The FBI estimates that as of January 2022, more than 1,000 victims of attacks associated with Conti ransomware, with total victim payouts exceeding US$150 million. Conti has been the most active ransomware group of the last two years and the most expensive of all time (not including related damages or remediation costs).
Various crucial service providers from the financial services, IT, energy, and government sectors, including Ireland’s public healthcare services and the government of Costa Rica, have been victims of Conti. The US Department of State offered a $10 million reward in May 2022 for information regarding the group’s leaders.
Except for its attack on Accenture in August 2021, LockBit, formerly known as ABCD ransomware, typically targets small- to medium-sized businesses, staying out of the news. A popular RaaS that is attractive to attackers due to its performance and speed is LockBit.
Using ransomware-as-a-service (RaaS) business models, many active ransomware families in 2021–2022 will spread more widely through affiliate networks. Several well-known ransomware families also underwent a rebranding in 2021, including DoppelPaymer becoming Grief, DarkSide becoming BlackMatter, and Avaddon becoming Haron, then Midas (the latter two using the Thanos ransomware builder).
This post will overview 11 different ransomware families and their attack sequences. These ransomware families claimed the most victims in 2021 and 2022 and best represent the current state of ransomware that your organization must defend against.
The ransomware known as Conti was first discovered in February 2020. Although Conti is sometimes categorized as a RaaS, their affiliates are more like staff members who sign up, use a portal to manage the page, and get paid a commission. A similar code between Conti and Ryuk suggests that Conti is most likely the ransomware that Ryuk was replaced by. In 2021, Conti was the most widely used ransomware.
Across numerous campaigns, Conti has utilized a variety of initial access mechanisms, including Spam emails with malicious attachments or links that further download TrickBot, IcedID, BazarLoader, or Cobalt Strike to gain access to the system have been used to spread it. Initial access is also gained by taking advantage of well-known security flaws in applications like Log4j and ProxyShell or shoddy RDP (Remote Desktop Protocol) credentials.
Cobalt Strike, Mimikatz, and other post-exploitation tools are used by Conti after a compromise to steal credentials and gain access to the network. Conti threat actors frequently use red team tools like Metasploit, Netscan, and others to gather knowledge about networks and domain controllers. The threat actors may use AnyDesk, PsExec, or other remote utilities for lateral movement after gathering the required information. Conti threat actors use Rclone or other tools to exfiltrate data, then launch and run the Conti ransomware to encrypt data.
The RSA and AES algorithms were used for encryption in the original version of Conti. However, ChaCha encryption eventually took the place of AES. As part of our ongoing global ransomware tracking efforts, ThreatLabz discovered an updated version of the Conti ransomware in late January 2022. This patch was made available before the massive Conti source code and chat log leak that occurred on February 27, 2022, following the invasion of Ukraine, as reported by a Ukrainian researcher. New command line options were added to Conti in the most recent version, enabling it to restart the computer in Windows Safe Mode while networking is enabled and then begin encryption. As business applications like databases are probably not running, Conti can maximize the number of encrypted files by booting in Safe Mode. Conti added uppercase, lowercase, and numeric characters to the encrypted file extensions. After file encryption, the victim’s desktop wallpaper is also changed.
As ABCD ransomware, named after its “.abcd” extension, LockBit ransomware first appeared in September 2019. Beginning in 2020, a new version was released that ends encrypted files with the “.lockbit” extension. LockBit joined the Maze cartel in 2020 and released victim data on the Maze data leak website. When Maze ceased operations in September 2020, LockBit launched its data leak website.
A new version of LockBit called LockBit 2.0 was released in June 2021. LockBit 2.0 began publishing the information of victim companies on their data leak website in July 2021. The RaaS model is applied. LockBit had authorized network access and actively sought out affiliates working for their target companies. Through spam email campaigns that include harmful attachments or links, LockBit has been spread. LockBit has also been observed using compromised RDP accounts to brute-force RDP or VPN credentials and exploiting the CVE-2018-13379 vulnerability in Fortinet VPN to gain access.
