• Why IRONSCALES
    OUR VALUE
    • Protect Better
      Protect Better

      Gain protection against advanced email attacks like BEC, ATO, social engineering, and more

    • Simplify Operations
      Simplify Operations

      Turn hours-a-day to minutes-a-month combatting phishing with customizable security automation

    • Empower Your Org
      Empower Your Org

      Triple your org's email security awareness with real-world phishing simulation testing and training

    CUSTOMERS
    • Customers
      Customers

      Check out the benefits provided to our customers and their stories

    • flag
      Case Studies

      Explore inspiring success stories from our 13,000+ global customers

    • star
      Reviews

      Uncover honest reviews with authentic insights from Gartner, G2, Capterra, and more

    NEWS
    • mic
      Press

      Read our latest press releases, news publications, and media highlights

    • award
      Awards

      Explore our awards and industry recognition achievements

    Thumbnail-google-workspace-and-ironscales-a-complete-email-security-solution
    Press: New Research

    New Osterman study reveals orgs with high confidence still lack capabilities against QR code attacks

    header-card-image-3
    Case Study: Webhelp

    Learn how Webhelp saved over 450 SecOp hours and is protecting 36,000 mailboxes

    header-card-image-1
    Awards: INC. 5000

    IRONSCALES earns 'Fastest Growing Email Security Company' for 3rd straight year

  • Platform
    Spring '24 Software Release! Check out our new deep image-based detection, GWS capabilities, and more. Explore the new additions
    CAPABILITIES
    • Inbound Email Protection
      Inbound Email Protection

      Get Adaptive AI email security against advanced attacks missed by other security controls​

    • Account Takeover Protection
      Account Takeover Protection

      Eliminate the risk of ATO with advanced prevention, detection, and response

    • Image-Based Attack Protection
      Image-Based Attack Protection

      Protect your organization from image-based attacks like malicious QR codes

    • SOC Automation
      SOC Automation

      Put SecOps workloads on auto-pilot with automated email remediation and more

    • Phishing Simulation Testing
      Phishing Simulation Testing

      Send your employees customized simulations built from real-world threats

    • Security Awareness Training
      Security Awareness Training

      Build a security-centric culture with automated personalized awareness campaigns

    • Crowdsourced Threat Intelligence
      Crowdsourced Threat Intelligence

      Leverage insights from 20,000+ security analysts in our community for email remediation

    • Collaboration Tool Protection
      Collaboration Tool Protection

      Protect your collaboration tools including Microsoft Teams® from advanced threats

    Take an Interactive Platform Tour
    TECHNOLOGY
    • Adaptive AI Engine
      Adaptive AI Engine

      Learn how we level up our AI with advanced ML models and Human Insights

    • Human Insights
      Human Insights

      See how we uniquely enhance our adaptive AI with real-time Human Insights

    • Generative AI
      Generative AI

      Discover how we use Gen-AI, large language models, and techniques for email security

    • Ecosystem Integrations
      Ecosystem Integrations

      Maximize your existing security tools with our seamlessly integrated platform

    Take an Interactive Platform Tour
  • Solutions
    USE CASE
    • BEC & Executive Impersonation
      BEC & Executive Impersonation

      Stop advanced attacks like BEC, VEC, and VIP impersonation

    • Advanced Malware/URL Attacks
      Advanced Malware/URL Attacks

      Continuously protect against malicious links and attachments

    • Credential-Theft
      Credential Harvesting

      Block attackers from stealing your sensitive business data

    • Account Takeover Attacks
      Account Takeover Attacks

      Prevent, detect, and respond to ATO attacks in real time

    • QR Code Attacks
      QR Code Attacks

      Decipher image-based attacks from weaponized QR codes

    • Generative AI Attacks
      Generative AI Attacks

      Safeguard your organization against GPT-crafted attacks

    • Phishing Simulation Testing
      Phishing Simulation Testing

      Test your employees with real-world email attacks

    • Security Awareness Training
      Security Awareness Training

      Build a security-first organization with integrated SAT campaigns

    Get A FREE Email Health Scan
  • Learn
    New Report! Osterman Research releases their 2024 findings on Image-based/QR Code Attacks. Read the report
    LEARN
    • Blog
      Blog

      Stay informed with our insights and updates

    • Guides
      Guides

      Explore our multi-chapter email security guides

    • bookmark
      Glossary

      Decode cybersecurity jargon with our glossary​

    • Resource Library
      Resource Library

      Rich content hub including whitepapers, reports, and more

    • Get Started
      Get Started

      Get started today with a 14-day free trial

    • Platform Tour
      Platform Tour

      Navigate our platform directly with an interactive guided tour

    • Engineering Corner
      Engineering Corner

      Explore articles and lessons from our R&D team members​

    CONNECT
    • Events
      Events

      View our upcoming in-person and virtual events

    • LinkedIn_icon-vector
      LinkedIn

      Join the evolving email security discourse with us on LinkedIn

    • Newsletter
      Newsletter

      Join our LinkedIn newsletter for security news and best practices

    See all resources
    FEATURED
    Email Security in the Age of AI
    Email Security in the Age of AI

    Understand the role of AI in fortifying defenses against evolving threats.

