The same week in late February that Russian troops rolled into it Ukraine, one of the most powerful Kremlin-affiliated hacking gangs in the world, threatened to attack US and NATO allies. The so-called Conti Group, notorious for using ransomware to blackmail millions of hospitals and emergency services, now threatened to attack America’s critical infrastructure — vital systems like the power grid and water supply.
For three tense days, cyber defense professionals eagerly awaited the group’s next move. Then, without warning, the gang exploded.
Conti’s network was allegedly infiltrated by a Ukrainian security researcher who leaked the group’s secrets Twitter, including chat records, ransomware code, and financial details. The leak revealed that Conti was disorganized and prone to internal squabbles. They were also one of the most profitable hacking crews in the world.
Image: Unit 42
“Ransomware-as-a-Serviceknown as RaaS, has grown in popularity in recent years, with criminal gangs extorting cash extorted from healthcare providers, retailers, manufacturers, colleges, local governments, and many other organizations. Such systems are up 85% over the past year from 2020, and individual claims are up 144% to $2.2 million. The average payment rose 78% to about $541,000, according to a new report from Unit 42, a threat research team at Palo Alto Networks.
“The vast majority of ransomware actors are financially motivated. RaaS makes it much easier to launch attacks by lowering the barrier to entry and extending the reach of ransomware,” Unit 42’s Ryan Olson told CBS News. “The more organizations that pay ransoms, the more these actors invest in their ransomware organizations and are motivated to continue their efforts.”
Many hacking groups operate like a business run “by criminals for criminals, with agreements that set terms, often in exchange for monthly fees or a percentage of the ransom paid,” Olson said, adding that the groups are often divided into departments are that focus on tasks such as administration, coding, marketing, and security testing.
These three organizations accounted for more than a third of ransomware activity last year:
Conti
Conti’s growth has been astronomical and unprecedented, Olson said. In the two years before the leaks that led to the group’s implosion, their activities increased. Conti was responsible for more security incidents than any other ransomware gang. The group stole and released private information from over 600 companies and government organizations. Their average ransom demand has grown from just $178,000 in early 2020 to almost $1.8 million last year.
“They are ruthless,” Olson said, citing the group’s willingness to target more vulnerable targets such as hospitals, healthcare providers, local governments and law enforcement. “They work without a code of honor.”
In a dark web forum in February, Conti announced its “full support” for the Russian government and threatened to use its “full retaliatory capacity” if NATO allies cyberattacked Russia’s infrastructure.
Image: Conti / Krebs on the subject of safety
REvil
REvil is best known for challenging $70 million in 2021 from software infrastructure provider Kaseya, largest ransomware attack ever. The group did pioneering work Ransomware-as-a-Servicea business model that allows cybercriminals to sell their hacking expertise and launch attacks using their own proprietary ransomware software.
REvil’s software infected and locked down networked office workstations, often shutting down the affected company until a ransom demand was paid. REvil’s requirements varied depending on the size of the company and the type of data stolen. When a company didn’t pay, REvil doubled its ransom demands and released the stolen data. Analysts at Unit 42 noted that REvil’s average demand for 2021 has grown to $2.2 million, more than four times the $500,000 previously requested. Their highest ransom demand last year was $5.4 million.
The group was reportedly recently disbanded by Russia’s internal security agency at the request of multiple international law enforcement agencies, including US agencies.
Hello Kitty
The HelloKitty group may be less famous than rival ransomware gangs, but they are pioneers. In early 2020, a Linux variant of its ransomware targeted VMWare’s software used in data centers. HelloKitty is best known for allegedly stealing and releasing source code from Polish video game developer CD Projekt Red.
The gang, also known as FiveHands, prioritized corporate targets and deployed a multi-pronged attack, often threatening to release stolen data on the dark web and pounding victims with denial-of-service attacks if ransom demands were not met. Law enforcement officials believe the group operated out of eastern Ukraine prior to the Russian invasion.
While not as successful financially as other major ransomware gangs, HelloKitty’s tactics and technologies were innovative and inspired more famous ransomware operators.
“Cybercrime is a game of cat and mouse,” Olson said. “There are always ways to prevent attackers from being successful. However, attackers will evolve and innovate their tactics. It’s important to be prepared for the latest threats and know how to protect your business.”
Dan Patterson
