By Doel Santos and Ruchna Nigam
As part of Unit 42’s commitment to stop ransomware attacks, we conduct ransomware hunting operations to ensure our customers are protected against new and evolving ransomware variants. During our operations, we have observed four emerging ransomware groups that are currently affecting organizations and showing signs of potential to become more prevalent in the future:
- AvosLocker is a ransomware as a service (RaaS) that started operating in late June, using a blue beetle logo to identify itself in victim communications and in “press releases” aimed at recruiting new affiliates. AvosLocker has been observed promoting its RaaS program and looking for affiliates on dark web discussion boards and other forums. Like many of its competitors, AvosLocker offers technical support to help victims recover after an attack with encryption software that the group claims is “foolproof”, has low detection rates and can handle large files. The group also runs an extortion site, which claims to have affected six organizations in the following countries: United States, United Kingdom, United Arab Emirates, Belgium, Spain and Lebanon. Initial ransom demands ranged from $50,000 to $75,000.
- Hive ransomware is a double-extortion ransomware that began operations in June. Since then, Hive has impacted 28 organizations that are now listed on the group’s extortion site, including a European airline and three US-based organizations. Hive uses every tool in the extortion toolkit to put pressure on the victim, including the date of the initial compromise, a countdown, the date the leak was actually disclosed on its site, and even the option of sharing the disclosed leak on social networks.
- HelloKitty is not a new ransomware group; it can be tracked as early as 2020, primarily targeting Windows systems. However, in July, a Linux variant of HelloKitty targeted VMware’s ESXi hypervisor, which is widely used in cloud and on-premises data centers. Two clusters of activity were observed. In the observed samples, some threat actors preferred email communications, while others used Tor chats to communicate with victims. The observed variants affected five organizations in Italy, Australia, Germany, the Netherlands and the United States. approximately $1.48 million.
- LockBit 2.0 (formerly known as ABCD ransomware) is a three-year-old RaaS operator that has been linked to high-profile attacks recently, after launching a crafty marketing campaign in June to recruit new affiliates. It claims to offer the fastest encryption on the ransomware market. LockBit 2.0 has impacted multiple industries – 52 victims are listed on the group’s leak site. Its victims include organizations in the United States, Mexico, Belgium, Argentina, Malaysia, Australia, Brazil, Switzerland, Germany, Italy, Austria, Romania and the United Kingdom.
To access the full report, please click here