    QR Code Phishing
    QR Code Phishing

    QR codes serve as a new bypass method to evade detection.

    The ABCs of MFA
    The ABCs of MFA

    MFA is your digital doorman that keeps the malicious actors at bay.

    Phishing Prevention
    Phishing Prevention

    Dive into our complete 13-chapter guide on phishing prevention best practices

    Spear Phishing Thumbnail
    Spear Phishing

    Understand the inner workings of highly specialized phishing tactics and how to stop them

    Voice Phishing
    Voice Phishing

    See how attackers leverage new methods and channels to defraud businesses

  • Partner
    BY TYPE
    • Resellers
      Resellers

      Elevate your business with exclusive reselling opportunities

    • MSPs / MSSPs
      MSPs / MSSPs

      Unlock powerful email security capabilities for your end clients

    • Technology Partners
      Technology Partners

      View our industry-leading technology partners

    ENGAGE
    • Become Partner
      Become Partner

      Apply to become an IRONSCALES partner today

    • Partner Portal
      Partner Portal

      Check out valuable tools and resources for partners

    Become a Partner

    Partner with IRONSCALES Today
  • Pricing
  • headset_icon user Get a Demo
headset_icon user Get a Demo

Ransomware Gangs

Ransomware is a plague on companies of all shapes and sizes around the globe, with no signs of slowing down. In this guide, we will provide background details about some of the more notorious ransomware gangs and the damage they have inflicted.

Download Full Report
IRONSCALES_Resource_Thumbnail_WP_Ransomware_Gangs_336x222

Introduction

Ransomware is a plague on companies of all shapes and sizes around the globe, with no signs of slowing down. While progress has been made by various government agencies to identify, prosecute, and jail key members of various ransomware gangs, new gangs continue to pop up and former gangs reconstitute themselves with a new name but the same nefarious purpose.

In this guide, we will provide background details about some of the more notorious ransomware gangs and the damage they have inflicted.

Black Basta: Operations and Ransomware Analysis

Posts made on two underground hacking forums announced the arrival of Black Basta. These posts alluded to a fee payment in addition to a profit-sharing arrangement in return for providing corporate access credentials to a forum user by the name of Black Basta.

From an operational perspective, the tactics and techniques used in Black Basta attacks are typical of prevailing ransomware trends. The first point of note is that double extortion is a feature of attacks carried out by the gang, which reflects the now default assumption that exfiltrating sensitive data and documents before encrypting either files or devices increase the chance of receiving a ransom payment from victims.

Another notable tactic is the use of QBot malware in the attacks observed so far. Qbot is a family of backdoor trojans that also have worm features, which enable the malware to self-replicate. While Qbot’s initial use was in attacks on banking systems, ransomware actors can leverage several of its features to make their work easier, including keylogging, lateral movement, and establishing persistence.

The ransomware strain eventually gets pushed out to a list of internal IP addresses on the network, most likely previously accessed using Qbot. Once the ransomware runs on a Windows endpoint system, some of the following system changes occur:

  • Volume shadow copies get deleted to prevent the recovery of encrypted files.
  • Windows recovery and repair features are disabled to further prevent any kind of rollback to previous uninfected system states.
  • Two images get dropped into the temporary Windows folder, one of which changes the desktop background to display a message stating the computer’s files have been encrypted.
  • A service hijack takes over the legitimate Windows Fax service and replaces it with a malicious one that defaults to boot in safe mode. A ShellExecute API function then forces a system restart.
  • The system restarts and boots in safe mode with networking, which is when the actual encryption happens.

Multithreaded encryption locks down files rapidly with the extension basta appended to them. The encryption algorithm used in these attacks is ChaCha20 with a public RSA-4096 key. This is a robust type of encryption that doesn’t leave open any possibility of getting files back for free by cracking the key.

