European Focused Threat Actors – Ransomware Groups

BRANDEFENSE
APT Groups
26/09/2022

Introduction

Cyber attacks during the COVID-19 pandemic have increased not only in attack vectors and numbers but also in impact. The pandemic expanded the attack surface and drove up the number of attacks targeting organizations through home and office environments. The threat landscape also keeps shifting as attackers constantly adopt new technologies and processes.

For example, inspecting the SolarWinds attack of 2021, which had an enormous impact, shows that the malware was distributed embedded in a trusted product. After the SolarWinds attack, it was determined that 1500 small and medium-sized companies were affected, especially in the U.S. and Europe.

It has been observed that the main motivation of individual threat actors who carry out European-focused attacks is financial gain. Cybercriminals have made the banking/financial sector their main target. With the COVID-19 crisis, targeted ransomware attacks have increased swiftly. Many organizations that could not afford service interruptions had to pay the requested ransom. Some ransomware groups have also demanded additional ransom by threatening to publish stolen data, using double extortion methods.

State-sponsored threat actors usually run longer-term operations in the interests of the state they are affiliated with. Financial interests are in the background; the aim is to obtain strategic intelligence about the targeted country. In today's environment, where visibility and agility matter more than ever, it is therefore significant for security teams' operations to be able to monitor cyber threat actors and their ongoing activities.

Ransomware Groups


LockBit

LockBit ransomware, launched in September 2019, continues its activities intensively even in 2022. With the release of LockBit 2.0 in June 2021, the ransomware gained faster encryption, UAC bypass capability, and double extortion capability through the StealBit malware. At the same time, under its RaaS (Ransomware-as-a-Service) option LockBit receives 80% of the ransom paid while allowing affiliates to set their own ransom amount.

The LockBit team has stated that it will not attack the 9 member countries of the Commonwealth of Independent States (CIS); the analyses performed also support this.

If the victim computer's user language setting matches any of the following values, the ransomware does not start the encryption process.

To learn more about “LockBit” technical details, click here.

Figure 1: Members of Commonwealth Independent States (CIS)

Conti

Conti ransomware, which first appeared in May 2021, has since continued to use increasingly complex techniques and to increase its effectiveness. It quickly became one of the most popular ransomware families in 2021, largely because it is distributed through the ransomware-as-a-service (RaaS) model. For example, in July 2020 the Trickbot group replaced Ryuk with Conti as the weapon used against its targets. Accordingly, the likelihood of cooperation between the Conti and Trickbot groups has increased.


BlackMatter

BlackMatter is a ransomware-as-a-service (RaaS) affiliate program launched in July 2021. According to the BlackMatter group, "The project embodies the best of DarkSide, REvil, and LockBit." The group generally attacks Windows and Linux servers and cooperates with initial access brokers (IABs) to further facilitate exploitation. IABs are financially motivated threat actors who sell remote access to corporate networks on underground platforms.

BlackMatter makes extensive use of defense evasion techniques against security solutions in order to remain undetected and achieve its goals. IOC- and signature-based approaches alone will therefore not be an effective defense against BlackMatter. In addition to behavior-based detection, proactive defense approaches should be used to deal with these threats.
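The point above, that signatures miss an evasive encryptor while its behavior still gives it away, is easiest to see in code. The following is an added example written for this page, not Brandefense code or anything taken from BlackMatter: it runs three behavior heuristics (an extension-changing rename burst, a run of high-entropy file writes, and execution of recovery-inhibiting commands such as shadow-copy deletion) over a constructed endpoint event stream. The `Event` format, the thresholds, and the sample telemetry are all assumptions; a real deployment would feed it EDR or Sysmon-style events and calibrate the thresholds against a baseline.

```python
from __future__ import annotations

import math
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Iterable

# Tunable thresholds (assumed values; calibrate against your own baseline).
RENAME_THRESHOLD = 20        # extension-changing renames per process ...
RENAME_WINDOW_S = 10.0       # ... within this many seconds
ENTROPY_THRESHOLD = 7.5      # bits/byte; plaintext documents sit well below this
ENTROPY_WRITE_COUNT = 5      # high-entropy writes per process before alerting
RECOVERY_TAMPER_MARKERS = (  # recovery-inhibition commands commonly seen in telemetry
    ("vssadmin", "delete shadows"),
    ("wmic", "shadowcopy delete"),
    ("bcdedit", "recoveryenabled no"),
    ("wbadmin", "delete catalog"),
)


@dataclass(frozen=True)
class Event:
    ts: float              # seconds since boot (constructed)
    pid: int
    image: str             # process image name
    kind: str              # "proc_exec" | "file_rename" | "file_write"
    detail: str = ""       # command line, or "src -> dst" for renames
    payload: bytes = b""   # bytes written, for file_write events


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniformly distributed bytes, roughly 4-5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _ext(path: str) -> str:
    name = path.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(events: Iterable[Event]) -> list[tuple[int, str]]:
    """Return (pid, rule) alerts, one per pid and rule, in the order they first fire."""
    alerts: list[tuple[int, str]] = []
    seen: set[tuple[int, str]] = set()
    rename_times: dict[int, deque[float]] = defaultdict(deque)
    entropy_hits: dict[int, int] = defaultdict(int)

    def fire(pid: int, rule: str) -> None:
        if (pid, rule) not in seen:
            seen.add((pid, rule))
            alerts.append((pid, rule))

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "proc_exec":
            cmd = ev.detail.lower()
            if any(tool in cmd and arg in cmd for tool, arg in RECOVERY_TAMPER_MARKERS):
                fire(ev.pid, "recovery_tamper")
        elif ev.kind == "file_rename":
            src, _, dst = ev.detail.partition(" -> ")
            if _ext(src) != _ext(dst):          # only renames that change the extension count
                window = rename_times[ev.pid]
                window.append(ev.ts)
                while window and ev.ts - window[0] > RENAME_WINDOW_S:
                    window.popleft()            # slide the window forward
                if len(window) >= RENAME_THRESHOLD:
                    fire(ev.pid, "rename_burst")
        elif ev.kind == "file_write":
            if shannon_entropy(ev.payload) >= ENTROPY_THRESHOLD:
                entropy_hits[ev.pid] += 1
                if entropy_hits[ev.pid] >= ENTROPY_WRITE_COUNT:
                    fire(ev.pid, "high_entropy_writes")
    return alerts


def sample_events() -> list[Event]:
    """Constructed telemetry: one benign editor process and one encryptor-like process."""
    evs: list[Event] = []
    # pid 1001: a word processor saving a handful of files (benign, stays under thresholds)
    for i in range(3):
        evs.append(Event(1.0 + i, 1001, "winword.exe", "file_rename",
                         f"C:\\Users\\a\\report{i}.tmp -> C:\\Users\\a\\report{i}.docx"))
        evs.append(Event(1.5 + i, 1001, "winword.exe", "file_write",
                         payload=b"Quarterly report text " * 200))
    # pid 4242: renames 25 documents to a new extension within 5 seconds ...
    for i in range(25):
        evs.append(Event(10.0 + i * 0.2, 4242, "update.exe", "file_rename",
                         f"C:\\Share\\doc{i}.xlsx -> C:\\Share\\doc{i}.locked"))
    # ... writes ciphertext-like data (every byte value equally often -> 8.0 bits/byte) ...
    for i in range(6):
        evs.append(Event(10.1 + i * 0.2, 4242, "update.exe", "file_write",
                         payload=bytes(range(256)) * 16))
    # ... and then removes volume shadow copies so the victim cannot roll back
    evs.append(Event(16.0, 4242, "update.exe", "proc_exec",
                     "vssadmin.exe Delete Shadows /All /Quiet"))
    return evs


if __name__ == "__main__":
    for pid, rule in detect(sample_events()):
        print(f"ALERT pid={pid} rule={rule}")
```

None of the three rules looks at a file hash or a byte signature, so renaming or repacking the binary does not help the attacker; what it cannot hide is the effect on the file system and the recovery tooling. Each rule on its own will produce false positives (archivers write high-entropy data, backup agents touch shadow copies), which is why the output is per-rule and meant to be correlated per process rather than treated as a verdict.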


Darkside

DarkSide ransomware, active March-August 2020 and updated to v2.0 in March 2021, usually operates under the ransomware-as-a-service (RaaS) model. The DarkSide group also makes ransom demands using the double extortion method: one payment is requested to unlock the affected computers and a separate payment to recover the exfiltrated data.

In May 2021, DarkSide carried out a ransomware attack on Colonial Pipeline, which is responsible for almost half of the fuel supply on the East Coast of the United States. The company spent $4.4 million to recover its data and maintain operations.

The techniques used by DarkSide ransomware can be very complex. They combine Initial Access through public-facing applications (for example, RDP), privilege escalation, and Impair Defenses techniques into a distinctive structure.

Read our analysis report about Darkside Ransomware


Ragnar_Locker

The Ragnar group, which operates Ragnar Locker ransomware, has been active since 2019, targeting critical industries and employing double extortion.

In March 2022, the FBI warned that at least 52 entities across ten critical industry sectors had been affected.


AlphaVM / Blackcat

BlackCat (aka AlphaVM or AlphaV) is a ransomware family written in the Rust programming language and operated under a ransomware-as-a-service (RaaS) model.

AlphaVM/BlackCat has versions that run on Windows, on GNU/Linux, and in VMware's ESXi environment. Trend Micro has identified that AlphaVM/BlackCat exploits CVE-2021-31207, which can be used to write a web shell on a vulnerable Microsoft Exchange Server.


REvil

REvil is an ambitious ransomware-as-a-service (RaaS) group that first came to prominence in April 2019 after GandCrab, another ransomware group, ceased its activities. The REvil group is sometimes referred to by other names, such as Sodin and Sodinokibi.

Ransomware groups are known to offer 24/7 technical support, subscriptions, affiliate plans, and online forums, just like legitimate online companies. REvil is also one of the ransomware operations that is gradually turning into a software-as-a-service (SaaS)-style platform.

 

To be continued…
