Up Close and Personal with 5 of the Latest Ransomware Villains | DataLocker Inc. 

02.12.22

Up Close and Personal with 5 of the Latest Ransomware Villains

Ransomware has managed to carve out an incomparable legacy of destruction. In its wake are countless victims, a mess of compromised IT environments, and billions of dollars in damages. To compound the bad news, this global phenomenon is showing no signs of slowing down. 

So, what makes ransomware so difficult to stop? The answer is simple — evolution.

Just when defenders seem to get a handle on one strain, a new one emerges to exploit fresh weaknesses across the IT landscape. This proliferation is largely driven by ransomware-as-a-service (RaaS), which borrows the cloud's subscription model: a core group develops and maintains the malware, the payment portal and the leak site, while affiliates with far less skill carry out the intrusions with that ready-made tooling and hand over a share of each ransom.

Ransomware comes in many forms, and no two variants are the same. This post will give you an idea of what we’re up against by exploring some of the latest threats in the wild. 

1. Conti 

First spotted in May 2020, Conti typically reaches its targets through phishing emails that link to a file hosted on Google Drive. When the recipient follows the link, a page reports that the file cannot be previewed in the browser and suggests downloading it instead. True to established malware practice, doing so drops the malicious executable onto the user's system. Once run, it installs a backdoor that beacons to a command-and-control (C2) server, from which the operators push down additional tooling.

Widely regarded as the successor to Ryuk, Conti stands out from the ransomware pack by working in concert with other tools, both legitimate and malicious. For example, it abuses the Windows Restart Manager, an API built so that installers can cleanly close applications holding files open, to shut down programs whose open handles would otherwise block encryption; that lets the malware reach far more files, including databases and documents in use. Conti is also closely tied to the infamous TrickBot Trojan, which commonly serves as the loader that gets the operators into a network before the Conti encryptor itself is deployed.

2. Hive 

Ransomware is usually named after the group that deploys it, and Hive, a relatively new variant that has wreaked havoc on the healthcare sector, is a classic example. The so-called Hive gang is reportedly behind the August 2021 attack on Memorial Health System, which exposed a wealth of sensitive patient data, including names, Social Security numbers, home addresses, and medical histories. While the reported initial demand of $240 million seems unlikely, Memorial's CEO confirmed that a payment was indeed made to unlock the data.

Hive is another variant that relies on tried and proven phishing to land on targeted systems. To evade existing defenses it stops anti-virus and backup services, deletes volume shadow copies, and disables the system's own copy, backup and restore functions, so the on-host recovery points a victim would normally fall back on are gone before encryption starts. A ransom note is dropped in every affected directory explaining how the victim can purchase the decryption key and reclaim their information. If no ransom is paid, Hive publishes the stolen data on HiveLeaks, a Tor-based site reachable by anyone with a Tor browser.

3. LockBit 2.0 

Offered through the RaaS model, LockBit became a go-to weapon for cyber criminals, and its standing grew further with an updated variant that security researchers have dubbed LockBit 2.0. A distinguishing trait of the new version is the unconventional approach its operators take to gaining initial access: the gang openly advertises payment to insiders willing to hand over access to their employer's network. It has also found success by exploiting vulnerabilities in VPN appliances and other internet-facing services.

For today's ransomware actors, exfiltrating data matters as much as encrypting it. If a victim refuses to pay, LockBit 2.0 can lean on a number of complementary tools to apply pressure. Its in-house exfiltration Trojan StealBit, built to pull large volumes of data out of a network quickly, and Cobalt Strike, a legitimate adversary-simulation framework whose beacon is routinely abused for command and control, are among the tools linked to the group.

4. Yanluowang 

Some hackers take a more philosophical approach to naming their ransomware. Take Yanluowang, for instance. Named after Yanluo Wang, the deity of Chinese religious lore who passes judgment on the dead, this variant was spotted in October 2021 and has since been tied to attacks on several large US firms. Although it seems to favor the financial sector, it has also been implicated in attacks against consultancies, engineering companies, and IT service providers.

On closer analysis, researchers found that Yanluowang's files were digitally signed, a technique threat actors have increasingly adopted to slip past anti-virus scanners and built-in trust checks. The caveat for defenders is that a valid signature only proves who signed the file, not that it is benign: allow-listing should key on a known publisher certificate and file hash, never on the mere presence of a signature. Once executed, the ransomware terminates hypervisor, database and backup processes so that the virtual machine images, database files and backups they hold open can be encrypted. Finally, it appends a .yanluowang extension to each encrypted file and drops a ransom note warning the victim not to contact law enforcement before making payment arrangements.
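Yanluowang's renaming of encrypted files to a .yanluowang extension, and the per-directory ransom notes and backup tampering described for the other variants, are all observable on the file system itself, which is what the script below watches. It is an added example written for this post, not code from DataLocker or from any of the groups named here: it plants canary documents across a directory tree, records their hashes, and on each sweep reports canaries that changed or disappeared plus any file carrying a known encryptor extension. The canary file names and the throwaway directory built in demo() are assumptions; only .yanluowang comes from this post, and a defender would extend SUSPECT_EXTENSIONS from their own threat intelligence.

```python
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Extension named on this page for Yanluowang. Assumed starting point only: a defender
# extends this set from their own threat intelligence.
SUSPECT_EXTENSIONS = {".yanluowang"}

# Canary names are an assumption for this example. The leading "!" sorts them to the top
# of a listing so an encryptor walking directories in order touches them early.
CANARY_NAMES = ("!canary-do-not-edit.docx", "!canary-do-not-edit.xlsx")


def plant_canaries(root: Path) -> dict[str, str]:
    """Write a canary document in every directory under root; return a {path: sha256} baseline."""
    baseline: dict[str, str] = {}
    for dirpath, _, _ in os.walk(root):
        for name in CANARY_NAMES:
            p = Path(dirpath) / name
            p.write_bytes(b"CANARY FILE - DO NOT EDIT\n" * 64)
            baseline[str(p)] = hashlib.sha256(p.read_bytes()).hexdigest()
    return baseline


@dataclass
class SweepReport:
    suspect_extension: list[str] = field(default_factory=list)  # files renamed by an encryptor
    tampered_canaries: list[str] = field(default_factory=list)  # canary bytes changed
    missing_canaries: list[str] = field(default_factory=list)   # canary renamed or deleted

    @property
    def alarmed(self) -> bool:
        return bool(self.suspect_extension or self.tampered_canaries or self.missing_canaries)


def sweep(root: Path, baseline: dict[str, str]) -> SweepReport:
    """One pass over the tree: flag suspect extensions and re-hash every canary against the baseline."""
    report = SweepReport()
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in SUSPECT_EXTENSIONS:
                report.suspect_extension.append(str(p))
    for path, digest in baseline.items():
        p = Path(path)
        if not p.is_file():
            report.missing_canaries.append(path)
        elif hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            report.tampered_canaries.append(path)
    return report


def demo() -> tuple[SweepReport, SweepReport]:
    """Walk-through on a throwaway tree (constructed fixture, not a real incident)."""
    tmp = Path(tempfile.mkdtemp(prefix="canary-demo-"))
    try:
        (tmp / "finance").mkdir()
        (tmp / "finance" / "q3.xlsx").write_bytes(b"quarterly numbers")
        baseline = plant_canaries(tmp)
        before = sweep(tmp, baseline)  # clean tree: nothing to report
        # Mimic the two visible effects of an encryptor. No encryption happens here:
        # one document is renamed and one canary is overwritten with random bytes.
        (tmp / "finance" / "q3.xlsx").rename(tmp / "finance" / "q3.xlsx.yanluowang")
        (tmp / CANARY_NAMES[0]).write_bytes(os.urandom(64))
        after = sweep(tmp, baseline)
        return before, after
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    before, after = demo()
    print("clean tree alarmed:", before.alarmed)
    print("after tampering alarmed:", after.alarmed, after)
```

Run the sweep from a scheduled task on file servers and treat any alarm as a trigger to isolate the host, since by the time a canary changes the encryptor is already running; the hash comparison catches an in-place overwrite even when the attacker keeps the original file name.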

5. DarkSide 

Most ransomware crews prefer to operate in the shadows, limiting their visibility even within the cybercriminal community. Others can't resist the limelight. DarkSide rose to infamy in the summer of 2020, going so far as to announce its ransomware in a professionally written press release. The gang claims it does not target hospitals, schools, or non-profits, preferring large, high-revenue organizations that can afford its lofty ransom demands.

DarkSide is known for its effective use of stealth. Each build is tailored to the individual target, with customized code and per-victim connection hosts that make the attacks difficult to trace. It also exercises patience before encrypting, taking time first to scope out the environment: hijacking privileged accounts, harvesting credentials and other valuable data, and deleting backups so that recovery without payment is off the table. The sophistication of its attacks and the profile of its victims, most notably Colonial Pipeline in May 2021, prompted the US government to offer a $10 million reward for information leading to the identification or location of DarkSide's leaders.
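Hive's disabling of backup and restore functions and DarkSide's deletion of backups leave the same fingerprints in process-creation telemetry: shadow copies deleted, the backup catalog removed, boot recovery switched off, backup and security services stopped. The detector below is an added example written for this post, not tooling from any vendor or group named here. It runs a small rule set over constructed sample events (the host names, users and timestamps are made up, and the pipe-separated layout is an assumed format rather than a real Sysmon or EDR schema) and rolls the hits up per host, because several of these within seconds on one machine is the moment to isolate it. Conti's Restart Manager abuse is an API call rather than a command line, so it needs EDR-level visibility and will not show up in this kind of log.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample events (made-up hosts, users and times), one per line in an
# assumed layout: timestamp | host | user | parent process | command line.
SAMPLE_EVENTS = r"""
2021-08-15T02:11:03Z | FS01 | CORP\svc_backup | services.exe | C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet
2021-08-15T02:11:04Z | FS01 | CORP\svc_backup | cmd.exe | wmic shadowcopy delete
2021-08-15T02:11:05Z | FS01 | CORP\svc_backup | cmd.exe | bcdedit /set {default} recoveryenabled No
2021-08-15T02:11:06Z | FS01 | CORP\svc_backup | cmd.exe | wbadmin delete catalog -quiet
2021-08-15T02:11:07Z | FS01 | CORP\svc_backup | cmd.exe | net stop "SQLWriter" /y
2021-08-15T02:11:08Z | WS-ALICE | CORP\alice | explorer.exe | "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Documents\budget.docx"
2021-08-15T02:11:09Z | SRV-DB2 | CORP\admin.jo | powershell.exe | powershell -nop -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
2021-08-15T02:11:10Z | FS02 | CORP\it.backup | cmd.exe | vssadmin list shadows
"""


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str  # MITRE ATT&CK technique ID
    pattern: re.Pattern


# Native Windows ways of destroying on-host recovery points (T1490) and stopping the
# services that would hold backup or database files open (T1489).
RULES = [
    Rule("shadow copies deleted (vssadmin)", "T1490",
         re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    Rule("shadow storage shrunk to evict copies (vssadmin)", "T1490",
         re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    Rule("shadow copies deleted (wmic)", "T1490",
         re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    Rule("shadow copies deleted (PowerShell/WMI)", "T1490",
         re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b", re.I)),
    Rule("backup catalog deleted (wbadmin)", "T1490",
         re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I)),
    Rule("boot recovery disabled (bcdedit)", "T1490",
         re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    Rule("backup or security service stopped", "T1489",
         re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\s+[\"']?(vss|sql\w*|veeam\w*|backup\w*|acronis\w*|windefend|sense)\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    technique: str
    command: str


def parse_event(line: str) -> dict[str, str] | None:
    """Split one line into its five fields; maxsplit keeps pipes inside the command line intact."""
    parts = [p.strip() for p in line.split(" | ", 4)]
    if len(parts) != 5:
        return None
    return dict(zip(("timestamp", "host", "user", "parent", "command"), parts))


def scan_events(log_text: str) -> list[Finding]:
    """Apply every rule to every event's command line."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        for rule in RULES:
            if rule.pattern.search(event["command"]):
                findings.append(Finding(event["timestamp"], event["host"], event["user"],
                                        rule.name, rule.technique, event["command"]))
    return findings


def hosts_at_risk(findings: list[Finding], min_hits: int = 2) -> list[str]:
    """Hosts with at least min_hits recovery-inhibition hits: a burst on one machine is the
    strongest signal that encryption is about to start there."""
    hits = Counter(f.host for f in findings)
    return sorted(host for host, n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.timestamp} {f.host:8} {f.technique} {f.rule}: {f.command}")
    print("isolate:", hosts_at_risk(found))
```

Note the last sample line: `vssadmin list shadows` is legitimate administrative use and must not fire, which is why every rule requires the destructive verb rather than just the binary name. A single hit from a backup operator's account can be benign; five in five seconds on a file server is not.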

Timeless Ransomware Defense Measures 

As the list of ransomware attacks grows, the capabilities of these disruptive threats are sure to evolve alongside it. While each variant presents unique challenges, some basic measures reduce both the risk and the potential impact.

Adopt an endpoint security strategy: Cyber criminals will probe every possible entry point. Protect your network with layered controls, from USB ports and system logins to applications and mobile devices: device control for removable media, multi-factor authentication on remote and privileged logins, and endpoint detection that recognizes the behaviours described above, such as shadow-copy deletion or a sudden burst of file renames.

Keep systems up to date: Running outdated software is like leaving the door to your facility wide open. Make sure core systems and applications receive updates promptly to address known vulnerabilities, prioritizing internet-facing VPN and remote-access services of the kind LockBit exploits, and keep security tools configured to detect the latest threats.

Create a contingency plan: Reading through scores of ransomware horror stories, one theme stands out. Victims who prepared for the worst were better equipped to bounce back. Back up your data, keep multiple copies in multiple locations with at least one copy offline or otherwise unreachable from the production network, since Hive and DarkSide delete whatever backups and shadow copies they can reach, and test restores on a regular schedule so you know the copies can actually be recovered in a crisis.

Stay alert: For better or worse, ransomware is woven into the fabric of digital society. Make sure your staff knows how to identify, avoid, and report a potentially crippling attack, and use the many available resources to keep up with established and emerging threats alike.
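The advice above to test your backups, not just take them, is concrete enough to automate. The following is an added example written for this post rather than code from any backup product: it records a size and SHA-256 manifest of the protected data, then verifies a restored copy against that manifest and lists files that are missing, corrupted or unexpected (a ransom note restored alongside the data would land in the last bucket). The directory layout and file contents in demo() are constructed fixtures. The manifest is meant to be stored off-host, since a copy sitting on the victim machine is encrypted along with everything else.

```python
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so multi-gigabyte backups never load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, dict[str, object]]:
    """Relative path -> size and SHA-256 for every file under root. Keep the result off-host."""
    manifest: dict[str, dict[str, object]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": file_digest(p)}
    return manifest


@dataclass
class RestoreCheck:
    verified: int = 0
    missing: list[str] = field(default_factory=list)     # in manifest, absent from the restore
    corrupted: list[str] = field(default_factory=list)   # present but size or hash differs
    unexpected: list[str] = field(default_factory=list)  # in the restore, never in the manifest

    @property
    def ok(self) -> bool:
        return not (self.missing or self.corrupted)


def verify_restore(manifest: dict[str, dict[str, object]], restored_root: Path) -> RestoreCheck:
    """Compare a restored tree against the manifest taken from the original data."""
    result = RestoreCheck()
    seen: set[str] = set()
    for dirpath, _, files in os.walk(restored_root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(restored_root).as_posix()
            seen.add(rel)
            expected = manifest.get(rel)
            if expected is None:
                result.unexpected.append(rel)
            elif p.stat().st_size != expected["size"] or file_digest(p) != expected["sha256"]:
                result.corrupted.append(rel)
            else:
                result.verified += 1
    result.missing = sorted(set(manifest) - seen)
    result.corrupted.sort()
    result.unexpected.sort()
    return result


def demo() -> tuple[RestoreCheck, RestoreCheck]:
    """Constructed fixture: a tiny source tree, one faithful restore and one damaged restore."""
    work = Path(tempfile.mkdtemp(prefix="restore-test-"))
    try:
        src = work / "source"
        (src / "hr").mkdir(parents=True)
        (src / "hr" / "payroll.csv").write_text("id,name\n1,alice\n2,bob\n")
        (src / "notes.txt").write_text("three copies, two media, one offline\n")
        manifest = build_manifest(src)

        good = Path(shutil.copytree(src, work / "restore-good"))
        clean = verify_restore(manifest, good)

        bad = Path(shutil.copytree(src, work / "restore-bad"))
        (bad / "hr" / "payroll.csv").write_bytes(b"\x00" * 8)  # media error: zeroed block
        (bad / "notes.txt").unlink()                           # never made it onto the backup
        (bad / "stray-note.txt").write_text("constructed stand-in for a file that should not be in a backup\n")
        broken = verify_restore(manifest, bad)
        return clean, broken
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    clean, broken = demo()
    print("clean restore ok:", clean.ok, "files verified:", clean.verified)
    print("damaged restore ok:", broken.ok, broken)
```

A restore test that only checks the job finished without errors would have passed the damaged copy above; comparing every file against a manifest built before the backup ran is what turns "we have backups" into "we can recover".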

DataLocker's encrypted USB drives can strengthen your resilience against ransomware. Contact our customer service team to arrange a custom demo today.