Ransomware is malicious software that encrypts a victim’s files or locks their computer system and demands payment, typically in cryptocurrency, to restore access to the affected data or system. In some cases, ransomware may threaten to publicly release or delete the victim’s data if the ransom is unpaid. Ransomware attacks are typically carried out through phishing emails, exploit kits, or remote desktop protocol (RDP) attacks.
Victims of ransomware attacks are often individuals or organizations with valuable data, such as financial institutions, healthcare providers, or government agencies. Ransomware attacks can have severe financial and reputational consequences for victims and are considered significant cybersecurity threats.
Ransomware groups are organized criminal organizations or individuals who create and distribute ransomware to extort money from victims. These groups typically operate on the dark web and use various tactics, such as phishing emails or exploiting vulnerabilities in software, to infect victims’ computers with ransomware. Some of the most notorious ransomware groups include REvil, Conti, Maze, and Ryuk.
These groups often have complex hierarchies and use sophisticated techniques to evade detection by law enforcement and cybersecurity professionals. They may also offer ransomware-as-a-service (RaaS) to other criminals, allowing them to use their ransomware in exchange for a cut of the ransom payments. Using cryptocurrency for ransom payments makes it difficult for law enforcement to track down and prosecute the individuals behind these attacks.
Here is a list of some of the top ransomware gangs:
REvil/Sodinokibi
REvil, also known as Sodinokibi, is a high-profile ransomware group responsible for numerous attacks on businesses and organizations worldwide. The group emerged in April 2019 and quickly gained notoriety for its sophisticated and aggressive attacks.
REvil typically uses phishing emails or exploit kits to infect victims’ computers with ransomware. Once the ransomware is installed, it encrypts the victim’s files and demands payment in exchange for the decryption key. REvil often demands large ransom payments, sometimes in the millions of dollars, and threatens to release the victim’s data if the ransom is not paid.
In addition to its ransomware activities, REvil is known for using a “leak site,” where it posts stolen data from its victims as leverage to encourage ransom payment. This tactic has led to several high-profile data breaches, including attacks on Travelex, Grubman Shire Meiselas & Sacks (a law firm representing numerous celebrities), and the software company Kaseya.
REvil is believed to be a Russian-based criminal organization, although its exact origins and membership are unclear. The group is known for its sophisticated tactics and has been able to evade law enforcement in many cases. However, some group members have been arrested or otherwise identified, and efforts are ongoing to disrupt their operations.
Conti
Conti is a ransomware group that emerged in late 2019 and has quickly become one of the most prolific and successful ransomware operations. Like other ransomware groups, Conti infects victims’ computers with ransomware and demands payment for the decryption key. The group is known for its aggressive tactics and willingness to target various organizations, including healthcare providers, government agencies, and businesses.
Conti typically gains access to victims’ networks through phishing emails or exploiting vulnerabilities in software. Once inside a network, the group will often conduct surveillance to identify valuable data and systems to target for encryption. Conti has been known to demand large ransom payments, sometimes in the millions of dollars, and will threaten to release the victim’s data if the ransom is not paid.
One of the unique features of Conti is its use of a “double extortion” tactic. In addition to encrypting victims’ files and demanding payment, Conti will threaten to release stolen data on its leak site if the ransom is not paid. This tactic has convinced many victims to pay the ransom to avoid the public release of their sensitive data. Conti is believed to be a Russian-based criminal organization, although its exact origins and membership are unknown.
Ryuk
Ryuk is a sophisticated ransomware group that first emerged in August 2018 and has been responsible for several high-profile attacks on businesses and organizations worldwide. The group is known for its highly targeted attacks on large organizations, often involving extensive reconnaissance and lateral movement within victims’ networks.
Like other ransomware groups, Ryuk encrypts victims’ files and demands payment for the decryption key. However, the group is known for its sophisticated encryption methods and its ability to evade detection by antivirus software. Ryuk typically demands large ransom payments, sometimes in the millions of dollars, and has been known to threaten to release the victim’s data if the ransom is unpaid.
Ryuk is believed to be linked to the Lazarus Group, a North Korean state-sponsored hacking group responsible for several high-profile cyberattacks. While the exact nature of the relationship between Ryuk and Lazarus is unclear, some experts believe that individuals with ties to North Korea may operate with Ryuk. Ryuk has been linked to several high-profile attacks, including the attack on the City of New Orleans in December 2019 and Universal Health Services in September 2020.
