Ransomware is a significant threat vector, costing businesses, corporations, and infrastructure operators billions of dollars annually. Behind these threats lie professional ransomware gangs creating and distributing malware that makes the attacks possible.
Some of these groups attack victims directly, while others run the popular Ransomware-as-a-Service (RaaS) model that enables affiliates to extort specific organizations.
With the ransomware threat constantly rising, knowing the enemy and how they operate is the only way to stay ahead. So, here’s a list of the top five deadliest ransomware groups disrupting the cybersecurity landscape.
The REvil ransomware group, a.k.a. Sodinokibi, is a Russia-based ransomware-as-a-service (RaaS) operation that first appeared in April 2019. It’s considered one of the most ruthless ransomware groups with links to the Russian Federal Service Agency (FSB).
The group quickly attracted the attention of cybersecurity professionals for its technical prowess and the audacity to go after high-profile targets. 2021 was the most profitable year for the group as it targeted multiple multinational enterprises and disrupted several industries.
In March 2021, REvil attacked the electronics and hardware corporation Acer and compromised its servers. The attackers demanded $50 million for a decryption key and threatened to increase the ransom to $100 million if the company didn’t meet the group’s demands.
A month later, the group carried out another high-profile attack against the Apple supplier, Quanta Computers. It attempted to blackmail both Quanta and Apple, but neither company paid the demanded $50 million ransom.
The REvil ransomware group continued its hacking spree and targeted JBS Foods, Invenergy, Kaseya, and several other businesses. JBS Foods was forced to temporarily shut down its operations and paid an estimated $11 million ransom in Bitcoin to resume operations.
The Kaseya attack brought some unwanted attention to the group as it directly affected more than 1,500 businesses worldwide. Following some diplomatic pressure, the Russian authorities arrested several group members in January 2022 and seized assets worth millions of dollars. But this disruption was short-lived as the REvil ransomware gang has been back up and running since April 2022.
Conti is another infamous ransomware gang making headlines since late 2018. It uses the double extortion method, meaning that the group withholds the decryption key and threatens to leak sensitive data if the ransom is not paid. It even runs a leak website, Conti News, to publish the stolen data.
What makes Conti different from other ransomware groups is the lack of ethical limitations on its targets. It conducted several attacks in the education and healthcare sectors and demanded millions of dollars in ransom.
The Conti ransomware group has a long history of targeting critical public infrastructures such as healthcare, energy, IT, and agriculture. In December 2021, the group reported that it compromised Indonesia’s central bank and stole sensitive data amounting to 13.88 GB.
In February 2022, Conti attacked an international terminal operator, SEA-invest. The company operates 24 seaports across Europe and Africa and specializes in handling dry bulk, fruit and food, liquid bulk (oil and gas), and containers. The attack affected all the 24 ports and caused significant disruptions.
Conti had also compromised the Broward County Public Schools in April and demanded $40 million in ransom. The group leaked stolen documents on its blog after the district refused to pay the ransom.
More recently, the Costa Rican president had to declare a national emergency following attacks by Conti on several government agencies.
The DarkSide ransomware group follows the RaaS model and targets big businesses to extort large amounts of money. It does so by gaining access to a company’s network, usually through phishing or brute force, and encrypts all the files on the network.
There are several theories regarding the origins of the DarkSide ransomware group. Some analysts think it’s based in Eastern Europe, somewhere in Ukraine or Russia. Others believe the group has franchises in multiple countries, including Iran and Poland.
The DarkSide group makes huge ransom demands but claims to have a code of conduct. The group claims that it never targets schools, hospitals, government institutions, and any infrastructure that affects the public.
However, in May 2021, DarkSide carried out the Colonial Pipeline attack and demanded $5 million in ransom. It was the largest cyberattack on oil infrastructure in US history and disturbed the supply of gasoline and jet fuel in 17 states.
The incident sparked conversations about the security of critical infrastructure and how governments and companies must be more diligent about protecting them.
Following the attack, the DarkSide group tried to clear its name by blaming third-party affiliates for the attack. However, according to The Washington Post, the group decided to shut down its operations after mounting pressure from the United States.
The DoppelPaymer ransomware is a successor of the BitPaymer ransomware that first appeared in April 2019. It uses the unusual method of calling victims and demanding a ransom in bitcoins.
DoppelPaymer claims to be based in North Korea and follows the double extortion ransomware model. The group’s activity declined weeks after the Colonial Pipeline attack, but analysts believe it rebranded itself as the Grief group.
DopplePaymer frequently targets oil companies, automakers, and critical industries such as healthcare, education, and emergency services. It’s the first ransomware that caused the death of a patient in Germany after the emergency service personnel couldn’t communicate with the hospital.
The group made headlines when it published voter information from Hall County, Georgia. Last year, it also compromised the customer-facing systems of Kia Motors America and stole sensitive data. The group demanded 404 bitcoins in ransom, roughly equivalent to $20 million back then.
LockBit has lately been one of the most prominent ransomware gangs, thanks to the decline of other groups. Since its first appearance in 2019, LockBit has seen unprecedented growth and evolved its tactics significantly.
LockBit started as a low-profile gang initially but gained popularity with the launch of LockBit 2.0 in late 2021. The group follows the RaaS model and employs the double extortion tactic to blackmail victims.
LockBit is currently an impactful ransomware group, accounting for over 40 percent of all ransomware attacks in May 2022. It attacks organizations in the US, China, India, and Europe.
Earlier this year, LockBit targeted Thales Group, a French electronics multinational, and threatened to leak sensitive data if the company didn’t meet the group’s ransom demands.
It also compromised the French Ministry of Justice and encrypted their files. The group now claims to have breached the Italian tax agency (L’Agenzia delle Entrate) and stolen 100 GB of data.
Protecting Against Ransomware Attacks
Ransomware continues to be a thriving black market industry, generating billions of dollars in revenue for these notorious gangs each year. Given the financial benefits and the increasing availability of the RaaS model, the threats are only bound to increase.
As with any malware, being vigilant and using appropriate security software are steps in the right direction to combat ransomware. If you aren’t ready to invest in a premium security tool yet, you can use Windows’s built-in ransomware protection tools to keep your PC safe.