Colonial Pipeline. JBS. Kaseya. 2021 was a record year for high-profile, expensive ransomware attacks. In 2022 we can only expect this to continue, as ransomware-as-a-service expands threat actor accessibility to tools, and new double/triple extortion ransomware attacks raise potential profits even higher.
Although the retail and hospitality sector has not been hit nearly as hard as other industries, such as healthcare or infrastructure, we’ve seen that ransomware groups are not discriminatory in their targets. If they can gain access, your business is at risk.
According to sharing data observed during the final quarter of 2021, here are some of the top ransomware groups and initial-access malware threats discussed by RH-ISAC members.
XingLocker
XingLocker first appeared around May 2021. It is unique in that it has been described as a “franchise” of Mount Locker. Typically, in a ransomware-as-a-service operation, the attacker obtains the ransomware from a ransomware group and deploys it under that group’s branding. In this “franchise” model, however, the ransomware is obtained and rebranded under the deploying group’s own name, which is how Mount Locker has come to be deployed as XingLocker and AstroLocker. This makes it confusing to trace, since the operation shares infrastructure with other groups but uses different names. The downside for the ransomware group is that it does not get the name recognition of a well-known group when a victim searches for the ransomware to decide whether to pay. In some cases, notably in a case study from The DFIR Report, IcedID (also known as BokBot) malware was used for initial access and led to the deployment of the XingLocker ransomware.
DarkSide
DarkSide is ransomware associated with the DarkSide ransomware group, believed to operate out of Eastern Europe. The group gained notoriety in 2021 as the operator, or at least the ransomware-as-a-service provider, behind the Colonial Pipeline attack. As in that attack, they most often exploit weaknesses such as compromised passwords, exposed Remote Desktop Protocol (RDP), or known unpatched vulnerabilities, and then live off the land, using existing tools such as Cobalt Strike to avoid detection. They have also been known to use additional extortion methods, such as releasing stolen data, to increase profits.
Evil Corp
This Russian group is responsible for Dridex, the top reported malware among RH-ISAC members in Q4 of 2021. Dridex, which is often delivered through phishing emails, was traditionally known for stealing banking credentials, but has been adapted over the years for numerous malicious purposes, including initial access for the deployment of ransomware. Like many ransomware-as-a-service providers, when one brand draws too much attention, they come back under a new name. Evil Corp and Dridex have been connected to multiple ransomware families, including WastedLocker, BitPaymer, and DoppelPaymer.
Sodinokibi / REvil
Much like Evil Corp, REvil has been through its own series of rebrandings. Its methods are likened to those of the widespread GandCrab ransomware of 2018, leading many to believe they share the same operators. In 2021, Qakbot malware was a known common precursor to REvil. Qakbot operators have been hijacking existing email threads with their phishing messages, posing as someone the target has already been corresponding with, which makes the target much more likely to open the email.
Ryuk
Ryuk has been around since 2018 and is believed to be operated by the Russian group WIZARD SPIDER. According to CrowdStrike’s 2020 Global Threat Report, Ryuk was responsible for 3 of the 10 most expensive ransom demands of the year. Ryuk, along with others such as Sodinokibi/REvil, has been blamed for driving the overall rise in ransomware demands over the past three years. Ryuk is often deployed through a dropper such as Emotet or BazarLoader, malware generally installed when a user clicks a link or attachment in a phishing email.
RH-ISAC members have exclusive access to vetted intelligence that can help you protect your organization against ransomware threats. Learn more about becoming an RH-ISAC member.