In the first LockBit 2.0 attack that was noticed, the attacker gained access to the intended system using a compromised RDP account. They next used a network scanner to locate domain controllers and recover network information. The threat actor terminated services and processes related to the database and other tools using Process Hacker, PC Hunter, and StealBit to exfiltrate the data. Security software was uninstalled, Windows event logs were turned off, and Defender features were disabled using a batch file. Finally, LockBit distributed and ran the LockBit 2.0 ransomware using Windows group policies.
LockBit’s effectiveness is what makes it so popular. It uses the quickest encryption method, which encrypts each file with just 4 KB of data using a multi-threaded approach. To encrypt files, it combines the RSA and AES algorithms. In October 2021, LockBit made a version for Linux and VMware ESXi available. For data encryption, this combines the Advanced Encryption Standard (AES) and elliptic-curve cryptography (ECC) algorithms.
In October 2019, PYSA ransomware, also known as Mespinoza, was first discovered. They target various global industries but are infamous for attacking “soft targets” like schools and hospitals.
PYSA first gains access to a computer through spam email or stolen RDP credentials. The threat actors then use scanning tools like Port Scanner and the Advanced IP Scanner created by Famatech Corp. to gather network information. To steal credentials and move laterally, the attackers use post-exploitation tools like Mimikatz, PowerShell Empire, Koadic, and PsExec. The data was removed from the victims’ systems using the WinSCP tool. To prevent victims from recovering their data, a PowerShell script disables security software and deletes shadow copies and system restore points. The attacker then launches the PYSA ransomware, runs it, and encrypts the victim’s data. PYSA encrypts files using a mix of the RSA and AES-CBC algorithms. If a victim does not pay a ransom, PYSA will post the stolen data on its leaked website.
The REvil ransomware (also known as Sodinokibi) was discovered for the first time in April 2019 and has since become one of the most active threat actors. REvil also uses a RaaS ecosystem. In January 2020, REvil began using double extortion; the first data were posted on a hacking forum. The Sodinokibi attackers launched the data leak site in February 2020.
They also tried selling stolen data for auction on their leak site, but that didn’t work out either. In July 2021, the REvil threat group infamously took advantage of a zero-day vulnerability in the Kaseya VSA server. A malicious script was sent to every client managed by the infected Kaseya VSA server.
Russian law enforcement detained REvil members in January 2022. When REvil attacks resumed in April 2022, the infrastructure went back online after the ransomware was updated.
Affiliates of REvil have used a range of initial access methods, such as hacked RDP accounts, spam emails, exploit kits, and vulnerability exploits. A spam email that contains a malicious attachment is how a campaign might begin. When the malicious attachment is opened, a trojan, such as IcedID, which serves as a pivot point for lateral movement, is downloaded. REvil affiliates employ programs like Cobalt Strike, SharpSploit, Mimikatz, and other post-exploitation tools to steal credentials. Additionally, affiliates gather network data using tools for network discovery, such as Netscan, BloodHound, and AdFind. The attackers use PsExec or RDP access to move laterally. There have been instances of data exfiltration using FileZilla, Rclone, MEGAsync, or FreeFileSync. Affiliates of REvil are known to end security software-related processes and services using scripts like PC Hunter, Process Hacker, KillAV, and/or others before deploying ransomware. The threat actor then uses REvil ransomware to encrypt data. REvil employs asymmetric elliptic-curve cryptography to encrypt files, combining Curve25519 and Salsa20.
In June 2020, when it was first discovered, Avaddon ransomware was already very active. Another ransomware family that utilized the RaaS ecosystem was Avaddon. As part of its triple extortion strategy, Avaddon added DDoS to its operations in January 2021. To persuade the victim to bargain with the operators of the victim’s website or network and raise the ransom amounts, Avaddon launched DDoS attacks against those targets.
Avaddon was able to gain access through various affiliates, who used various vectors for the initial compromise. The most common ways that Avaddon was distributed were through spam campaigns and exploit kits, but some affiliates also gained access to networks through brute force attacks or stolen RDP and VPN credentials. In one attack chain, BlackCrow and DarkRaven web shells were used by Avaddon to access a first broker that had been compromised by compromised credentials and gain access to the target system. Avaddon used SharpDump and Mimikatz to steal credentials after using SystemBC to access compromised hosts. The threat actor conducted post-exploitation network scanning using SoftPerfect Network Scanner, PowerSploit, and Empire. Affiliates of Avaddon used Windows Scheduled Tasks for persistence and RDP for lateral movement. The threat actors terminated processes and services related to security software before releasing the primary ransomware payload and using MEGAsync to exfiltrate data. The threat actor then dropped, executed, and encrypted the Avaddon payload on the targeted systems.
