History’s Most Notorious Ransomware Gangs

In a recent study, titled Ransomware: The True Cost to Business, we found that the costs of ransomware have increased for organizations. We learned that two-thirds of organizations experienced significant revenue loss following a ransomware attack, for instance.

Slightly fewer respondents (53%) told us that a ransomware incident had damaged their brand and reputation. This was followed by instances of C-level talent loss, employee layoffs, and business closures at 32%, 29%, and 26%, respectively.

The costs discussed above reflect the increasingly professional nature of ransomware as a form of digital crime. Some gangs have helped to drive this development more than others. Let’s discuss four of those ransomware groups:

REvil/Sodinokibi Ransomware Gang

We began tracking REvil (aka Sodinokibi or Sodin) back in April 2019. Connected to the authors of GandCrab ransomware, the REvil/Sodinokibi operation launched its first campaigns in Asia before spreading to Europe and other regions.

Those early intrusions leveraged vulnerabilities in servers and other enterprise assets, but in time, the attackers began using phishing kits and other infection vectors. Such changes emboldened Sodinokibi to expand its reach to the likes of Acer, Apple, and Kaseya, and to demand tens of millions of dollars from its victims.

Following the Kaseya supply chain attack, REvil abruptly ceased operations. The group’s clear web and dark web sites went offline on July 12, reported Bleeping Computer. Around that same time, an admin for the Russian digital crime forum XSS banned “Unknown,” an individual who is believed to have been a public representative for the REvil operation.

Wizard Spider Ransomware Gang

Wizard Spider is one of those ransomware groups that’s decided to actively develop and distribute multiple ransomware strains at once. In 2018, for example, Wizard Spider began using Ryuk to infect unsuspecting victims. The threat actor innovated new tactics, techniques, and procedures (TTPs) for Ryuk in the years that followed. Those new attack methods included forming partnerships with other digital crime operations such as Trickbot and Emotet.

It was in 2020 when the security community witnessed the emergence of a new ransomware strain called Conti. This threat shared a similar code base to Ryuk, leading some to wonder whether Conti was Ryuk’s successor.

Ryuk eventually re-emerged in its own attack campaigns, however. This indicates that Wizard Spider had created Conti (and BazarLoader after that) to infect even more victims than it could with Ryuk alone.

DarkSide Ransomware Gang

DarkSide first emerged in August 2020. In the months that followed, the threat underwent several rounds of changes that included the creation of an affiliates program and the incorporation of double extortion as one of its attack techniques.

Such modifications, among others, helped the ransomware strain earn a name for itself by targeting organizations in English-speaking countries and demanding ransoms from its victims as high as $2 million.

That brings us to DarkSide’s attack on Colonial Pipeline Company in early May. The ransomware’s developers said that an affiliate had been responsible for the attack and that they would screen their partners’ targets going forward. However, those assurances didn’t prevent DarkSide from closing its doors after someone seized its infrastructure and emptied its payment servers of the funds used to pay its affiliates, wrote KrebsonSecurity at the time.

TA505 Ransomware Gang

We set our sights on tracking Cl0p, a ransomware strain created by the TA505 threat actor, back in the second half of 2020. In the attacks we observed, the attackers deployed two payloads prior to Cl0p so that they could move laterally across a compromised network. This enabled TA505 to encrypt as much of a target’s network with Cl0p as possible.

This went on until June 2021 when an international effort arrested some of Cl0p’s members. In the process, law enforcement seized approximately $180,000 in funds, computer equipment, and high-end cars from the attackers. The Cl0p operation responded by laying low for a week. After that, however, it resumed its activities by releasing data for new victims on its data leaks site.

Ransomware Demands an Effective Defensive Strategy

Today’s ransomware operations, or RansomOps, are more complex than the commodity-style “spray and pray” attacks of yesterday. They are highly targeted and leverage unique TTPs, so trying to detect them using known Indicators of Compromise (IOCs) is ineffective.

The best way to minimize the potential impact from ransomware attacks is to detect and block them earlier in the attack sequence. The actual ransomware payload is the very tail end of a RansomOps attack, so there are weeks or even months of detectable activity prior to the payload delivery where an attack can be intercepted before there is any serious impact to the targeted organization.

The Cybereason Predictive Ransomware Protection solution detects the earliest indications of a ransomware operation and eliminates the threat with automated prevention in just milliseconds. With the ability to block obfuscated ransomware, plus the addition of artificial intelligence on every endpoint, encryption prevention, rollback capability and visibility from the kernel to the cloud, the Cybereason Predictive Ransomware Protection represents the most capable ransomware defense available on the market.

This is why Cybereason is the only security provider that remains undefeated in the fight against ransomware, protecting every customer from threats like the DarkSide Ransomware that shut down Colonial Pipeline, the REvil Ransomware that disrupted meatpacking giant JBS and IT services provider Kaseya, the LockBit Ransomware that struck Accenture and every other ransomware family.

Predictive protection means that Cybereason ends ransomware attacks against your network with the highest degree of confidence based on subtle behaviors and attacker activity. We see what others miss and infer the attacker’s next move without manual input from Defenders.

Cybereason is dedicated to teaming with defenders to end ransomware attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about the Cybereason Predictive Ransomware Protection solution, browse our ransomware defense resources, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.