Top Ransomware Groups and Monitoring Techniques

BRANDEFENSE
Ransomware
07/07/2022

Last updated on March 27th, 2023 at 10:38 am

Table of Contents

  • Overview
    • Ransomware Groups
      • Conti
      • Lockbit
      • Cl0p
      • Stormous
      • Lapsus$
    • Ransomware Monitoring
      • No More Ransom Project
      • ID Ransomware
      • Monitoring Announcement Sites
      • who’s been ransomware’d
  • Conclusion

Overview

Ransomware attacks increase every year, causing significant financial and reputational damage to companies; the multi-extortion trend adopted and frequently used by threat actors is seen in almost every attack attempt.

While a few high-profile gangs that made their mark in 2021 disappeared, it didn’t take long for new ones to arrive. Groups such as Sodinokibi/REvil, Darkside, Blackmatter, and Avaddon have not been observed operating since 2021. Unfortunately, the disappearance of these groups did not lead to a decrease in ransomware attacks. On the contrary, it resulted in the emergence of new ransomware groups, which succeeded in carrying out effective attacks on giant companies operating in various sectors.

Some of the groups that are new to the ransomware scene and quite active are Lockbit, Lapsus$, and Stormous. Alongside these, there are ransomware groups that have existed and been active for a long time; among the most active of these are Conti and Cl0p.

Ransomware groups are observed to use a variety of toolkits, including malware, legitimate software, and operating system functionality, to carry out their attacks and maintain persistence. The frequency with which these toolkits were observed is shown in the table below.

TTP            %
PsExec         34%
Cobalt Strike  18%
Mimikatz       11%
VssAdmin       10%
NetScan         7%
BITSAdmin       4%
PowerShell      5%

Table 1: Toolsets Most Used by Ransomware Groups

Ransomware Groups

Conti

The ransomware gang called Conti started its activities in 2020, continues its operations at an incredible pace today, and is connected to central Russia. Conti’s core team has a total of 62 members, and the group has been determined to be led by actors using the pseudonyms Stern and Demon. In addition, we assess that the number of people connected to the group has grown to about 100.

The malware used by the group can infect all versions of the Windows operating system, and the known methods for the group to distribute their malware and gain initial access are listed below:

  • Phishing emails with malicious file attachments and malicious links
  • Weak or stolen Remote Desktop Protocol (RDP) credentials
  • Fake software delivered through search engine optimization
  • Common security vulnerabilities
  • Collaboration with other malware distribution networks (e.g., Zloader)

Conti frequently uses the dark web and discloses information about the organizations it targets on a website served over the Tor network.

Lockbit

Lockbit is one of the most active ransomware groups; it started its activities in 2019 and continues its operations today. Lockbit, which began as ABCD ransomware, operates under the Ransomware-as-a-Service (RaaS) model. In other words, threat actors obtain the right to use the Lockbit ransomware by paying a rental fee, and the proceeds are shared between the attacker and the developers at specific rates.

The Lockbit gang also uses a Tor-served website to make announcements about infected organizations.

Cl0p

Cl0p is a ransomware group first detected by MalwareHunterTeam in 2019, and its activities continue intensely today. Cl0p ransomware can run on all Windows operating system versions. Cl0p is part of the CryptoMix ransomware family and has targeted English-speaking victims. Although it is not officially affiliated with Russia, available indicators suggest that it is a Russia-based group. Cl0p has targeted organizations rather than individual users. In addition, the final payload of the Cl0p ransomware was also used by an APT group called TA505.

Like the others, Cl0p uses its website, served over Tor, to announce the organizations it has targeted and to share information.

Stormous

The Stormous ransomware group first emerged at the beginning of the tension between Russia and Ukraine and started its activities by declaring that it sided with Russia. It then announced that it cooperates with Conti, and it carries out attacks alongside Conti against targets opposed to Russia.

The group operates heavily via Telegram instead of an announcement site served over the Tor network, although it also has a website on the Tor network. However, that website is inactive, and even when it was active nothing had yet been shared on it.

Notable organizations on the Stormous group’s target list include Epic Games and the Ministry of Foreign Affairs of Ukraine.

Lapsus$

Lapsus$ was first spotted in the ransomware arena in December 2021. Since the start of its operations it has targeted Microsoft, Samsung, NVIDIA, Okta, and the Brazilian Ministry of Health. The group targets industry giants and government institutions and uses the double-extortion tactic: it leaks sensitive data from the target organization and threatens to release it if the requested ransom is not paid. Although its targets so far have been in the United Kingdom and South American countries, its operations are expanding further in a short time.

As an exception, however, Lapsus$ does not perform the operations typical of traditional ransomware groups, such as encrypting files and blocking access to systems.

Lapsus$ does not have a website served on the Tor network as many other ransomware groups do. Instead, announcements are made through a Telegram channel, the other most preferred alternative.

That is not the only feature that distinguishes Lapsus$ from other ransomware groups; many of the characteristic traits of ransomware groups are absent in Lapsus$.

Ransomware Monitoring

The processes associated with ransomware listed below can be combined under the term “Monitoring”:

  • Monitoring the movements of ransomware groups (affected organizations, shared information, etc.)
  • Identifying the ransomware type that infected the system
  • Finding existing decryption/recovery instructions

No More Ransom Project

No More Ransom is a project created in collaboration with the Dutch police’s National High-Tech Crime Unit, Europol’s European Cybercrime Centre, Kaspersky, and McAfee to ensure that affected users can recover their files from ransomware without paying a ransom. Additionally, it aims to educate users about how ransomware works and the precautions that can be taken to prevent systems from getting infected.

The No More Ransom Project provides a service to help you identify which ransomware you have been infected with. It does this using samples of files created or encrypted by the ransomware. Once the ransomware has been identified, you can use the “Decryption Tools” page to check whether a decryption tool is available for that family.

ID Ransomware

Another service that tries to detect the type of ransomware that has infected a system is the ID Ransomware project, created by the security researchers known as MalwareHunterTeam.

You can query using the ransom note, encrypted file samples, or any contact addresses included in the ransom note. If the ransomware is decryptable, the service directs you to a link with follow-up instructions for decryption.

Monitoring Announcement Sites

One common characteristic of many ransomware groups is an announcement site where they publish information about the organizations they target and about themselves. These sites are served on the Tor network and cannot be accessed with conventional browsers. A fundamental approach to tracking a ransomware group’s movements is therefore to visit these announcement sites and check for new organization entries. This approach is known as web scraping: it relies on visiting the announcement sites through a Tor proxy, parsing the pages’ HTML tags, and extracting the needed fields.

There are some projects that use this method, and some Telegram channels offer it as a service. A few of these are listed below:

  • https://github.com/captainGeech42/ransomwatch
  • https://github.com/thetanz/ransomwatch
  • https://t.me/ransomwatcher
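As an added example (not code from the Brandefense post or from the projects listed above), the following Python sketches the scraping step described above: it parses a constructed HTML listing shaped like a leak-site index, reports entries that were not present on a previous visit, and matches them against a watchlist of organizations the analyst protects. Fetching over Tor is left out so that it runs offline; the element class names, organization names and dates are assumptions.

```python
from html.parser import HTMLParser

# Constructed sample of a leak-site listing; layout, names and dates are made up.
SAMPLE_HTML = """
<div class="post"><h2 class="name">Example Corp</h2><span class="date">2022-07-01</span></div>
<div class="post"><h2 class="name">Acme Logistics</h2><span class="date">2022-07-03</span></div>
<div class="post"><h2 class="name">Contoso Health</h2><span class="date">2022-07-05</span></div>
"""

class LeakSiteParser(HTMLParser):
    """Collect (organization, date) pairs from <div class="post"> blocks."""
    def __init__(self):
        super().__init__()
        self.entries, self._field, self._cur = [], None, {}

    def handle_starttag(self, tag, attrs):
        cls = dict(attrs).get("class", "")
        if tag == "div" and cls == "post":
            self._cur = {}                 # start a new victim entry
        elif cls in ("name", "date"):
            self._field = cls              # next text node belongs to this field

    def handle_data(self, data):
        if self._field:
            self._cur[self._field] = data.strip()
            self._field = None

    def handle_endtag(self, tag):
        if tag == "div" and self._cur:     # entry is complete once its div closes
            self.entries.append((self._cur.get("name", ""), self._cur.get("date", "")))
            self._cur = {}

def parse_entries(html):
    """Extract all announced (organization, date) entries from one page of HTML."""
    parser = LeakSiteParser()
    parser.feed(html)
    return parser.entries

def new_entries(html, seen):
    """Return entries absent from `seen` (state kept from earlier visits) and the updated set."""
    found = parse_entries(html)
    return [e for e in found if e not in seen], seen | set(found)

def matches_watchlist(entries, watchlist):
    """Case-insensitive match of announced names against organizations we protect."""
    terms = [w.lower() for w in watchlist]
    return [e for e in entries if any(t in e[0].lower() for t in terms)]
```

A real monitor would persist the `seen` set between runs and raise an alert whenever `matches_watchlist` returns a hit for the analyst’s own organization or its suppliers.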

who’s been ransomware’d

Another monitoring service is the website ransom.wiki, where you can check whether any ransomware group has hacked an organization. It helps you identify the organizations affected by querying a ransomware group name, and which group attacked an organization by querying the organization name.

Conclusion

Ransomware is an ever-growing threat to everyone from individual users to industry giants and government agencies. By using the services mentioned here, you may be able to recover your files without meeting the attackers’ ransom demands. At the same time, you can educate yourself about ransomware and follow the movements of these groups to draw inferences about the attackers’ motivation, the countries they target, and the sectors they focus on.
