This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
Revealed! Top Three Most Prolific Ransomware Gangs
This year ransomware attacks have shut down Vegas casinos, halted Royal Mail shipments and stolen NHS data. Their targets are without borders and include China’s biggest banking system and India’s largest health repository.
When we describe these gangs, we tend to talk in terms of the ransomware and the programming language they use, rather than the anonymous individuals behind these attacks. But does it help to know?
The most notorious groups at present, according to the security experts we consulted with, are three Russian-orientated outfits: BlackCat, Cl0p, and Lockbit, which have taken claim to some of the major attacks of this year.
In terms of other ransomware groups, the list is interchangeable. The challenge with even trying to nail down the top three is that ransomware groups tend to be fluid and swap and change according to their circumstances.
The once-prolific Conti, for instance, made headlines in previous years, but after their internal communications were leaked, following its public support for Russia during the Ukraine conflict, their tactics and structure became exposed and the group disbanded. Politics, as ransomware gangs have found time and time again, is just bad for business.
According to Rafe Pilling, a senior researcher at Secureworks’ Counter Threat Unit, “Conti was likely comprised of people in both Russia and Ukraine, and that caused a sort of nationalist split and the implosion of the group.”
Still, former Conti members have persisted and continue their criminal activities under different names or within other ransomware groups, reflecting the dynamic and adaptive nature of cybercriminal organisations.
The top three take on their affiliates through underground forums and it is those affiliates that keep the gangs active, as detailed in this report.
BlackCat
This gang operates under three names: BlackCat, ALPHV, and Noberus, and made its first appearance in 2021. According to Pilling this ransomware group “tries to send out the message that they want to stay out of politics, and that they are about making money.”
This could be because members of this gang, in a previous guise, suffered the consequences of not being selective enough with its targets.
The FBI has noted that many of BlackCat’s developers and money launders originated from the DarkSide Ransomware platform, which fell apart in 2021 after it disrupted the Colonial gas pipeline in 2021.
Hacking a critical infrastructure company and causing a mass service outage crossed a red line, especially when the US government had to step in. The repercussions of this attack rippled further than it intended, and this group now appears to have splinted into other gangs, including BlackCat.
As well as ensuring their activities are strictly about business and not politics, BlackCat also prides itself on taking a moral standpoint, according to Secureworks’ Pilling. “They’ll say they don’t target healthcare, although usually that will mean when there’s no risk to life.”
Indeed, its moral code didn’t stop the gang from hacking into Lehigh Valley Health Network’s computer system earlier this year leaking naked images of breast cancer patients along with medical questionnaires, passports, and other sensitive patient data.
Other notable attacks include stealing customer documentation from law firm HWL Ebsworth, hacking into the NHS to steal employee IDs.
One of the group’s many affiliates, Scattered Spider, also lay claim to one of this year’s biggest cyber news stories: the MGM Resorts hack, which reportedly cost the leisure operator a $100m loss from business disruptions.
Unlike most RaaS operations, BlackCat has created a data leaks website on the public internet rather than the dark web, perhaps to showcase all its data breach victims, so that new targets will be more inclined to pay up.
Business model
According to Kevin Curran, senior member of IEEE and cyber security professor at Ulster University the business models hackers use is like many legit software houses.
BlackCat uses a Ransomware as a Service (RaaS) model, where the developers provide the malware to affiliates like Scattered Spider, who conduct the attacks, and in return, the developers receive a portion of the ransom payments.
It’s been widely reported (and marketed by BlackCat) that its affiliate share is high: Most RaaS operations allow affiliates to keep 70% of their profits. With BlackCat, however it can be as much as 80 to 90%.
Since the group is Russian speaking, most experts feel its safe to assume it’s Russian-based, but it takes a cautious approach to recruiting, according to Securework’s Pilling.
“There are various forums, where different groups can make contact with each other,” he explains. Though, “there are also relationships between some of these organised criminal groups that occur off forums, so completely out of sight of the general public,” he observes.
If an affiliate is to use their services in an attack that provokes political or moral outrage, BlackCat is likely to distance itself from that attack and refrain from claiming it, notes Pilling.
Most of the ransomware it licenses to affiliates is written in Rust (another differentiator from RaaS gangs), enabling BlackCat to target a wider range of systems including both Windows and Linux.
To gain access to a system, the group primarily uses stolen credentials, often obtained through initial access brokers, then they move laterally to escalate privileges and exfiltrate sensitive data.
At MGM Resorts, Scattered Spider simply called up the help desk, claiming to be IT support, stating that malicious software had been identified on the victim’s machine and that they needed remote access that required the targeted user, found on LinkedIn, to download a tool that would then give the gang access.
Malware sharing group, VX-underground posted on X: “All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk.”
“A company valued at $33,900,000 was defeated by a 10-minute conversation.”
The gang might also gain access to a system through using exploits such as Emotet malware or through vulnerabilities such as Log4J,.
From there, they can redirect users to malware-laden pages via hijacked legitimate websites where they might use ransomware exfiltration tools like ExMatter to steal sensitive data, Curran explains.
The ransomware itself is designed to avoid detection and once activated, conducts network discovery, deleted recovery points, encrypts files, and demands ransom in cryptocurrency.
Pilling says Secureworks can usually identify which gang has carried out an attack from the tools that were used and the type of malware. “I mean, we saw the MGM attack, for example and it all presented as BlackCat,” he says.
After an attack, BlackCat may negotiate the ransom amount, threaten to leak stolen data, and upon payment, provide a decryption key, “though recovery is not guaranteed,” warns Curran. He adds those who pay up may be targeted in future attacks, marking the group’s “blend of technical skill and psychological pressure tactics.”
Tomorrow: LockBit, Cl0p and other gangs to watch
#BeInformed
Subscribe to our Editor's weekly newsletter