New Ransomware Groups Emerge Despite Crackdowns
New ransomware groups are emerging as financial gain continues to outweigh the risks for cybercriminals, a new report by Rapid7 has found.
Since the start of January 2024, the cybersecurity firm has observed 21 new or rebranded groups entering the scene.
These are operating along with seasoned gangs like LockBit, which continues to operate despite law enforcement takedown, Operation Cronos.
Overall, Rapid7 said in the first half of 2024 it observed a total of 68 distinct ransomware groups actively posting ransomed datasets to their individual leak sites.
A new ransomware strain, according to Raj Samani, Chief Scientist at Rapid7, involves a level of new code base and new features.
During Black Hat USA, Samani told Infosecurity there is innovation happening with these groups.
“A year ago we would talk about initial entry vectors around emails and remote desktop protocols (RDPs), now we’re talking about the exploitation and the burning of zero-days at scale.”
“What I suspect we’re seeing is a fluidity in the [ransomware] marketplace. That’s where we’re seeing that growth,” he added.
He also noted that ransomware groups are now leaking data, whereas until recently they were not doing this.
“It is a constant battle in terms of understanding what the threat actors are doing and how we put development of detection in place,” he said.
Some of the new operators include groups using the names Space Bears, Rabbit Hole, Qiulong, DoNex and Arcus Media.
An example of a completely new group that surfaced in April is FSociety, Rapid7 noted. Their ransomware is called FLocker. The group has its leak site on Tor, but it is also active on its own Telegram channel.
This is a group that does not hesitate to attack the healthcare or medical services sector, Rapid7 noted in its report.
Ransomware Family Links
Rapid7 researchers disputed links between two well-known groups, ALPHV (Blackcat) and RansomHub.
It has been suggested that the two were linked after ALPHV had its servers disrupted in March 2024, not long after it targeted Change Healthcare in a cyber-attack.
After the ALPHV attack against Change Healthcare, RansomHub extorted the healthcare organization for a second time.
However, Rapid7 does not believe the two groups are linked because ALPHV ransomware was written in the Rust language where RansomHub is written in GoLang.
Rapid7 did nevertheless discover some links between some groups. For example, there is a strong connection between the Pay and the Morok ransomware families.
The number of unique ransomware families observed in public incidents has decreased since the beginning of 2022, Rapid7 observed.
This suggests a move toward more specialized and highly effective ransomware variants, solely extortion operations, rather than a broad array of less sophisticated malware.
Rapid7 also examined the most active ransomware groups in terms of number of leak site posts in 2024.
January 2024 saw a 117% year-over-year increase in the number of groups actively posting ransomed datasets to their leak sites.
The Ransomware and Advanced Malware Protection (RAMP ) forum continues to be the most well-known platform hosting access brokers. RAMP demands a $500 registration fee and facilitates ransomware-as-a-service (RaaS) operations as it offers ransomware kits and comprehensive guides and tutorials for cyber-attacks.
Small Companies a Big Target for Ransomware
Rapid7 found through its analysis of RAMP that companies with revenues in the $5m range appear twice as often as those in the $30-50m range and five times more frequently than those with a $100m revenue.
“Behind the headlines of the big breaches is an entire economy of where smaller companies are being targeted exponentially higher than any other firm,” said Samani.
Companies based in the West commanded a higher price due to their perceived wealth and easier access to resources for payment.
Rapid7 noted a total of seven encryption algorithms used by the ransomware samples, with AES, Cha Cha and RC4 topping the list.
This suggests a strategic choice by ransomware groups to optimize performance and security evasion.