Ransomware groups continue to evolve their tactics and techniques to deploy file-encrypting malware on compromised systems, despite law enforcement's disruptive actions against cybercrime gangs aimed at preventing further companies from falling victim.
“Be it law enforcement, infighting between groups, or people abandoning variants altogether, the RaaS [ransomware-as-a-service] groups that dominate the ecosystem at this point are completely different than they were just a few months ago,” Intel 471 researchers said in a report published this month. “However, even with a change in variants, overall ransomware incidents are still on the rise.”
Law enforcement raids carried out by government agencies in recent months have brought about rapid change in the RaaS landscape and turned the tide against ransomware operations such as Avaddon, BlackMatter, Cl0p, DarkSide, Egregor, and REvil, forcing the actors to slow down or shut down their operations entirely.
But just as these variants were fading, other newcomers stepped in to fill the void. Intel 471's findings uncovered a total of 612 ransomware attacks between July and September 2021 that could be attributed to 35 different ransomware variants.
Around 60% of the infections observed involved just four variants, topped by LockBit 2.0 (33%), Conti (15.2%), BlackMatter (6.9%), and Hive (6%), and primarily affected the manufacturing; consumer and industrial products; professional services and consulting; and real estate sectors.
Avos Locker is one of several groups that have not only seen an increase in attacks but also adopted new tactics to pursue their financially motivated schemes, chief among them the ability to disable endpoint security products on targeted systems by booting Windows into Safe Mode to execute the ransomware. The operators also install the AnyDesk remote administration tool to maintain access to the machine while it is running in Safe Mode.
“The reason for this is that many, if not most, endpoint security products do not run in Safe Mode, a special diagnostic configuration in which Windows disables most drivers and third-party software, and can make protected machines unsafe,” said SophosLabs principal security researcher Andrew Brandt. “The techniques deployed by Avos Locker are simple yet clever, with attackers ensuring that the ransomware has the best chance of running in Safe Mode and allowing attackers to maintain remote access to the machine during the attack.”
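The Safe Mode evasion described above leaves a recognisable trail in process-creation telemetry. The following detector is an added example written for this article, not code from Sophos, Intel 471 or any tool they describe; it runs over constructed log events and assumes that a Safe Mode boot is armed through `bcdedit` and that Safe-Mode-surviving services are registered under the `SafeBoot` registry key (both common Windows mechanisms, neither named in the article), with the AnyDesk install flags below also constructed for the sample.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (fields modelled loosely on
# Sysmon Event ID 1); they are not from any real incident.
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} safeboot network"},
    {"host": "ws-01", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AnyDesk /ve /d Service /f"},
    {"host": "ws-01", "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"},
    {"host": "ws-02", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /enum"},
]

# Each rule is a predicate over one event. A bcdedit "safeboot" value arms
# a Safe Mode boot; the SafeBoot registry key lists services Windows keeps
# running in Safe Mode; a remote-admin tool install next to them matches
# the access-retention step the article attributes to Avos Locker.
RULES = {
    "safeboot_configured": lambda e: e["image"].lower().endswith("bcdedit.exe")
        and "safeboot" in e["cmdline"].lower()
        and "/deletevalue" not in e["cmdline"].lower(),
    "safeboot_persistence": lambda e: re.search(
        r"\\control\\safeboot\\", e["cmdline"], re.I) is not None,
    "remote_admin_install": lambda e: "anydesk" in e["image"].lower()
        and "install" in e["cmdline"].lower(),
}

def detect_safe_mode_chain(events):
    """Group rule hits per host and escalate to high severity when a Safe
    Mode boot is armed and something is positioned to survive the reboot."""
    hits = defaultdict(set)
    for ev in events:
        for name, pred in RULES.items():
            if pred(ev):
                hits[ev["host"]].add(name)
    findings = {}
    for host, names in hits.items():
        chain = "safeboot_configured" in names and len(names) > 1
        findings[host] = {"rules": sorted(names),
                          "severity": "high" if chain else "medium"}
    return findings

if __name__ == "__main__":
    for host, f in detect_safe_mode_chain(SAMPLE_EVENTS).items():
        print(host, f["severity"], ", ".join(f["rules"]))
```

A lone `bcdedit /set ... safeboot` is a legitimate administrative action and is kept at medium severity; the chain with a SafeBoot service registration or a remote-access install is what distinguishes the pattern the article describes.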
For its part, Hive's RaaS program has been dubbed “aggressive” for using pressure tactics to force victim organizations to pay ransoms, with Group-IB linking the group to attacks on 355 companies as of October 16 since it emerged on the scene in late June 2021. Meanwhile, the Russian Everest ransomware group is taking its extortion tactics to the next level by threatening to sell off access to targeted systems if its demands are not met, the NCC Group said.
“While ransomware-as-a-service sales have been common in the last year, this is a rare case of a group denying ransom demands and providing access to IT infrastructure, but we could see clone attacks in 2022 and beyond,” the UK-based cybersecurity firm pointed out.
Furthermore, a relatively new ransomware family called Pysa (aka Mespinoza) replaced Conti as one of the top ransomware threat groups for November, alongside LockBit 2.0. The ransomware saw a 50% increase in the number of companies targeted and a 400% spike in attacks on government systems compared to October.
“As long as the developers can stay in the countries where they are granted safe harbor, the attacks will continue, albeit with different variations,” Intel 471 researchers said.