Security researchers noted a further tactical evolution in Black Basta operations when they detected variants of the ransomware strain on VMWare ESXi, which is an enterprise-class hypervisor used for running virtual machines (VMs). The variant was specifically spotted on VMs running on top of Linux servers. This targeting of infrastructure often used by enterprises demonstrates the “big game” hunting tactics of Black Basta.

Potential Defenses and Countermeasures

There are divisions in the security landscape on the origins of Black Basta. The professionalism and intricacy of the attacks observed so far suggest a rebranding of defunct gangs. Whatever the case, the danger is clear with Black Basta, and the victim list will only expand over the coming months. Considering the gang’s operations, here are some suggested countermeasures and defenses to have in place:

  • With phishing and spear-phishing emails being a common method for persuading employees to disclose passwords for business accounts/services, use dedicated anti-phishing solutions and ongoing employee cybersecurity training and awareness.
  • The use of stolen dark web credentials for initial network access in these attacks once again reinforces the importance of protecting business accounts with an extra layer of authentication (two-factor or multi-factor).
  • Dark web monitoring is an option that trawls the dark web for stolen employee credentials and enables you to perform hard resets on those accounts.
  • Consider getting an off-site backup solution in place so that even if the ransomware strain manages to delete connected backup options, there’s a way to recover files.
  • Encrypt any sensitive data in your network even if encryption is not necessary for compliance with external regulations; if threat actors can’t read your data, double extortion isn’t effective because leaked data is encrypted.

Read Full Report

Egregor: Operations and Ransomware Analysis

Egregor is a ransomware-as-a-service gang that has so far managed to claim at least 70 victims and extort tens of millions of dollars during a prolific yet short spell of operations. The Egregor ransomware strain first surfaced in September 2020, and most attacks occurred within a three-month period, ending in December 2020.

As with many ransomware gangs, double extortion is a feature of Egregor’s operations. Affiliates carry out attacks using Egregor’s ransomware, and the leaders of the operations receive a percentage commission from any successful attack that uses their ransomware strain.

The actual ransomware strain appears to be a copy of the Sekhmet strain, which was previously used by the Maze cartel. Many industry commentators have noted that after Maze winded up its operations, several of the gang’s affiliates switched to Egregor. There’s a strong possibility that Egregor is a rebranding of Maze by some of the operation’s former leaders.

Initial access stems from a variety of methods, including using stolen credentials, hacking remote access technology, and conducting spear-phishing campaigns with malicious attachments targeted at specific employees. Threat actors use the threat emulation toolkit Cobalt Strike to covertly discover information about their victim’s network and move laterally.

The code itself uses obfuscation techniques to evade analysis and detection by security solutions. PowerShell scripts attempt to uninstall or disable popular endpoint security solutions. After exfiltrating data, the payload executes, and victims receive a ransom note demanding payment within a three-day window to avoid having their data leaked online.

Blocking Spear Phishing

Like many ransomware gangs, Egregor has used phishing emails to gain initial access to networks. These emails have been highly targeted spear-phishing emails sent to specific individuals about whom the threat actors gleaned information on social media, company web pages, and other sources. Typically, these emails come with attachments containing malicious payloads that enable hackers to infiltrate a network.

Successfully blocking phishing emails provides robust defense against today’s ransomware attacks. A dedicated email security platform with anti-phishing capabilities can prove a game-changer in becoming the next ransomware victim or keeping hackers at bay.

DoppelPaymer: Operations and Ransomware Analysis

DoppelPaymer is a ransomware gang that extracts data from victims’ systems and then encrypts those same systems. Named after the strain of ransomware that the gang deploys, DoppelPaymer has demonstrated ruthlessness in its choice of victims with no industry safe from its targeting. This article analyzes DoppelPaymer’s operations, ransomware strain, and some of its high-profile attacks.

DoppelPaymer first emerged in 2019, and security researchers immediately noted that the ransomware strain appeared to build on BitPaymer, which began targeting healthcare organizations in 2017. Some security analysts link DoppelPaymer back to the Russian threat-actor TA505.

In terms of how the gang operates, threat actors favor malicious email attachments as the initial vector for infiltrating a victim’s network. Typically, these are highly targeted spear-phishing emails that make victims more likely to open attachments under the guise that the emails come from a trusted source.

When someone at a target organization opens the malicious email attachment, the Dridex trojan downloads onto their system. Leveraging Dridex and opening affected systems to incoming connections, the threat actors then download other tools, including a PowerShell exploitation agent, a credential dumping tool, and threat emulation software.

