Top Ransomware Groups and Monitoring Techniques

The Lockbit gang also uses a Tor-served website to make announcements about infected organizations.

Cl0p

Cl0p is a ransomware group first detected by MalwareHunterTeam in 2019, and its activities continue intensely today. Cl0p ransomware can run on all Windows operating system versions. Cl0p is part of the CryptoMix ransomware family, and they targeted English-speaking targets. Although it is not officially affiliated with Russia, such indicators suggest that it is a Russia-based group. The Cl0p has targeted more organizations rather than individual users. In addition, the final payload of the Cl0p ransomware was also used by an APT group called TA505.

Like others, Cl0p uses its website, which is served over Tor, to announce the organizations they operate and to share information.

Stormous

The Stormous ransomware group first emerged at the beginning of the tension between Russia and Ukraine and started its activities by stating it was with Russia. Then, announcing that it cooperates with Conti, it carries out attacks with the Conti, which attacks targets against Russia.

Many ransomware groups are heavily operated via Telegram instead of using an announcement site served over the Tor network, but they also have a website on the Tor network. However, the website in question is inactive, and when it is active, no sharing is made yet.

Notable organizations that the Stormous group has managed to include in its target list include Epic Games and the Ministry of Foreign Affairs of Ukraine.

Lapsus$

Lapsus$ was first spotted in the ransomware arena in December 2021. With the start of its operations, Microsoft, Samsung, NVIDIA, Okta, and the Brazilian Ministry of Health. They have targeted industry giants and government institutions and use the double-extortion tactic, which they threaten to release if the requested ransom amount is not paid by leaking sensitive data from the target organization. Although its targets so far are the United Kingdom and South American countries, its operations are expanding even more in a short time.

However, as an exception, they do not perform the operations performed by traditional ransomware groups, such as file encryption and blocking of access to the system.

Lapsus$ does not have the website served on the Tor network as many other ransomware groups do. Instead, an announcement is made through the Telegram channel, which is another most preferred alternative.

That is not the only feature that distinguishes Lapsus$ from other ransomware groups. Many characteristic traits of ransomware groups are not available in the Lapsus$ ransomware group.

Ransomware Monitoring

We listed the processes below associated with ransomware can be combined under the term “Monitoring”:

• Monitoring the movements of ransomware groups (influenced organizations and shared information, etc.)
• Identifying the ransomware type that infected the system
• Detecting existing decryption/recovery directives

No More Ransom Project

It is a project created in collaboration with the Dutch police’s National High-Tech Crime Unit, Europol’s European Center for Cybercrime, Kaspersky, and McAfee to ensure that affected users can recover files against ransomware threats without paying a ransom. Additionally, it aims to educate about how ransomware works and the precautions that can be taken to prevent the system from getting infected.

The No More Ransom Project provides a service to assist you in identifying which ransomware you have been infected. It accomplishes this service by using samples of files created or encrypted by the ransomware. With this useful functionality, you can inquire about the detected ransomware by using the “Decryption Tools” page to query whether a decryption tool is included in the relevant group.

ID Ransomware

Another service created by various security researchers known as MalwareHunterTeam, which tries to detect the type of ransomware that infects the system, is the ID Ransomware project.

You can query using the ransomware note, encrypted file samples, or any contact addresses included in the ransom note. If you come across decryptable ransomware, it will direct you to a link with follow-up instructions for decryption.

Monitoring Announcement Sites

One of the common characteristics of many ransomware is to have an announcement site where they publish various information about the organizations they target and about them. These sites are served on the Tor network and cannot be accessed using traditional browsers. Therefore, a fundamental approach to tracking the movements of a ransomware group is to visit these announcement sites to check for new organization entries. This approach is known as Web Scraping. It relies on visiting announcement sites using a Tor proxy, parsing the pages’ HTML tags, and extracting the needed fields.

There are some projects using this method, and Telegram channels are offering it as a service. Some of these are listed below:

• https://github.com/captainGeech42/ransomwatch
• https://github.com/thetanz/ransomwatch
• https://t.me/ransomwatcher

who’s been ransomware’d

Another monitoring service is the website, where you can check if any ransomware group has hacked an organization. ransom.wiki helps you identify both the organizations affected by querying the ransomware group name and determining which group was attacked by querying the organization name.