The Most Infamous Ransomware Groups in the World

Ransomware groups have become a menace to the cybersecurity field. All the hackers are programming experts. They develop malware, which contains a script to access all the files and redirect them to a remote website. They embed this malware into an exe file or any other software. Then they target the victim and attempt to infect their system. They further collect data and leverage it with the organization’s head to demand ransom. That’s why these attacks are known as “ransomware attacks.”

Many ransomware groups are becoming infamous for their evolving and new methods of attack. These ransomware groups are known for their sophisticated methods of carrying out ransomware attacks and extorting money. The primary motive of ransomware groups is to extort money from organizations, making these attacks the most damaging ones. Ransomware groups are extremely aggressive in the pursuit of payments by leveraging the stolen data and information against the organization.

What is Ransomware Attack?

Ransomware is a kind of malware that takes over the system and freezes it for users. The ransomware groups infect the system with malware and get access to the organization’s storage system. This malware contains an address of threat actors, where all the data is delivered and exposed. The threat actors demand a ransom from the organization to free the data. Sometimes, this malware freezes the whole cyber system of the organization and encrypts all the data. Then ransomware groups demand a ransom to provide a decryption key. These two mechanisms of malware-based attacks are known as ransomware attacks.

Read more about: Shining Light On The Deadly Wiper Malware

Top Ransomware Groups

IOCP Ransomware (Conti)

Among all the ransomware groups, Contii is infamous for its widespread and damaging attacks. The FBI has associated Contii with over 400 cyber attacks on organizations globally, with a demand for ransom as high as $25 million.

Apart from being an ambitious and disastrous ransomware gang, Conti is also the most unpredictable and untrustworthy. In several cases, they have refused to give data back to their victims even after a ransom has been paid. Conti uses TrickBot malware, which is an excel sheet that contains a malicious macro to deploy malware attacks.

One of the most high-profile attacks by the Conti ransomware gang was on Florida’s Broward County Public Schools, where the hackers demanded a ransom of a whopping $40 million. The group also attacked the Irish Health Service Executive, causing delays in the cancellation of patient appointments and COVID-19 tests in Ireland. It is also known for attacking a government board in New Zealand and a government agency in Scotland.

Conti employs the popular double extortion technique to get the victim organizations to pay up. This involves encrypting all their files and data as well as threatening to leak it if the ransom isn’t paid. 

One of the biggest leaks by Conti was of 3 GB of data from Advantech, a renowned manufacturer of chips for IoT devices. Also, the Conti gang leaked 20 files belonging to the Scottish Environment Protection Agency (SEPA), claiming it was only a fraction of what was actually stolen.

Read more about Recent Cyber Attacks on Government Agencies

REvil (Also Called Sodinokibi)

REvil AKA Ransomware Evil is also known as “Sodinokibi”. It is a Ransomware-as-a-Service (RaaS) operator which is alleged to be Russia-based or operated by a Russian-speaking group. After encrypting the files and systems, the group would threaten to publish the sensitive information on their page, called “Happy Blog” unless the ransom amount is paid.

As per an article by Dark Reading, REvil was the most common ransomware variant responsible for 25% of ransomware attacks from January 2021 to July 2021. 

The malware was first identified on April 17, 2019. The group deploys the malware via exploit kits, RDP servers, backdoored software installers, and scan-and-exploit techniques. Moreover, REvil also recruits affiliates to spread ransomware for them.

According to an article by Cyber Talk, In 2021, at least 360 US-based organizations have been attacked by the REvil ransomware group and the gang has earned over $11 million.

These threat actors have carried out several high-profile attacks on famous enterprises like meat supplier JBS, Apple supplier Quanta Computer Inc., tech giant Acer, renewable energy company Invenergy, and software provider Kaseya.

Read more about Notorious Ransomware Attacks by REvil in 2021

Maze Ransomware

Maze ransomware was previously known as “ChaCha ransomware”. Jerome Segura discovered it, and the malware has since been known to target organizations all over the world. Initially, Maze ransomware hacking groups used exploit kits like Fallout and Spelvo to deploy the malware.

They use a 32-bit binary file that is delivered in the form of a .exe or .dll file. Upon deployment, this file encrypts the user’s files and sends a demand for a ransomware payment. The ransomware group copies the data with the intention of selling it over the dark web.