To encrypt files, Avaddon combined the RSA and AES algorithms. A researcher discovered a flaw in a decryptor in February, which Avaddon then fixed. Emsisoft created an Avaddon decryptor after Avaddon stopped operating and released the victim’s decryption keys in June 2021.
Avaddon launched its data leak website in August 2020, following the lead of the other ransomware families previously discussed. The threat group restarted attacks using the Thanos ransomware builder after Avaddon shut down in June 2021. The threat group rebranded Avaddon as Haron, and in October 2021, Midas was used as the new name for the ransomware.
The clop ransomware first came to light in February 2019. In March 2020, Clop began employing double extortion, leaking stolen data from compromised organizations that had not been paid ransoms to their data leak sites.
The Clop group concentrates its efforts primarily on big businesses. The Clop ransomware group has been seen by ThreatLabz to make eight-figure ransom demands and even reject offers of multimillion-dollar ransom payments.
The clop ransomware was initially released by the threat groups TA505 and FIN11. Threat actor TA505 has widely disseminated Clop via spam campaigns. The SolarWinds Serv-U CVE-2021-35211 vulnerability, which permits remote code execution with elevated privileges for initial access, has been the target of several Clop attacks, according to ThreatLabz. Multiple vulnerabilities in the Accellion File Transfer Appliance (FTA) tracked as CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104 have been exploited by the FIN11 threat group. The DEWMODE web shell is then dropped by FIN11, which exfiltrates data before executing the Clop ransomware.
A spam email with an HTML attachment served as the point of compromise for one example of TA505’s attack. The attachment’s redirect further dropped the Get2 loader to an XLS document file. The loader downloaded additional payloads like SdBot, FlawedAmmy, FlawedGrace, and Cobalt Strike. The threat group installed and ran the Clop ransomware after gaining access to the network and stealing and leaking data. To encrypt files, Clop combines the RSA and AES algorithms.
DoppelPaymer, whose activity significantly decreased in May 2021 due to the Colonial Pipeline attack, was rebranded as Grief ransomware. DoppelPaymer and Grief’s similarities include using the same ransomware code and data leak websites.
The Grief ransom portal differs from the DoppelPaymer portal in a few ways. In particular, payments for ransom demands are made using the Monero cryptocurrency rather than bitcoin. This shift in cryptocurrency may react in the FBI recovering some of the bitcoin ransom payments for the Colonial Pipeline.
On previously infected systems with Dridex, the attacker has installed and executed the Grief ransomware payload. This was done using Cobalt Strike. Grief encrypts files using a 2048-bit RSA and 256-bit AES combination.
RaaS-based Hive ransomware was discovered for the first time in June 2021. It employs various techniques, such as phishing emails, leaked VPN credentials, and vulnerability attacks on resources with an external facing. Utilizing Microsoft Exchange Server’s ProxyShell vulnerabilities is how the initial infection begins. The Microsoft Exchange Server remote code execution vulnerability, the Microsoft Exchange Server elevation of privilege vulnerability, and the Microsoft Exchange Server security feature bypass vulnerability are all present in ProxyShell exchange vulnerabilities.
The attacker creates an attachment containing the encoded web shell as a draft email item inside of a mailbox. The attacker then exports the entire mailbox—including any malicious draft emails—to a PST file with an ASPX extension. As a result, vulnerable servers can receive web shells from attackers. The web shell downloads the PowerShell script containing the Cobalt Strike payload encoded. Additionally, it downloads more stagers and gains access to the victim’s system. Then, it employs a pass-the-hash strategy to gain access to the domain control account after using Mimikatz to steal NTLM hashes. Hive uses stolen credentials to perform additional lateral movement over RDP. Using the SoftPerfect Network scanner scans the network and gathers more data. Ultimately, it launches the Hive ransomware, runs it, and encrypts the data.
