By Cian Heasley, Threat Lead at Adarma
Ransomware is one of the most significant cyber threats to organisations today, disrupting schools, hospitals, governments, and businesses and endangering critical national infrastructure, all the while enriching a handful of elite cybercrime groups, with victims paying a staggering $1 billion last year alone.
As we observe Ransomware Awareness Month, it’s crucial to understand the evolution of ransomware and how criminals exploit it. To help raise awareness, we will explore Ransomware as a Service (RaaS), a business model revolutionising cybercrime, and highlight the top five most notorious RaaS groups responsible for some of the most damaging attacks.
RaaS is a business model that enables criminals to launch ransomware attacks without technical expertise. By purchasing RaaS kits from the dark web, attackers can access tools and support similar to what you’d expect from legitimate Software as a Service (SaaS) providers. These kits often include 24/7 support, bundled offers, user reviews, and forum or support channels on platforms such as Telegram, making it easy for anyone to become a cybercriminal. Some also come with sophisticated RaaS portals, which allow threat actors to manage attacks, view infected assets, calculate total payments, post stolen data and more.
There are several RaaS revenue models:
- Monthly subscriptions
- Affiliate programs with profit-sharing
- One-time license fees
- Pure profit sharing
Clop: Sometimes stylised as “Cl0p,” Clop has been a prominent name in the ransomware world since its emergence in 2019. Originating from the prolific TA505 cybercrime group, Clop initially targeted organisations through phishing campaigns and malicious email attachments. In 2023, Clop made headlines by exploiting CVE-2023-34362, a vulnerability in Progress Software’s MOVEit Transfer tool. This exploit enabled a widespread onslaught of data thefts, affecting numerous organisations worldwide and solidifying Clop’s reputation as a major cyber threat.
LockBit: Active since 2019, LockBit advertises primarily to Russian speakers and has a history of threatening to leak victim data to fellow criminals. The gang was responsible for 25% of ransomware attacks globally last year, targeting thousands of victims over the years, including over 200 UK businesses. Under pressure from stricter law enforcement action, the group has undergone multiple iterations in an effort to remain a prominent RaaS provider. Some of the group’s most prominent victims include Boeing, the Industrial and Commercial Bank of China (ICBC), the UK’s Royal Mail, sandwich chain Subway, and DP World.
REvil: Also known as Sodinokibi, REvil is infamous for its high ransom demands and sophisticated data leak strategies. Emerging in 2019, the group is associated with the criminal group PINCHY SPIDER. Its victims include Kaseya, JBS, Travelex, and Grubman Shire Meiselas & Sacks. Despite purported shutdowns by the Russian Federal Security Service following attacks on critical infrastructure, organisations should remain vigilant, as the group could regroup; implementing robust strategies to prevent similar attacks in the future remains crucial.
DarkSide: This group first emerged in August 2020 and has since targeted major enterprises. They gained notoriety for the Colonial Pipeline attack, which caused widespread disruption and resulted in a ransom payment of $4.4 million. DarkSide operators traditionally focused on Windows machines but have expanded to Linux environments, particularly targeting unpatched VMware ESXi hypervisors and stealing vCenter credentials. Having gone through various rebrands, they continue to exploit vulnerabilities in enterprise systems, emphasising their adaptability and persistent threat to critical infrastructure.
Qilin: Also known as Agenda, Qilin is believed to be a Russian ransomware group. It represents the newer, smaller, less centrally managed type of loosely organised criminal ransomware gang that has proliferated in the last few years. Its ransomware family includes several variants, such as those written in Golang and Rust for targeting Windows systems. Since December 2023, a specially developed version has been created to attack Linux virtual machines on VMware ESXi hypervisors. Most recently, the group was linked to the attack on third-party medical testing and diagnostics provider Synnovis (the largest in Europe), which led major health providers across London to issue an emergency declaration postponing non-emergency patient care and deferring operations requiring blood transfusion to other, unaffected hospitals (for more details, please see Adarma’s Threat Briefing on Qilin).
Protecting against RaaS involves a comprehensive approach that integrates technical defences, employee awareness, and robust incident response planning. Firstly, organisations should prioritise regular and secure backups of critical data stored in isolated environments, ensuring they can recover without paying ransom in case of an attack. Implementing strong access controls and multi-factor authentication (MFA) can mitigate unauthorised access attempts, a common entry point for ransomware operators.
Secondly, organisations must keep all software and systems up to date with the latest patches and security updates to prevent RaaS operators from exploiting known vulnerabilities. Deploying advanced endpoint protection solutions, including anti-malware software and intrusion detection systems, can help detect and block ransomware before it can execute. Network segmentation and monitoring are also critical to limit the spread of ransomware within an organisation’s infrastructure and to quickly identify suspicious activity.
Thirdly, fostering a culture of cybersecurity awareness among employees is crucial. Regular training sessions on phishing attacks, safe browsing habits, and recognising suspicious emails or attachments can significantly reduce the likelihood of a successful ransomware attack. Encouraging a proactive reporting culture where employees feel comfortable reporting potential security incidents promptly enhances overall organisational resilience against RaaS threats.
Ultimately, preparing and regularly testing an incident response plan tailored to ransomware scenarios is essential. This plan should include clear steps for containment, mitigation, and recovery, with defined roles and responsibilities for key personnel. Conducting tabletop exercises and simulations can help refine these processes and ensure readiness to swiftly respond to and recover from ransomware attacks, minimising operational disruption and financial impact.
Adarma provides customised cybersecurity solutions to assist businesses in achieving future-ready cyber resilience. Our approach enables organisations to decrease cyber risk by implementing effective threat intelligence, exposure management, and detection and response capabilities. We offer tailored threat intelligence, technological solutions, and strategic consultations that cater to our customers’ specific security requirements and business goals. Our expertise guarantees a balanced approach between security and operational efficiency, safeguarding our customers’ most crucial infrastructure and data.
Discover our tailored services and find out why we are the preferred security partner for FTSE 350 firms.
If you would like to learn more about how Adarma can support your organisation’s cyber resilience, please get in touch with us at hello@adarma.com.
To hear more from us, check out the latest issue of ‘Cyber Insiders,’ our C-suite publication that explores the state of the threat landscape, emerging cyber threats, and the most effective cybersecurity best practices.
You can also listen to our new podcast, which explores what it’s really like to work in cybersecurity in today’s threat landscape.
Stay updated with the latest threat insights from Adarma by following us on X and LinkedIn.