DarkSide Ransomware Gang

The DarkSide ransomware group is new to the market, and they have successfully made their place amongst the infamous gangs of the current time. They are believed to have originated in Eastern Europe. The DarkSide ransomware group made its first appearance in August 2020 and donated $10,000 stolen from organizations to charity. Their mode of operation was ransomware-as-a-service (RaaS). This group has already targeted organizations across 15 countries and numerous industry verticals.

DarkSide is known for targeting large and high-revenue organizations, and encrypting and stealing their sensitive data. One of the most devastating attacks launched by this ransomware group was on the Colonial Pipeline, which was forced to shut down operations for several days. In addition to locking the systems at Colonial Pipeline, the group also stole more than 100 GB of corporate data. 

Read more about Scareware Attack: Malware Attack via Web App Exploitation

Clop Ransomware Group

Clop is another prominent name on the list of the most notorious ransomware groups that are terrorizing organizations across the world. They have been linked to various high-profile hacks. The Clop ransomware group is responsible for the attacks on companies like the jet manufacturer Bombardier, residential mortgage servicer Flagstar Bank, security firm Qualys and the Universities of Miami and Colorado. 

Just like several other ransomware gangs, Clop steals the data and encrypts the data and network. Then they threaten the victim to leak the stolen information if the demanded ransom is not paid. However, the group has also started using a new tactic to apply maximum pressure on the victims for paying the ransom.

Ryuk Ransomware

Ryuk is a family of ransomware that first appeared in mid-August 2018. It is believed that this Russian cybercriminal group is also known as “wizard spider”. They operate through a malware distribution campaign. The malware has been targeting businesses, hospitals, government institutions, and other organizations.

Ryuk mostly targets organizations instead of going after individual consumers. And similar to other ransomware groups, they demand ransom payments to release the data their malware has made useless by encryption.

Netwalker (Also Called Mailto)

Netwalker is one of the most dangerous ransomware groups haunting organizations worldwide. The gang has received more than $30 million in ransoms since their cyber attacks began. They are responsible for crippling the cyber systems of several hospitals, schools, and government agencies throughout the world.

Some of the most notable victims of the Netwalker ransomware include the Crozer-Keystone Health System, the Australian transport company Toll Group, California University’s COVID research sector, the Austrian city of Weiz, Argentina’s official immigration agency, and Pakistan’s largest private power utility, K-Electric. 

Netwalker launches a successful attack, presenting the victim company with a ransom note that demands a certain amount of money in exchange for decrypting the compromised data. The group instantly published a sample of the stolen data on its dark website as proof of the breach. The exposed data provides evidence for the victims and threatens to publish the rest of the data if the ransom isn’t paid.

WannaCry Attacker Group

Wannacry is one of the most ravaging ransomware attacks in history. The attack terrorized the internet in the year 2017. Thousands of companies worldwide were infected including FedEx, Nissan, and Renault. The virus was spread through a phishing email and was delivered in the form of a dropper.

WannaCry is considered one of the most dangerous ransomware attacks as it can spread the virus across multiple networks of the organization by exploiting critical vulnerabilities in Windows operating systems.

Ransomware as a Service

Ransomware attacks have always been a big deal in the cyber world which is evolving and becoming sophisticated. Many threat actors have devised an affiliate-based system for providing ransomware attacks as a service. In this case, the affiliate provides the services of a ransomware attack to a vendor who wants to levy damage on the competitor organization. Similarly, a vendor can seek an affiliate to land a ransomware attack on a target organization. Ransomware as a service attack is becoming more dangerous as they have created a business model for cyber attacks that are more damaging. The affiliates are the handlers and promoters of the RaaS attack. RaaS is based on a software subscription model.

Prevent Ransomware Attacks By Cybersecurity Awareness

The most damaging aspect of ransomware attacks is that they use malware to infect and paralyze the system. But again, the mechanism of delivering this malware is mostly done through social engineering tactics. That’s why cybersecurity awareness training for employees is the best solution that every organization can employ. The primary goal of this solution is to educate employees about different types of cyber attacks and how to prevent them. Empowered and cyber-aware employees can be the best defense for the organization.