Leveraging stolen credentials, lateral movement, and evasive detection techniques, the DoppelPaymer ransomware eventually executes on systems. The gang uses a tool known as ProcessHacker to terminate different services on endpoint devices. Multiple systems are locked simultaneously, and victims receive a ransom note with payment instructions linking to a dark web payment portal.

Preventing Successful Spear Phishing Attacks

Given the information known about how the DoppelPaymer threat actors operate, it was interesting to note that the FBI’s alert didn’t contain any reference to spearphishing when discussing mitigation strategies. In fact, the word phishing didn’t appear at all in the document.

Given the widespread use of malicious Office documents as email attachments in instigating DoppelPaymer attacks, it’s worth addressing spear-phishing as a mitigation strategy. If you can prevent people from opening malicious attachments, you can stop adversaries in their tracks before they infiltrate your network.

Traditional security solutions struggle to detect spear-phishing emails. Furthermore, because of their highly targeted nature, these emails are very convincing. Threat actors can leverage company profiles and social networking platforms to obtain information about specific employees, such as executives.

Dealing with the threat of spear phishing requires a multi-pronged approach, but such an approach can make the difference in avoiding the devastating effects of ransomware attacks. Phishing simulation and training can help employees at all levels of seniority to better recognize phishing emails. While training and simulation aren’t guaranteed to stop people from being duped, they are effective methods to reduce that risk.

Another crucial tenet of dealing with spear phishing is having a dedicated email security platform that automatically detects, investigates, orchestrates, and responds to suspicious emails. Ideally, your email security solution would have sandbox engines to identify and isolate emails that contain malicious links and attachments.

Read Full Report

REvil: A Brief Background

REvil (Ransomware Evil) is a private group that runs a ransomware-as-a-service operation. They are a notorious ransomware gang responsible for multiple high-profile cyber attacks targeting companies of all sizes. This article explores REvil’s origins, the types of malware payloads they use, and some of the most infamous attacks featuring the gang’s malware variants.

The service model of their ransomware works as follows:

  • The gang’s developers create one or more functioning ransomware variants.
  • The gang makes these ransomware variants available to paying customers—threat actors seeking to compromise organizations—for some form of payment.
  • The type of payment can be a monthly subscription fee or an affiliate model in which the gang receives a percentage of any ransom payments received by customers.
  • The developers focus most of their efforts on creating more effective ransomware strains.
  • A typical service offering comes bundled with other features, such as 24/7 support, to further attract customers.

REvil’s members speak Russian and are likely to be Russian citizens. In 2019, security researcher Brian Krebs speculated that REvil was a probable rebranding by a group formerly known as GandCrab. Subsequent investigations have found that both REvil and GandCrab ransomware operations were run by the Russian-based group PINCHY SPIDER.

REvil: Malware Analysis

The execution of ransomware strains on multiple machines is the final phase of a complex chain of events that starts with infiltrating a network. The payload used to carry out ransomware attacks involving REvil is known as Sodinokibi (Ransom. Sodinokibi). This payload encrypts multiple local files on the affected system and displays a ransomware note demanding payment to remove the encryption.

Sodinokibi malware has inbuilt features that help it evade detection, such as deleting the virus definition database used by Windows Defender. The malware uses a complex combination of symmetric and asymmetric encryption to lock down files. Ransom demands appear on the desktop background of infected systems with instructions to make payment using Monero cryptocurrency. Monero has additional privacy features, such as hidden addresses, that other cryptocurrencies lack, which makes payments much harder to trace.

Preventing Initial Network Intrusions

The initial intrusion into a network is the start of all ransomware attacks. Compromised credentials obtained through phishing attacks often provide an entry point into applications and systems. Here are some tips to prevent network intrusions and ensure groups like REvil can’t install ransomware strains on your network:

  • Combat against the threat of phishing emails with an anti-phishing email security solution that blocks these deceptive emails from reaching users and convincing them to give up their passwords or download malicious files.
  • Consider using non-standard ports for services such as RDP that threat actors regularly try to break into.
  • Use multifactor authentication for business services and applications so that even if hackers manage to guess, obtain, or steal the right password, they can’t get into a targeted system without an additional piece of evidence.
  • Regularly remind employees and users about the importance of good password hygiene, which means using longer passwords that combine upper and lower cases with symbols while avoiding reusing passwords across multiple apps and services.

Closing Thoughts

Ransomware gangs will come and go, but the threat will always be present. Companies need to treat ransomware as a high-risk incident that they are exposed to at all times. Recovery can be incredibly painful, so it’s best to get in place the right mindset, tools, and processes to prevent ransomware before it can cause damage. 

Read Full Report