• With major ransomware groups such as REvil and Darkside lying low or rebranding to evade law enforcement heat and media attention, new groups will emerge to replace the ones that are no longer actively targeting victims.
• Cybercriminals have implemented devious new cyber extortion techniques as average ransom demand increased by 518 per cent in the first half of this year.

Cybercriminals have employed increasingly aggressive tactics to coerce organisations into paying larger ransoms and there is no respite.

Average ransomware payments have climbed 82 per cent since 2020 to a record $570,000 in the first half of 2021, as cybercriminals employed increasingly aggressive tactics to coerce organisations into paying larger ransoms.

Cybercriminals have implemented devious new cyber extortion techniques as average ransom demand increased by 518 per cent in the first half of this year to $5.3 million compared to $847,000 in the first half of 2020.

With major ransomware groups such as REvil and Darkside lying low or rebranding to evade law enforcement heat and media attention, new groups will emerge to replace the ones that are no longer actively targeting victims.

While LockBit and HelloKitty have been previously active, their recent evolution makes them a good example of how old groups can re-emerge and remain persistent threats. 

Doel Santos, Threat Intelligence Analyst, and  Ruchna Nigam, Principal Threat Researcher, at Unit 42, the threat intelligence team of Palo Alto Networks, chalk out the four emerging ransomware groups that are currently affecting organisations, their mode of operations and impacted countries.

Four emerging ransomware groups

AvosLocker: A new ransomware that was first observed on July 4, 2021, and follows the ransomware-as-a-service (RaaS) model.

The ransomware operator of the same name, avos, advertised their affiliate program on Dread, a Reddit-like dark web discussion forum featuring news and sub-dreads around darknet markets.

The announcement of the program includes information about the features of the ransomware and lets affiliates know that AvosLocker operators will take care of negotiation and extortion practices.

The user Avos has also been observed trying to recruit individuals on the Russian forum XSS. Like many of its competitors, AvosLocker offers technical support to help victims recover after they’ve been attacked with encryption software that the group claims is “fail-proof,” has low detection rates and is capable of handling large files.

AvosLocker, when executed, first opens a Windows shell showing the progress of the encryption process. After encryption is complete, it then appends the .avos extension to the encrypted files and drops the ransom note “GET_YOUR_FILES_BACK.TXT” in every encrypted directory.

AvosLocker increases the ransom price if the victim doesn’t pay in the designated time.

This group has already affected seven organisations – two law firms, one in the UK and one in the US; a logistics company in Spain; a real estate agency in Belgium; a holdings company in Turkey; a Syrian transportation organization and a city in the US.

Some of the leaked data displayed on their site include private organisation documents and personal identifiable information.

AvosLocker’s first site post, on January 1, 2021, was an announcement that the site was officially online. The user avos also announced they started leaking data on multiple sub-dreads as well.

This ransomware also has an extortion site, which claims to have impacted six organisations in the following countries: the US, the UK, the UAE, Belgium, Spain and Lebanon. Their initial ransom demands range from $50,000 to $75,000.

Hive Ransomware: It is double-extortion ransomware that started operations in June this year and has already shown notable disregard for its victims’ welfare, attacking organisations including healthcare providers and mid-size organisations ill-equipped for managing a ransomware attack.

Hive uses all tools available in the extortion toolset to create pressure on the victim, including the date of initial compromise, countdown, the date the leak was disclosed on their site, and even the option to share the disclosed leak on social media.

When this ransomware is executed, it drops two batch scripts. The first script, hive.bat, tries to delete itself, and the second script is in charge of deleting the shadow copies of the system (shadow.bat).

Hive ransomware adds the [randomized characters].hive extension to the encrypted files and drops a ransom note titled “HOW_TO_DECRYPT.txt” containing instructions and guidelines to prevent data loss.

The ransom note includes a generated login credential for the victim to chat with what the threat actors claim is their “sales” department.

