How the Ransomware Gangs Stay One Step Ahead

September 21, 2021 | 3 minute read

Editor's Note: Unlock the knowledge, resources and expert guidance you need to successfully prevent ransomware attacks from impacting your organization’s operations with this complimentary Ransomware Toolkit... 

Ransomware attacks increased dramatically in the first half of 2021. As reported by ITProPortal, the volume of global ransomware hit 304.7 million during that six-month period. That’s 0.1 million more ransomware attacks than the entire total in 2020.

During that period, many malicious actors upped their efforts to target government entities, with a 917% increase in ransomware attacks targeting that sector. This was followed by increases in attacks targeting education (615%), healthcare (594%), and retail (264%).

What’s Behind this Rise in Ransomware Attacks?

Understanding the many factors that contributed to this rise is beyond the scope of this article. Instead, let’s focus on the following cause: ransomware actors are vying to stay ahead of defenders by learning from one another and pooling resources.

Take the LockBit gang’s involvement in the Maze ransomware cartel as an example. Back in June 2020, Bleeping Computer learned that Maze’s operators had added the information for an architectural firm to their extortion website. This leak was different in that the LockBit gang was responsible for having targeted the firm and stolen its data. Later, the Maze gang clarified that they were working with LockBit as a “partner” to share their infrastructure and their experience.

Prior to joining up with the Maze operation, those responsible for LockBit had maintained their own data leaks website. The portal shut down around the time that LockBit became a part of the Maze cartel. Several months into that partnership, the LockBit group posted a link to a new data leaks site on a Russian-speaking digital crime forum. At the time, the site listed the information of an automation parts manufacturer and a shipping company, reported Bleeping Computer.

It was in November 2020 when the Maze ransomware group announced that they had ceased operations and that they would no longer be leaking victims’ data. In an announcement obtained by Bleeping Computer, the attackers disputed the claim that they had ever formed a cartel.

“We never had partners or official successors,” the attackers wrote. “Our specialists do not works with any other software. Nobody and never will be able to host new partners at our news website. The Maze cartel was never exists and is not existing now. It can be found only inside the heads of the journalists who wrote about it.” [sic]

In the days that followed, researchers observed some Maze affiliates moving to a new ransomware operation called “Egregor”. The crypto-malware itself appeared to be created from the same software as Maze, raising the possibility that the Maze attackers had simply rebranded their campaign. Whoever was commanding Egregor at the time quickly made waves when someone on Twitter posted about the group having hijacked their victim’s printers to print out physical copies of their ransom note.

What a surprise then, when the LockBit2.0 version arrived with that same capability in July 2021. Coincidence? Not likely.

Despite what the Maze attackers said in their farewell announcement, their cartel was real, and it still functions to this day. Analyst1 found that the cartel consisted of LockBit and three other groups as of April 2021. Together, those gangs use the cartel to share not only infrastructure and expertise but also victims’ stolen information.

This sometimes involves more than one ransomware group publishing the same information on their data leaks site. Other times, this involves groups publishing the data stolen by other cartel members.

On the Need for Better Ransomware Defenses

The case of Maze and LockBit highlights how some ransomware gangs share infrastructure, expertise, and even stolen data. Such collaboration helps ransomware groups to evolve and learn from one another, thus making it more difficult for security teams to defend against them—that is, unless they have the proper anti-ransomware solution in place.

The best strategy for organizations is to prevent a ransomware attack from being successful in the first place. To do that, they need to invest in a multi-layered solution that leverages Indicators of Behavior (IOBs) to detect and prevent a ransomware attack at the earliest stages of initial ingress, prior to the exfiltration of sensitive data for double extortion, and long before the actual ransomware payload is delivered.

The Cybereason Operation-Centric approach provides the ability to detect ransomware attacks earlier based on rare or advantageous chains of malicious behavior. This is why Cybereason is undefeated in the battle against ransomware and delivers the best prevention, detection, and response capabilities on the market, which include:

    • Anti-Ransomware and Deception: Cybereason uses a combination of behavioral detections and proprietary deception techniques surface the most complex ransomware threats and end the attack before any critical data can be encrypted.
    • Intelligence Based-Antivirus: Cybereason block known ransomware variants leveraging an ever-growing pool of threat intelligence based on previously detected attacks.
    • NGAV: Cybereason NGAV is powered by machine learning and recognizes malicious components in code to block unknown ransomware variants prior to execution.
    • Fileless Ransomware Protection: Cybereason disrupts attacks utilizing fileless and MBR-based ransomware that traditional antivirus tools miss.
    • Endpoint Controls: Cybereason hardens endpoints against attacks by managing security policies, maintaining device controls, implementing personal firewalls and enforcing whole-disk encryption across a range of device types, both fixed and mobile.
    • Behavioral Document Protection: Cybereason detects and blocks ransomware hidden in the most common business document formats, including those that leverage malicious macros and other stealthy attack vectors.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern ransomware. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Cybereason Security Team
About the Author

Cybereason Security Team

The Cybereason Security Team champions cyber defenders by providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere.

All Posts by Cybereason Security Team