Posted by Trevagh Stankard on Tue, Jul 13th, 2021
The ‘hacking group’ has risen to infamy as cyber-attacks take on epic proportions. But why do these nefarious characters huddle together to form these groups? What’s in it for them? Is this about a brotherhood or sisterhood in arms? Or is it more about the collective being more effective than an individual at exerting pressure to pay huge ransoms, taking down DNS servers to debilitate the internet, and so on?
With names like REvil and DarkSide, these criminal collaborations seem to be everywhere and are taking ransomware to new heights of success. This post will look at three examples of these hacking groups that have been responsible for some of the most damaging ransomware attacks of recent times.
Why Form Ransomware Hacking Groups?
The meme of the lone hacker, hunched over, wearing a hoodie, and creating malicious code entered our cultural lexicon for a reason: hackers were often individuals. However, the last couple of decades have seen the emergence and cementing of groups of hackers that work together, often pooling complementary skills, to deliver complex cyber-attacks.
A hacker group is the equivalent of a criminal gang in the real world. The language associated with hacking groups can often belie the fact that these individuals are simply criminals. One possible deviation from traditional criminal gangs is that hackers tend to romanticize their actions, often comparing themselves to some form of superhero.
The criminal nature of hacking is most obvious in ransomware. Ransomware is about money. This cybercrime is a far cry from any possible notion of ‘hacktivism’ or of cyber-attacks representing “anger against the system”. No, ransomware is purely and simply a way to extort vast amounts of money from legitimate companies.
By coming together as a group of individuals, hacking groups create a dream team or possibly more accurately, a dream supply chain. This team works together for a common goal, to develop, deliver, extort, and cash in on ransomware attacks.
Three of the Most Notorious Ransomware Hacking Groups
Perhaps the best way to describe how a hacking group operates is to look at some examples of ransomware delivered via a hacking group.
REvil
REvil recently attacked the French electronics manufacturer Asteelflash. The ransom demand was a whopping $24 million. REvil not only encrypted data during the attack but also stole large amounts of data as a lever to put pressure on the company to pay the ransom. This double-extortion tactic is the latest trick in the tale of ransomware gangs: if the victim refuses to pay, REvil posts the stolen data on a leak site known as “Happy Blog”. Some U.S. cybersecurity experts believe that REvil (along with other ransomware hacking groups) is protected by Russian intelligence or the Russian government.
One striking characteristic of modern ransomware groups is the scale of operations. This is achievable by using a collective approach and an affiliate business model, based on Ransomware-as-a-Service delivery of the ransomware components, to build momentum.
REvil demonstrates well the business efficiency and operational capability of ransomware attacks carried out by a collective of individuals working towards the common goal of making a large amount of money. This business-like approach to cybercrime is demonstrated in an exposé on REvil by CNBC. In it, a researcher from Arete Incident Response describes a job advert for a position with the gang; the job was to gain initial access to victim networks.
Egregor
Egregor started out as the Maze ransomware gang. Maze was less a gang and more a collection of affiliates using ransomware-as-a-service to target specific industry sectors.
Ransomware gangs often like to glamorize what they do by using names associated with mythology and the like. Sophos researchers recently noted the rebranding of Maze as Egregor, which according to Sophos, is a word derived from the Greek word ἑγρήγορος used to describe a ‘group mind’. The Egregor ransomware has been used to target schools, with around 130 schools attacked by the ransomware in 2021.
DarkSide
The DarkSide hacking group was behind the massive Colonial Pipeline ransomware attack. The attack shut down 5,500 miles of pipeline badly impacting the U.S. critical infrastructure. The attackers demanded a ransom of $5 million equivalent in bitcoin. DarkSide is a highly sophisticated hacking group that even runs a press center called “DarkSide Leaks”.
DarkSide is known to go after big targets and use the Ransomware-as-a-Service (RaaS) model. DarkSide and its RaaS affiliates are masters of reconnaissance. They will explore their targets, find out about their revenue, look for vulnerabilities and misconfigurations, and calculate their likelihood of success at extracting a large payout.
DarkSide has said that it will only target large organizations and that its affiliates will not go after smaller organizations or those in healthcare and the public sector. The group has even claimed on its press center that it donates to charity. However, some countries, including the USA, preclude charities from accepting money obtained illegally.
Protecting Your Company Against Ransomware Hacking Gangs
Hacking gangs will stop at nothing to steal data and extort large sums of money. They work as a collective, bringing together affiliates and an extended supply chain with all the skills needed to operate on a global scale. Their mentality is one of getting business done, and they will even attempt to justify their actions by offering charitable donations. But this pretense of altruism does not hide their nefarious aims of theft and extortion.
Organizations must prepare to stop the ransomware gang at the point of entry. The main ways that ransomware gets into a network are:
Malicious attachments: Phishing emails carrying weaponized attachments (macro-enabled Office documents, scripts, executables disguised as documents) deliver the initial malware directly into an organization.
Via the supply chain: Chinks in a supply chain can lead to a ransomware infection. Several recent ransomware attacks have used managed service providers (MSPs) and their remote-management tools as an entry point into a larger organization.
Server vulnerabilities: Zero-day vulnerabilities such as those found in Microsoft Exchange have led to ransomware infections.
Remote work and RDP (Remote Desktop Protocol) connections: The increased use of RDP because of remote work has opened a gateway for ransomware; RDP endpoints exposed to the internet with weak or reused credentials are brute-forced, and the stolen logon is used as the initial foothold.
Preventing ransomware infection via sophisticated hacking groups is a challenge, but certain measures can help prevent the infection from taking hold:
The hacking group REvil is believed to have made around $100 million from ransomware activities. This level of success means that hacking groups will continue to wreak havoc on businesses the world over. Fortunately, even as these gangs become flush with success, smarter technologies, coupled with knowledgeable employees, provide the protection needed to stop ransomware in its tracks.
Protect your organization from ransomware groups with layered security. Talk to a security expert today and discover how TitanHQ can protect your organization from ransomware attacks.