What's New with Ransomware Gangs?

The looming threat of new ransomware models was the top concern of executives in the fall of 2021, reported Gartner. Less than a year later, organizations find themselves facing an escalation of that very threat. 

While the threat landscape is filled with many of the same old actors, new ransomware gangs have surfaced within the past few months, bringing new techniques with them. As ransomware continues its quick pace of evolution, understanding the risk from complex RansomOps attacks and their impact to the business is key to implementing cybersecurity solutions that can prevent them.

New Ransomware Players, Trends and Tactics

While groups like PYSA and REvil have appeared to stop hacking (especially after REvil’s alleged “shutdown” earlier this year), new ransomware gangs have been quick to pop up. Some are using new methods, while others still capitalize on the old ones.

Between January and March 2022, two prolific ransomware gangs were quite active: Lockbit 2.0 and Conti. With Lockbit 2.0 responsible for 38% of ransomware attacks within that time frame, with Conti making up another 20%, you can expect to see their familiar tactics in action (regardless of what they are calling themselves). Both groups are known for threatening to post compromised data on leak sites in double extortion schemes unless the ransom is paid.

Inside the past year, we’ve also seen these less active (but no less dangerous) ransomware gangs disrupting organizations around the world: 

  • BlackCat/ ALPHV, a Ransomware as a Service (RaaS) platform, has been around since last November and plays off stolen user credentials while consistently implementing a double extortion strategy as well as occasionally resorting to triple extortion with a DDoS attack. Believed to be a descendent of BlackMatter and targeting no less than 60 organizations in March alone, BlackCat caused enough trouble to warrant its own FBI flash alert
  • Hive, not to be outdone, apparently outranked even BlackCat in the growth of its operations, ranking third in activity in March 2022 with 188% growth overall since February. It focuses over 30% of its efforts on the industrial sector, but is not afraid to target schools and healthcare, even forcing a hospital to use paper charts last June that caused the cancellation of urgent medical procedures. The FBI and CISA had to step in to help respond to the incident, which ultimately resulted in the hospital paying the ransom demand. Hive also employs a double extortion scheme, encrypting victims’ data and threatening to release it on its Tor site in the event of non-payment.
  • Vice Society, around since June of 2021 is also responsible for attacks on hospitals that have culminated in leaked patient information. It is similar to Hive in that both run a site where leaked data will be published if the ransom isn’t paid.
  • BlackByte took down the San Francisco 49ers’ corporate IT network a day after the FBI released a warning about the group. The attackers gained access via a known vulnerability within Microsoft Exchange, resulting in lateral movement across the network and file exfiltration and encryption. It falls under the category of Ransomware as a Service (RaaS) and does not target Russia or former Soviet Bloc regions.
  • Hello Kitty, also known as Five Hands, was responsible for a ransomware note left with game developer CD Projekt Red, the studio behind Cyberpunk 2077 and the Witcher trilogy. Their method: demand a ransom, then run DDoS interference if the victim refuses to pay, compromising their ability to organize an effective response.
  • Lapsus$ was also very active in the first quarter of this year. While the group made it widely into the media, they are suspected of having exaggerated claims and made dubiously backed allegations to increase their notoriety and put increased pressure on victims. Largely an extortionist gang (as opposed to one that would encrypt files), they were known for leaking victim information on their Telegram chat.
  • Night Sky, first observed during the last week of 2021, is yet another ransomware gang capitalizing on the double extortion model made popular by Maze in 2019 and in use ever since by at least 16 different groups. They exfiltrate your data, encrypt it and, as if that wasn’t enough, threaten to leak or sell your data should you refuse to pay.
  • Stormous is another ransomware group making headlines in 2022, largely by publicly pledging to support the Russian government in the wake of the Russian-Ukrainian conflict. Known as a “scavenger operation,” the group targets past victims of successful ransomware attacks by other groups and seeks to extort them again, but some security researchers were unable to verify many of their claims to compromise.
  • Zeon, yet another double extortion operator, was discovered by Twitter user dnwls0719 (a cybersecurity analyst) and is known for encrypting the victim’s files then fairly reliably delivering the decryption key upon payment.
  • Pandora is another ransomware gang that has made headlines. Over a weekend in March of this year, multibillion dollar automotive company Denso reported being attacked by the group, resulting in unauthorized access and the subsequent shutdown of all affected devices on the network. It is yet another in the growing pool of double-extortion attackers.
  • Sugar, another Ransomware as a Service (RaaS) platform, targets individual computers and is known to some as Encoded01. This particular gang was discovered by the Walmart Security Team and has been active since November of last year. RaaS is a light-weight service option for cybercriminals lacking heavy skills to leverage cheap ransomware attack services. 
  • And last but not least, the recently emerged Quantum Locker ransomware. First seen in August of 2021, their attacks are known for being incredibly fast, leaving their victims virtually defenseless. “The threat actors are using the IcedID malware as one of their initial access vectors, which deploys Cobalt Strike for remote access and leads to data theft and encryption using Quantum Locker,” states Bleeping Computer. 

As Gartner states, “the ransomware business model has become more specialized and otherwise efficient, including ‘ransomware-as-a-service,’ and demand for bitcoin payouts, resulting in a proliferation of attacks. The technology for the attacks themselves also evolves, with viruses that linger and infect backup systems, do not rely on phishing as a vector, harder-to-identify viruses such as ‘fileless’ and ‘crypto-jacking’ attacks.” 

For that reason, it becomes key to secure your ecosystem with solutions that can detect, prevent, and remediate ransomware at the source. 

Defending Against Ransomware Attacks

“While new models of ransomware attacks are frightening in their own right, the consequences for organizations are even worse,” says Matt Shinkman, vice president with the Gartner Risk and Audit practice. “Prolonged operational delays, data loss and exposure, as well as the reputational damage that follows, present potential existential risks to an organization that executives are all too well aware of, especially if the attacks occur as a result of inadequate cybersecurity controls.” 

Ransomware purveyors continue to move away from high-volume attacks with low ransom demands for more focused, custom attacks aimed at individual organizations selected for the ability to pay multi-million dollar ransom demands. These more complex ransomware operations, or RansomOps, involve highly targeted, complex attack sequences by sophisticated threat actors.

Cybereason recently published a whitepaper titled RansomOps - Inside Complex Ransomware Operations and the Ransomware Economy, which details this trend in more advanced, targeted ransomware attacks and the thriving ransomware ecosystem supporting them, as well as detailed guidance on how to prepare your organization to defend against these attacks.

Ransomware attacks are intensifying and becoming more sophisticated in their techniques. You can’t afford to give up any advantage by giving adversaries blind spots in which to hide or letting them overwhelm and distract your security teams when you fail to organize your tools or automate your tasks. If you lack the expertise or peoplepower, consider a Managed Security Service Provider (MSSP).


Cybereason is dedicated to teaming with Defenders to end ransomware attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about Cybereason AI-driven XDR here, browse our ransomware defense resources, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Anthony M. Freed
About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.

All Posts by Anthony M. Freed