strategy will always work: Knowing your enemy.

This week, we will be focusing on five ransomware groups as part of our continuing series of educational blogs about ransomware protection.

Understanding their past attacks, motives, and methods can help us improve our ability to deal with them and similar criminals.

Five Famous Ransomware Groups

1. Pandora: Pandora was a high-profile victim of Denso Corp.’s successful targeting of some high-profile targets, including Denso Corp., the second-largest automotive parts supplier in the world.

Pandora typically infects files and locks them, leaving a note encouraging the victim to call them for the key. Pandora’s strategy is “double extortion,” when the threat actor infiltrates and encrypts the victim’s sensitive information, then offers the decryption keys only after the ransom has been paid.

Many researchers believe Pandora may be a rebranding of Rook ransomware, as their Tactics, Techniques, and Procedures have a lot to do with each other.

Ransomware groups often rebrand themselves or create new aliases when they are under scrutiny. Rook might have rechristened themselves as Pandora to avoid being too scrutinized.

2. LockBit Ransomware: LockBit is highly malicious software that targets vulnerable targets and spreads the infection to encrypt all data in a network. LockBit is usually used to attack larger businesses and government agencies rather than individuals.

LockBit was discovered to be a “.abcd” virus in 2019. This was because it used this file extension when encrypting the victim’s data.

LockBit can launch prominent attacks against Thales Group, a French multinational electronics company, and the French Ministry of Justice.

3. BlackCat Ransomware: BlackCat is now widely acknowledged as a growing threat and an excellent example of the scourge of Ransomware-as-a-Service (RaaS).

BlackCat is also one of the few ransomware groups that use the modern programming language ‘Rust. This allows it to be evaded by traditional security solutions, which still have a lot of work to do with analyzing this language.

BlackCat has already caused quite a few ripples by 2022. The Moncler ransomware attack on Moncler, an Italian fashion house, was one of the most well-known. Although the ransomware group hacked the company in late 2013, they leaked the data in January, when they didn’t pay the ransom of $3 million.

An alleged BlackCat attack on two German oil companies, Oiltanking & Mabanaft, in February 2022 left many German oil organizations severely damaged. Two sister organizations’ systems were compromised, causing damage to 233 gas stations in Germany. In an internal report, the Federal Office for Information Security (BSI) stated that the BlackCat ransomware organization was behind the attack.

4. Lapsus$: This allegedly teenager-led ransomware organization has been behind several recent high-profile attacks. According to the ransomware group, it has breached Nvidia’s and Ubisoft’s systems, among others.

It was most recently in the news for compromising Okta’s internal network and gaining access to the source code to Microsoft products Bing and Cortana.

Okta services are used by many companies and users around the world to protect their identities. This breach was significant and could have profound implications. Although the ransomware group did not leak sensitive data from the company, it posted screenshots showing it had access to customer data to demonstrate its ability to reset passwords or access admin panels.

The ransomware group allegedly leaked 40GB of Microsoft’s data to the hackers. Microsoft clarified that it does not rely on secrecy to reduce risk and that no customer data or code was compromised.

Many security professionals and researchers prefer to refer to Lapsus$ as an extortionist organization since their attacks involve data theft and leakage threats if ransom payments are not made.

5. Vice Society: Vice Society, a ransomware organization that encrypts the victim’s data and gives decryption access only when the ransom is paid, is called Vice Society. Vice Society was targeting schools and government agencies in 2022.

The group attacked Missouri School and leaked sensitive information, including social security numbers, because the school didn’t pay enough ransom.

Similar data was also released on UK’s Durham Johnston School students and teachers. The school refused to pay the ransom.

Vice Society recently added Palermo, Italy, to its list. The attack affected 1.3 million people, including tourists. All internet-based services were shut down to limit the damage.

Conclusion

This list does not cover all the Ransomware groups. However, it highlights that these groups are increasing in sophistication and number every minute. On top of this, the rise of Ransomware-as-a-Service further means that anyone with even basic skills can download a kit online and unleash an attack on your business.

Although the idea is not meant to be fear-mongering, it is essential to emphasize the urgent need for ransomware readiness in businesses. A ransomware readiness assessment can be a great way to start to see where you stand regarding technology and training.

Many resources are also available, such as the Ransomware Readiness List, which covers nine key points you can use immediately to increase your preparedness.

It is crucial to train staff today in ransomware response. Chances of your business/organization being compromised are high, as is clear from the examples discussed earlier.

These recent events highlight the importance of having your IT and Incident Response teams know how to respond effectively and limit damage from cyber-criminals. For quick recall during the chaos, the Ransomware Respond Checklist and Ransomware Reply Workflow can be downloaded and printed.