In earlier iterations of the Hive ransomware payload, files were encrypted using a combination of the RSA and AES algorithms and were programmed in the Go programming language. More recent versions of Hive use the file encryption algorithms Curve25519 and ChaCha20 and are programmed in the Rust programming language. Before file encryption, Hive affiliates also steal data from their victims.
Another RaaS group that made a big impression in July 2021 was BlackByte. Around September 2021, it underwent a rewrite in the Go programming language from the original C# code. The commands used to carry out privilege escalation, file encryption, and lateral propagation in the Go-based version are very similar to those used in the C# version. The first step in BlackByte campaigns is to take advantage of the ProxyShell flaws in Microsoft Exchange Server.
Within a mailbox, the attacker creates a draft email item. The web shell is encoded and attached to the email. The attacker then exports the entire mailbox—including any malicious draft emails—to a PST file with an ASPX extension. As a result, vulnerable servers can receive web shells from attackers. The web shell then drops the Cobalt Strike beacon on the targeted Exchange server. Cobalt Strike and other post-exploitation tools are employed to access service accounts and steal credentials.
BlackByte also sets up the AnyDesk RDP application. The infected domain controller is attacked with Cobalt Strike using AnyDesk for lateral movement. The BlackByte ransomware is then deployed and carried out by Cobalt Strike.
Initial access was gained by dropping a web shell on the Exchange server using ProxyShell vulnerabilities. The web shell downloads the Cobalt Strike beacon. After stealing credentials, Cobalt Strike installs the AnyDesk RDP tool. Cobalt Strike is dropped by AnyDesk in the infected domain controller while being used for lateral movement. The BlackByte ransomware is then released and put into action using Cobalt Strike.
To encrypt files, BlackByte combines the RSA and AES algorithms. The most recent iterations of BlackByte use ChaCha20 for symmetric file encryption and Curve25519 ECC for asymmetric encryption. Before file encryption, the BlackByte threat actors steal data from their victims.
The RaaS group known as AvosLocker first gained notoriety in July 2021. Like Hive and BlackByte, the initial infection begins with the Microsoft Exchange server’s ProxyShell vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 being exploited.
Within a mailbox, the attacker creates a draft email item. The web shell is encoded and attached to the email. The attacker then exports the entire mailbox—including any malicious draft emails—to a PST file with an ASPX extension. As a result, vulnerable servers can receive web shells from attackers. The web shells drop Cobalt Strike on the compromised exchange server. Cobalt Strike and Rclone exfiltrate data to distant servers while stealing credentials. Installing AnyDesk RDP allows the attack to move laterally and access numerous systems. It includes several batch scripts for editing and erasing security software-related registry keys. Additionally, Windows Update and Windows Defender are turned off.
Finally, AvosLocker restarts the computer in Windows Safe Mode, at which point the ransomware begins to encrypt files. AvosLocker can increase the number of encrypted files by starting the computer in Safe Mode because it’s likely that business applications like databases won’t run. These programs won’t have any open file handles, which could prevent file encryption. In addition, when the system runs in Safe Mode, many security software programs (such as antivirus software) won’t be loaded by default. Other ransomware families, such as Conti, REvil, and BlackMatter, have been observed to have the capability of encrypting files while Windows Safe Mode is active. To encrypt files, AvosLocker combines the RSA and AES algorithms. Targeting VMware ESXi, AvosLocker developed a ransomware variant for Linux. In some cases, the attacker threatens and launches a DDoS attack on the victim’s network during negotiation after the attack by threatening to publish the victim’s data to a data leak site.
A RaaS operation known as BlackCat, ALPHV, was discovered around November 2021. RUST, a programming language, has been used by BlackCat to enhance performance and ensure reliable concurrent processing.
When accessing victims’ network systems using stolen credentials, the infection process begins. Cobalt Strike, PowerShell scripts, and batch scripts are initially used to gain access to the victim’s network. Once inside, it compromises Active Directory admin accounts. It additionally employs malicious Group Policy Objects (GPOs) to distribute and run ransomware. The attack also makes use of Microsoft Sysinternals and other administrative tools. BlackCat expanded its operations to include DDoS techniques. BlackCat launches DDoS attacks against the victim’s network or website to persuade them to negotiate with the site’s operators and demand higher ransom payments.