Complex Made Simple

Here are ransomware groups that businesses need to watch our for

PALO ALTO observed four emerging ransomware groups that are currently affecting organizations and show signs of having the potential to become more prevalent in the future

AvosLocker was observed promoting its RaaS program and looking for affiliates on dark web discussion forums HelloKitty targeted VMware’s ESXi hypervisor, widely used in cloud and on-premises data centers LockBit 2.0 has impacted multiple industries – 52 victims are listed on the group’s leak site

By Doel Santos and Ruchna Nigam

As part of Unit 42’s commitment to stop ransomware attacks, we conduct ransomware hunting operations to ensure our customers are protected against new and evolving ransomware variants.  During our operations, we have observed four emerging ransomware groups that are currently affecting organizations and show signs of having the potential to become more prevalent in the future:

  • AvosLocker is ransomware as a service (RaaS) that started operations in late June, using a blue beetle logo to identify itself in communications with victims and “press releases” aimed at recruiting new affiliates. AvosLocker was observed promoting its RaaS program and looking for affiliates on dark web discussion forums and other forums. Like many of its competitors, AvosLocker offers technical support to help victims recover after they’ve been attacked with encryption software that the group claims is “fail-proof,” has low detection rates, and is capable of handling large files. This ransomware also has an extortion site, which claims to have impacted six organizations in the following countries: the US, the UK, the UAE, Belgium, Spain, and Lebanon. Initial ransom demands ranged from $50,000 to $75,000.

  • Hive Ransomware is double-extortion ransomware that started operations in June. Since then, Hive has impacted 28 organizations that are now listed on the group’s extortion site, including a European airline company and three U.S.-based organizations. Hive uses all tools available in the extortion toolset to create pressure on the victim, including the date of initial compromise, countdown, the date the leak was actually disclosed on their site, and even the option to share the disclosed leak on social media.
  • HelloKitty is not a new ransomware group; it can be tracked as early as 2020, mainly targeting Windows systems. However, in July, a Linux variant of HelloKitty targeted VMware’s ESXi hypervisor, which is widely used in cloud and on-premises data centers. There were two clusters of activity. Across the observed samples, some threat actors preferred email communications, while others used TOR chats for communication with the victims. The observed variants impacted five organizations in Italy, Australia, Germany, the Netherlands, and the US The highest ransom demand observed from this group was $10 million, but at the time of writing, the threat actors have only received three transactions that sum up to about $1.48 million.
  • LockBit 2.0 (previously known as ABCD ransomware) is a three-year-old RaaS operator that has been linked to some high-profile attacks lately following the June launch of a slick marketing campaign to recruit new affiliates. It claims to offer the fastest encryption on the ransomware market. LockBit 2.0 has impacted multiple industries – 52 victims are listed on the group’s leak site. Its victims include organizations in the US, Mexico, Belgium, Argentina, Malaysia, Australia, Brazil, Switzerland, Germany, Italy, Austria, Romania, and the UK.

To access the full report, please click here