European Focused Threat Actors – Ransomware Groups

Introduction

Cyber attacks experienced during the COVID-19 pandemic process have increased not only in vectors and numbers but also in terms of their impact. The pandemic process has expanded the surface of attacks and caused an increase in the number of cyber attacks targeting organizations through homes and offices. Also, cyber threat environments are changing because attackers are coming up with new technologies and processes constantly.

For example, in 2021, when we inspected the SolarWinds attack, which made an enormous impact, it seemed that the malware had adopted a way of distributing embedded in a trusted product. After the SolarWinds attack, it has been determined that 1,500 small and medium-sized companies were affected, especially in the U.S. and Europe.

It has been observed that the main motivation of individual threat actors who carry out European-focused attacks is to earn financial gain. Cybercriminals have made the banking/financial sector the main target. With the crisis of the COVID-19 Pandemic, targeted ransomware attacks have increased swiftly. Many organizations that could not afford service interruptions had to pay the requested ransom. However, some ransomware groups have demanded more ransomware, threatening organizations to publish stolen data using Double Extortion methods.

Threat actors that governments support usually organize longer-term operations in the interests of the state they are affiliated with. Financial interests are in the background, trying to obtain strategic intelligence about the targeted country. It all comes to this that it is significant for security teams’ operations in today’s environment, where visibility and agility are crucial more than ever to be able to monitor cyber threat actors and their ongoing activities.

Ransomware Groups

lockbit ransomware group

LockBit

Lockbit ransomware, which was launched in September 2019, continues its activities intensively even in 2022. With the release of Lockbit v2.0 in June 2021, this ransomware has faster encryption capability, UAC bypass capability, and double extortion capabilities with StealBit malware. At the same time, Lockbit receives 80% of the ransom paid, allowing Affiliates to set their own ransom amount with the RaaS (Ransomware-as-a-Service) option.

The Lockbit team has stated that they will not attack 9 countries that are members of the Commonwealth of Independent States (CIS). The analyses made also support this situation.

If the user’s language setting on the victim’s computer matches any of the following values, the ransomware does not initiate the encryption process.

To learn more about “LockBit” technical details, click here.

conti ransomware group

Conti

Conti ransomware, which first appeared in May 2021, has since then continued to use increasingly complex techniques and increase its effectiveness. It quickly became one of the popular ransomware in 2021 due to the fact that it is mostly distributed through the ransomware-as-a-service (RaaS) model. For example, in July 2020, the Trickbot ransomware group replaced Ryuk with Conti as a weapon to attack their targets. Accordingly, the possibility of cooperation between the Conti and Trickbot groups has increased.

blackmatter ransomware group

BlackMatter

BlackMatter ransomware is a ransomware (RaaS) affiliate program that was launched as a service in July 2021. According to the BlackMatter ransomware group, “The project embodies the best of DarkSide, REvil, and LockBit.” This group generally attacks Windows and Linux servers and cooperates with first access agents (IABs) to further facilitate exploitation. IABs are financially motivated threat actors who sell remote access to corporate networks on underground platforms.

BlackMatter makes extensive use of defense evasion techniques in its security solutions in order to remain undetected and achieve its goals. For this reason, it seems that the IOC and signature-based approaches alone will not be an effective solution against BlackMatter. In addition to behavior-based detection and solutions, proactive defense approaches should also be used to deal with these threats.

Read our analysis report about Darkside Ransomware

ragnar locker ransomware group

Ragnar_Locker

The Ragnar group, operating Ragnar Locker ransomware, has been active since 2019, targeting critical industries and employing double extortion.

In March 2022, the FBI warned that at least 52 entities across ten critical industry sectors have been affected.

blackcat alphavm alphav ransomware group

AlphaVM / Blackcat

BlackCat (aka AlphaVM or AlphaV) is a ransomware family created in the Rust programming language and operated under a ransomware-as-a-service (RaaS) model.

AlphaVM/Blackcat has versions that work on both Windows and GNU/Linux operating systems and in VMware’s ESXi environment. TrendMicro has identified that AlphaVM/Blackcat’s using the exploitation of CVE-2021-31207, which could be used to write a web shell on the vulnerable Microsoft Exchange Server.

revil ransomware group

REvil

Revil is an ambitious service-offering ransomware (RAAS) group that first came to prominence in April 2019 after GandCrab, another ransomware group, ceased its activities. The Revil group is sometimes referred to by other names, such as Sodin and Sodinokibi.

Ransomware groups are known to offer 24/7 technical support, subscriptions, affiliate plans, and online forums, just like legitimate online companies. The Revil group is also one of the ransomware that is gradually turning into a software-as-a-service (SAAS) platform.

To be continued…