DarkSide
DarkSide is a ransomware group that emerged in August 2020 and gained notoriety in May 2021 after it was linked to the attack on Colonial Pipeline, one of the largest pipelines in the United States. The group is known for its sophisticated tactics and willingness to target large organizations.
DarkSide operates like other ransomware groups, using phishing emails or exploit kits to access victims’ networks, encrypting their files, and demanding payment in exchange for the decryption key. The group is known for its professionalism and business-like approach, offering customer support and even providing a “code of conduct” to its affiliates.
DarkSide claims to be a “for-profit” organization that only targets companies with “revenues of $100 million or more,” although it is unclear how strictly the group adheres to this policy. The group typically demands large ransom payments, sometimes in the millions of dollars, and has been known to threaten to release the victim’s data if the ransom is unpaid.
After the attack on Colonial Pipeline, DarkSide announced that it was shutting down its operations. However, whether this was a genuine shutdown or simply a tactic to evade law enforcement is unclear. Some experts believe that DarkSide is operated by individuals in Russia or Eastern Europe, although the group’s exact origins and membership are unclear.
Maze
Maze is a ransomware group that emerged in May 2019 and quickly gained notoriety for its aggressive tactics and high-profile targets. Like other ransomware groups, Maze infects victims’ computers with ransomware and demands payment for the decryption key. However, the group is known for its sophisticated tactics and willingness to target large organizations, including government agencies, healthcare providers, and businesses.
Maze typically gains access to victims’ networks through phishing emails or exploiting vulnerabilities in software. Once inside a network, the group will often conduct surveillance to identify valuable data and systems to target for encryption. Maze has been known to demand large ransom payments, sometimes in the millions of dollars, and will threaten to release the victim’s data if the ransom is not paid.
One of the unique features of Maze is its use of a “double extortion” tactic. In addition to encrypting victims’ files and demanding payment, Maze will threaten to release stolen data on its leak site if the ransom is not paid. This tactic has convinced many victims to pay the ransom to avoid the public release of their sensitive data.
Maze is believed to be a Russian-based criminal organization, although its exact origins and membership are unknown. The group has been linked to several high-profile attacks, including the attack on the City of Pensacola, Florida, in December 2019. In November 2020, the group announced that it was shutting down its operations, although it is unclear whether this was a genuine shutdown or simply a tactic to evade law enforcement.
The Maze group was also known for pioneering the “ransomware-as-a-service” model, which allows other criminal organizations to use its ransomware in exchange for a share of the profits. This model has been adopted by many other ransomware groups, contributing to the proliferation of ransomware attacks in recent years.
NetWalker
NetWalker is a ransomware group that emerged in August 2019 and quickly gained notoriety for its sophisticated tactics and high-profile targets. Like other ransomware groups, NetWalker infects victims’ computers with ransomware and demands payment for the decryption key. However, the group is known for its aggressive tactics and willingness to target large organizations, including government agencies, healthcare providers, and universities.
NetWalker typically gains access to victims’ networks through phishing emails or exploiting vulnerabilities in software. Once inside a network, the group will often conduct surveillance to identify valuable data and systems to target for encryption. NetWalker has been known to demand large ransom payments, sometimes in the millions of dollars, and will threaten to release the victim’s data if the ransom is not paid.
One of the unique features of NetWalker is its use of a “ransomware-as-a-service” model. This allows other criminal organizations to use its ransomware in exchange for a share of the profits. The group has also used social media and public forums to advertise its services and recruit new affiliates.
NetWalker is believed to be a Russian-based criminal organization, although its exact origins and membership are unknown. The group has been linked to several high-profile attacks, including the University of California, San Francisco attack in June 2020. In August 2021, the U.S. Department of Justice announced that it had disrupted the group’s operations and charged one of its members with conspiracy to commit extortion.
Egregor
Egregor is a ransomware group that first emerged in September 2020 and has quickly gained notoriety for its aggressive tactics and high-profile targets. Like other ransomware groups, Egregor infects victims’ computers with ransomware and demands payment for the decryption key. The group is known for its fast encryption process and willingness to target large organizations.