The TOR link directs the “customer” to a login page, and after the credentials are submitted, it opens up a chat room for communication between the operators and the victim.

Hive published their first victim on their leak site, Hive Leaks, in late June. Since then, 28 victims have been published on the Hive Leaks site, including a European airline company and three US-based organisations, one each in hardware retail, manufacturing and law. The posts include the date and time the victim was affected.

HelloKitty: It is not a new ransomware group; it can be tracked as early as 2020, mainly targeting Windows systems.

The malware family got its name due to its use of a Mutex with the same name: HelloKittyMutex. The ransomware samples seem to evolve quickly and frequently, with different versions making use of the .crypted or .kitty file extensions for encrypted files.

Some newer samples make use of a Golang packer that ensures the final ransomware code is only loaded in memory, most likely to evade detection by security solutions.

However, in July, a Linux variant of HelloKitty targeting VMware’s ESXi hypervisor, which is widely used in cloud and on-premises data centres.

Starting in March, the samples began targeting ESXi, a target of choice for recent Linux ransomware variants.

Oddly enough, the preferred mode of communication shared by attackers in the ransom notes across the different samples is a mix between TOR URLs and victim-specific Protonmail email addresses.

This could indicate different campaigns or even entirely different threat actors making use of the same malware codebase. Since the samples we found contained victim-specific ransom notes, we were able to get an idea of the ransomware’s targets.

The operators behind HelloKitty are also open to using bitcoin (BTC), but they charge higher for bitcoin transactions due to its associated fees.

The ransomware makes use of the Elliptic Curve Digital Signature Algorithm (ECDSA) for encrypting files using functions from the shared library libcrypto.so for encryption. The encrypted file is saved with the extension .crypt.

Each encrypted file has a corresponding file with the extension “.README_TO_RESTORE” containing the ransom note.

Six organisations are impacted by Hello Kitty, including Italian and Dutch pharmaceutical organizations, a Germany-based manufacturer, an Australian industrial automation solutions organization, and a medical office and a stockbroker in the US.

One sample, oddly enough, didn’t contain any contact information in its ransom note.

The highest ransom demand observed from this group was $10 million, but at the time of writing, the threat actors have only received three transactions that sum up to about $1.48 million.

LockBit 2.0: Previously known as ABCD ransomware is a three-year-old RaaS operator that has been linked to some high-profile attacks lately following the June launch of a slick marketing campaign to recruit new affiliates.

It claims to offer the fastest encryption on the ransomware market.

While LockBit has been known for some time, they have recently progressed to LockBit 2.0. In June 2021, the operators behind this ransomware revamped their site and rebranded it as LockBit 2.0.

When LockBit is executed, it starts encrypting files and appends the .lockbit extension. Additionally, the ransomware changes the icon of the encrypted file to the LockBit 2.0 logo.

After encryption is complete, LockBit then drops the ransom note titled, Restore-My-Files.txt.

Similar to REvil, LockBit 2.0 ransomware modifies the victim’s desktop wallpaper if the encryption process is successful, making the victim aware of their compromise.

The wallpaper also includes an advertisement aimed at encouraging insider threats that all organisations could fall prey to.

The advertisement states that the threat actors are interested in methods of access, such as RDP, VPN and corporate email credentials. In exchange, they offer a cut of the paid ransom.

If the victim wants to communicate with Lockbit operators to get their data back, the operators include a “Decryption ID” and a TOR link (and their clearnet mirror: decoding[.]at) on the ransom note. This information allows the user to log in and start the negotiation process.

LockBit 2.0 has impacted multiple industries – 52 victims are listed on the group’s leak site. Its victims include organizations in the US, Mexico, Belgium, Argentina, Malaysia, Australia, Brazil, Switzerland, Germany, Italy, Austria, Romania and the UK.

Related Posts:

• It is time to put your new Covid-19 incident response plans into practice
• Turkey accounts for quarter of malware attacks in Middle East
• Cybercriminals to have weaponised OT environments to successfully harm or kill humans by 2025