Ransomware is a constantly changing threat. It's like a game of whack-a-mole for researchers: as soon as you think you've understood one group, they rebrand or change tactics.
Ransomware Groups: Names and Tactics
Ransomware groups often change their names and tactics. It's like how fashion trends change, but much more dangerous. For example, a group might start as "Group A," then change to "Group B" after a few months. This makes it hard for researchers to keep track.
Each group has its own tactics, techniques, and procedures (TTPs). These are like the group's signature moves. Over time, these TTPs can change, making it even harder to track them.
Tracking Ransomware Groups
Researchers use various methods to track these groups. One helpful resource is the "Ransomware Playbook," a Google Sheet maintained by Seongsu Park. This sheet lists the TTPs of different groups. You can check it out here.
However, it’s not always straightforward. Affiliates (the people who help spread the ransomware) don't stick to one group. They might use the same TTPs for different groups, adding to the confusion.
Group Evolution Over Time (2024 Update)
| Original Group | Evolution 1 | Evolution 2 | Evolution 3 | Evolution 4 |
|---|---|---|---|---|
| Cerber | GandCrab | REvil (Sodinokibi) | - | - |
| BitPaymer | Doppel Paymer | Grief | - | - |
| Wasted Locker | Hades | Phoenix | Macaw | - |
| MAZE | Sekhmet | Egregor | - | - |
| DarkSide | BlackMatter | BlackCat/ALPHV | - | - |
| Defray777 | RansomEXX | - | - | - |
| Mount Locker | Astro Locker | Xing Locker | - | - |
| Vasa Locker | Babuk | Payload.bin | Groove | - |
| SynACK | El_Cometa | - | - | - |
| Prometheus | Spook | - | - | - |
| Nemty | Nefilim | Karma | - | - |
| Hermes | Ryuk | Conti | BlackBasta, Karakurt, & others | - |
| Quantum | DAGON Locker | - | - | - |
| Chaos | Yashma | ONYX | SolidBit | - |
| MedusaLocker | Medevil | - | - | - |
| SunCrypt | MoonCrypt | - | - | - |
| FiveHands | EvilCorp | - | - | - |
Key Changes in 2024:
Phoenix evolved into Macaw.
BlackCat/ALPHV emerged from BlackMatter.
ONYX evolved into SolidBit.
Groove emerged from Payload.bin.
BlackBasta and Karakurt continued to evolve from Conti.
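The two tracking problems above, rebrands that make one lineage look like several actors and affiliates that carry the same TTPs between groups, can both be handled in a small triage helper. This is an added example, not code from the original post or from the Ransomware Playbook sheet; the lineage rows are taken from the evolution table on this page, while the TTP profiles are constructed sample data using ATT&CK technique IDs and do not describe any real group.

```python
"""Resolve rebranded ransomware names to one lineage, then measure how
ambiguous TTP-only attribution becomes when groups share the same TTPs."""
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple

# Lineage rows copied from this page's evolution table (Original -> Evolution N).
LINEAGES = [
    ["Cerber", "GandCrab", "REvil (Sodinokibi)"],
    ["BitPaymer", "Doppel Paymer", "Grief"],
    ["DarkSide", "BlackMatter", "BlackCat/ALPHV"],
    ["Hermes", "Ryuk", "Conti", "BlackBasta", "Karakurt"],
    ["Chaos", "Yashma", "ONYX", "SolidBit"],
]

# Every alias (case-insensitive) maps back to the lineage's original name.
ALIAS_TO_ROOT = {name.lower(): row[0] for row in LINEAGES for name in row}


def resolve_lineage(name: str) -> Optional[str]:
    """Return the original group name for any rebranded alias, or None."""
    return ALIAS_TO_ROOT.get(name.strip().lower())


def dedupe_reports(reports: List[str]) -> Dict[str, List[str]]:
    """Bucket report names by lineage so a rebrand is not counted as a new actor."""
    grouped: Dict[str, List[str]] = {}
    for n in reports:
        grouped.setdefault(resolve_lineage(n) or "unknown", []).append(n)
    return grouped


# Constructed sample TTP profiles (ATT&CK IDs) for illustration only, NOT real data.
SAMPLE_TTPS: Dict[str, Set[str]] = {
    "BlackBasta": {"T1486", "T1021.002", "T1059.001", "T1490"},
    "BlackCat/ALPHV": {"T1486", "T1021.002", "T1059.001", "T1567"},
    "Karakurt": {"T1567", "T1021.002", "T1059.001"},
}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Set overlap in [0, 1]; 1.0 means identical TTP profiles."""
    return len(a & b) / len(a | b) if a | b else 0.0


def attribution_ambiguity(ttps: Dict[str, Set[str]],
                          threshold: float = 0.5) -> List[Tuple[str, str, float]]:
    """Pairs whose TTP overlap reaches the threshold: TTPs alone cannot separate them."""
    return [(x, y, round(jaccard(ttps[x], ttps[y]), 2))
            for x, y in combinations(sorted(ttps), 2)
            if jaccard(ttps[x], ttps[y]) >= threshold]
```

Run `dedupe_reports(["Ryuk", "conti", "BlackBasta"])` to see three "different" names collapse into the Hermes lineage, and `attribution_ambiguity(SAMPLE_TTPS)` to see which sample profiles are too similar to attribute on TTPs alone.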
New Ransomware Groups in 2024:
Raspberry Robin: New ransomware variant targeting industrial control systems.
HydraCrypt: Known for its sophisticated encryption methods and targeting financial institutions.
NightSky: Focuses on healthcare and has caused significant disruptions in hospitals.
PolarBear: Targeting cloud infrastructure with advanced evasion techniques.
SilverStorm: Primarily targets government entities and critical infrastructure.
Top Five Industries Hit in 2024:
Healthcare
Financial Services
Manufacturing
Education
Government
Top Five Active Ransomware Groups in 2024:
BlackCat/ALPHV: Continues to evolve with new tactics and significant impact.
BlackBasta: Increased activity targeting a variety of sectors.
Conti: Despite setbacks, remains active with new offshoots like Karakurt.
Raspberry Robin: New but highly disruptive, especially in industrial sectors.
SilverStorm: Notable for targeting critical infrastructure with advanced methods.
A few more known ransomware groups as of 2024:
Akash Patel