Egregor typically gains access to victims’ networks through phishing emails or exploiting vulnerabilities in software. Once inside a network, the group will often conduct surveillance to identify valuable data and systems to target for encryption. Egregor has been known to demand large ransom payments, sometimes in the millions of dollars, and will threaten to release the victim’s data if the ransom is not paid.
One of the unique features of Egregor is its use of a “double extortion” tactic. In addition to encrypting victims’ files and demanding payment, Egregor will threaten to release stolen data on its leak site if the ransom is not paid. This tactic has convinced many victims to pay the ransom to avoid the public release of their sensitive data.
Although its origins and membership are unknown, Egregor is believed to be a Russia-based criminal organization. The group has been linked to several high-profile attacks, including the attack on Barnes & Noble in October 2020. In February 2021, French and Ukrainian law enforcement agencies announced they had disrupted the group’s operations and arrested several members.
Babuk Locker
Babuk Locker is a ransomware group that emerged in January 2021 and has gained attention for its sophisticated techniques and high-profile targets. The group is believed to be operated by Russian-speaking cybercriminals, but its origins and membership are unknown.
Like other ransomware groups, Babuk Locker infects victims’ computers with ransomware and demands payment for the decryption key. The group is known for its custom-built malware, which uses a unique encryption method to lock victims’ files. Babuk Locker has also been known to exfiltrate victims’ data and threaten to release it if the ransom is not paid, similar to Egregor’s double extortion tactic.
One of the unique features of Babuk Locker is its focus on large corporations and high-profile targets. The group has targeted several organizations in the transportation, healthcare, and energy sectors. In addition to its ransomware attacks, Babuk Locker has also been known to offer “hacker-for-hire” services, which will carry out targeted attacks on behalf of clients.
In May 2021, Babuk Locker announced that it was discontinuing its ransomware operations and shifting its focus to offering its custom malware to other criminal groups. However, it is unclear whether the group has ceased its ransomware activities or is simply rebranding itself under a new name.
LockBit
LockBit is a ransomware group that emerged in September 2019 and has gained notoriety for its sophisticated techniques and high-profile targets. The group is believed to be operated by a Russia-based criminal organization, although its origins and membership are unknown.
Like other ransomware groups, LockBit infects victims’ computers with ransomware and demands payment for the decryption key. The group is known for using automated tools and tactics to quickly spread its malware throughout victims’ networks. LockBit has also been known to exfiltrate victims’ data and threaten to release it if the ransom is not paid, similar to Egregor’s double extortion tactic.
One of the unique features of LockBit is its use of a “pay-or-get-breached” tactic. In addition to encrypting victims’ files and demanding payment, LockBit will threaten to publicly release stolen data if the ransom is not paid. This tactic has convinced many victims to pay the ransom to avoid the public release of their sensitive data.
LockBit has targeted several large corporations and organizations in various sectors, including healthcare, finance, and energy. The group has also used social engineering tactics, such as impersonating job applicants or vendors, to access victims’ networks.
In October 2021, the U.S. Department of Justice announced that it had disrupted LockBit’s operations and charged several members with conspiracy to commit computer fraud and extortion.
Avaddon
Avaddon is a ransomware group that emerged in February 2019 and gained notoriety for its widespread attacks on businesses and organizations worldwide. The group is believed to be operated by a Russian-speaking criminal organization, although its origins and membership are unknown.
Like other ransomware groups, Avaddon infects victims’ computers with ransomware and demands payment for the decryption key. The group is known for using multiple attack vectors, including phishing emails, exploit kits, and Remote Desktop Protocol (RDP) attacks, to access victims’ networks.
Avaddon has also been known to exfiltrate victims’ data and threaten to release it if the ransom is not paid, similar to Egregor’s double extortion tactic. The group has been linked to several high-profile attacks, including the attack on the Irish healthcare system in May 2021.
One of the unique features of Avaddon is its use of a “name-and-shame” tactic. In addition to encrypting victims’ files and demanding payment, Avaddon will also publish the names and details of victims on its leak site if the ransom is not paid. This tactic has pressured victims to pay the ransom to avoid reputational damage.
In June 2021, the Avaddon group announced that it was shutting down its operations and releasing its victims’ decryption keys. However, it is unclear whether the group has ceased its ransomware activities or is simply rebranding itself under a new name.