
Ransomware Gangs

Ransomware is a plague on companies of all shapes and sizes around the globe, with no signs of slowing down. In this guide, we will provide background details about some of the more notorious ransomware gangs and the damage they have inflicted.



While progress has been made by various government agencies to identify, prosecute, and jail key members of various ransomware gangs, new gangs continue to pop up and former gangs reconstitute themselves with a new name but the same nefarious purpose.


Black Basta: Operations and Ransomware Analysis

Posts made on two underground hacking forums announced the arrival of Black Basta. These posts alluded to a fee payment in addition to a profit-sharing arrangement in return for providing corporate access credentials to a forum user by the name of Black Basta.

From an operational perspective, the tactics and techniques used in Black Basta attacks are typical of prevailing ransomware trends. The first point of note is that double extortion is a feature of attacks carried out by the gang, which reflects the now default assumption that exfiltrating sensitive data and documents before encrypting either files or devices increases the chance of receiving a ransom payment from victims.

Another notable tactic is the use of Qbot malware in the attacks observed so far. Qbot is a family of backdoor trojans that also have worm features, which enable the malware to self-replicate. While Qbot’s initial use was in attacks on banking systems, ransomware actors can leverage several of its features to make their work easier, including keylogging, lateral movement, and establishing persistence.

The ransomware strain eventually gets pushed out to a list of internal IP addresses on the network, most likely previously accessed using Qbot. Once the ransomware runs on a Windows endpoint system, some of the following system changes occur:

  • Volume shadow copies get deleted to prevent the recovery of encrypted files.
  • Windows recovery and repair features are disabled to further prevent any kind of rollback to previous uninfected system states.
  • Two images get dropped into the temporary Windows folder, one of which changes the desktop background to display a message stating the computer’s files have been encrypted.
  • A service hijack takes over the legitimate Windows Fax service and replaces it with a malicious one that defaults to boot in safe mode. A ShellExecute API function then forces a system restart.
  • The system restarts and boots in safe mode with networking, which is when the actual encryption happens.

Multithreaded encryption locks down files rapidly, with the .basta extension appended to them. The encryption algorithm used in these attacks is ChaCha20 with a public RSA-4096 key. This is a robust type of encryption that doesn’t leave open any possibility of getting files back for free by cracking the key.
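As an added illustration (not part of the original guide), the detection logic below correlates the post-execution behaviours listed above into a single per-host alert instead of firing on each one in isolation. The Sysmon-style process-creation events are constructed, and the command-line patterns for shadow-copy deletion, recovery disabling, service reconfiguration, and safe-boot changes are assumptions about common tooling, not indicators the guide itself provides.

```python
import re

# Constructed sample events in a Sysmon-like shape (not real telemetry).
# Host ws01 shows the chain described for Black Basta; ws02 is benign noise.
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "pid": 4122, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "ws01", "pid": 4130, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc config Fax binPath= C:\Users\Public\placeholder.exe"},
    {"host": "ws01", "pid": 4131, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set safeboot network"},
    {"host": "ws02", "pid": 900, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},  # read-only, should not match
]

# One rule per behaviour from the guide's list; patterns are assumptions.
RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "recovery_disabled": re.compile(r"bcdedit.*recoveryenabled\s+no", re.I),
    "fax_service_hijack": re.compile(r"sc(\.exe)?\s+config\s+fax\s+binpath=", re.I),
    "safeboot_set": re.compile(r"bcdedit.*\bsafeboot\b", re.I),
}


def match_rules(event):
    """Return the names of every rule whose pattern hits this event's command line."""
    return [name for name, rx in RULES.items() if rx.search(event["cmdline"])]


def correlate(events, threshold=2):
    """Group rule hits by host; alert only where >= threshold distinct behaviours occur.

    Any single hit (e.g. an admin deleting shadow copies) is a weak signal;
    the combination of recovery tampering plus a safe-boot change is the
    pre-encryption pattern the guide describes.
    """
    per_host = {}
    for ev in events:
        hits = match_rules(ev)
        if hits:
            per_host.setdefault(ev["host"], set()).update(hits)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= threshold}


if __name__ == "__main__":
    for host, behaviours in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(behaviours)}")
```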

Security researchers noted a further tactical evolution in Black Basta operations when they detected variants of the ransomware strain on VMware ESXi, which is an enterprise-class hypervisor used for running virtual machines (VMs). The variant was specifically spotted on VMs running on top of Linux servers. This targeting of infrastructure often used by enterprises demonstrates the “big game” hunting tactics of Black Basta.

Potential Defenses and Countermeasures

There are divisions in the security landscape on the origins of Black Basta. The professionalism and intricacy of the attacks observed so far suggest a rebranding of defunct gangs. Whatever the case, the danger is clear with Black Basta, and the victim list will only expand over the coming months. Considering the gang’s operations, here are some suggested countermeasures and defenses to have in place:

  • With phishing and spear-phishing emails being a common method for persuading employees to disclose passwords for business accounts/services, use dedicated anti-phishing solutions and ongoing employee cybersecurity training and awareness.
  • The use of stolen dark web credentials for initial network access in these attacks once again reinforces the importance of protecting business accounts with an extra layer of authentication (two-factor or multi-factor).
  • Dark web monitoring is an option that trawls the dark web for stolen employee credentials and enables you to perform hard resets on those accounts.
  • Consider getting an off-site backup solution in place so that even if the ransomware strain manages to delete connected backup options, there’s a way to recover files.
  • Encrypt any sensitive data in your network even if encryption is not necessary for compliance with external regulations; if threat actors can’t read your data, double extortion isn’t effective because leaked data is encrypted.

Egregor: Operations and Ransomware Analysis

Egregor is a ransomware-as-a-service gang that has so far managed to claim at least 70 victims and extort tens of millions of dollars during a prolific yet short spell of operations. The Egregor ransomware strain first surfaced in September 2020, and most attacks occurred within a three-month period, ending in December 2020.

As with many ransomware gangs, double extortion is a feature of Egregor’s operations. Affiliates carry out attacks using Egregor’s ransomware, and the leaders of the operations receive a percentage commission from any successful attack that uses their ransomware strain.

The actual ransomware strain appears to be a copy of the Sekhmet strain, which was previously used by the Maze cartel. Many industry commentators have noted that after Maze wound up its operations, several of the gang’s affiliates switched to Egregor. There’s a strong possibility that Egregor is a rebranding of Maze by some of the operation’s former leaders.

Initial access stems from a variety of methods, including using stolen credentials, hacking remote access technology, and conducting spear-phishing campaigns with malicious attachments targeted at specific employees. Threat actors use the threat emulation toolkit Cobalt Strike to covertly discover information about their victim’s network and move laterally.

The code itself uses obfuscation techniques to evade analysis and detection by security solutions. PowerShell scripts attempt to uninstall or disable popular endpoint security solutions. After exfiltrating data, the payload executes, and victims receive a ransom note demanding payment within a three-day window to avoid having their data leaked online.

Blocking Spear Phishing

Like many ransomware gangs, Egregor has used phishing emails to gain initial access to networks. These emails have been highly targeted spear-phishing emails sent to specific individuals about whom the threat actors gleaned information on social media, company web pages, and other sources. Typically, these emails come with attachments containing malicious payloads that enable hackers to infiltrate a network.

Successfully blocking phishing emails provides a robust defense against today’s ransomware attacks. A dedicated email security platform with anti-phishing capabilities can be the difference between becoming the next ransomware victim and keeping hackers at bay.

DoppelPaymer: Operations and Ransomware Analysis

DoppelPaymer is a ransomware gang that extracts data from victims’ systems and then encrypts those same systems. Named after the strain of ransomware that the gang deploys, DoppelPaymer has demonstrated ruthlessness in its choice of victims with no industry safe from its targeting. This article analyzes DoppelPaymer’s operations, ransomware strain, and some of its high-profile attacks.

DoppelPaymer first emerged in 2019, and security researchers immediately noted that the ransomware strain appeared to build on BitPaymer, which began targeting healthcare organizations in 2017. Some security analysts link DoppelPaymer back to the Russian threat-actor TA505.

In terms of how the gang operates, threat actors favor malicious email attachments as the initial vector for infiltrating a victim’s network. Typically, these are highly targeted spear-phishing emails, which make recipients more likely to open attachments because the emails appear to come from a trusted source.

When someone at a target organization opens the malicious email attachment, the Dridex trojan downloads onto their system. Leveraging Dridex and opening affected systems to incoming connections, the threat actors then download other tools, including a PowerShell exploitation agent, a credential dumping tool, and threat emulation software.

Leveraging stolen credentials, lateral movement, and detection-evasion techniques, the DoppelPaymer ransomware eventually executes on systems. The gang uses a tool known as ProcessHacker to terminate different services on endpoint devices. Multiple systems are locked simultaneously, and victims receive a ransom note with payment instructions linking to a dark web payment portal.

Preventing Successful Spear Phishing Attacks

Given the information known about how the DoppelPaymer threat actors operate, it was interesting to note that the FBI’s alert didn’t contain any reference to spear-phishing when discussing mitigation strategies. In fact, the word phishing didn’t appear at all in the document.

Given the widespread use of malicious Office documents as email attachments in instigating DoppelPaymer attacks, it’s worth addressing spear-phishing as a mitigation strategy. If you can prevent people from opening malicious attachments, you can stop adversaries in their tracks before they infiltrate your network.

Traditional security solutions struggle to detect spear-phishing emails. Furthermore, because of their highly targeted nature, these emails are very convincing. Threat actors can leverage company profiles and social networking platforms to obtain information about specific employees, such as executives.

Dealing with the threat of spear phishing requires a multi-pronged approach, but such an approach can make the difference in avoiding the devastating effects of ransomware attacks. Phishing simulation and training can help employees at all levels of seniority to better recognize phishing emails. While training and simulation aren’t guaranteed to stop people from being duped, they are effective methods to reduce that risk.

Another crucial tenet of dealing with spear phishing is having a dedicated email security platform that automatically detects, investigates, orchestrates, and responds to suspicious emails. Ideally, your email security solution would have sandbox engines to identify and isolate emails that contain malicious links and attachments.

REvil: A Brief Background

REvil (Ransomware Evil) is a private group that runs a ransomware-as-a-service operation. They are a notorious ransomware gang responsible for multiple high-profile cyber attacks targeting companies of all sizes. This article explores REvil’s origins, the types of malware payloads they use, and some of the most infamous attacks featuring the gang’s malware variants.

The service model of their ransomware works as follows:

  • The gang’s developers create one or more functioning ransomware variants.
  • The gang makes these ransomware variants available to paying customers—threat actors seeking to compromise organizations—for some form of payment.
  • The type of payment can be a monthly subscription fee or an affiliate model in which the gang receives a percentage of any ransom payments received by customers.
  • The developers focus most of their efforts on creating more effective ransomware strains.
  • A typical service offering comes bundled with other features, such as 24/7 support, to further attract customers.

REvil’s members speak Russian and are likely to be Russian citizens. In 2019, security researcher Brian Krebs speculated that REvil was a probable rebranding by a group formerly known as GandCrab. Subsequent investigations have found that both REvil and GandCrab ransomware operations were run by the Russian-based group PINCHY SPIDER.

REvil: Malware Analysis

The execution of ransomware strains on multiple machines is the final phase of a complex chain of events that starts with infiltrating a network. The payload used to carry out ransomware attacks involving REvil is known as Sodinokibi (Ransom.Sodinokibi). This payload encrypts multiple local files on the affected system and displays a ransomware note demanding payment to remove the encryption.

Sodinokibi malware has inbuilt features that help it evade detection, such as deleting the virus definition database used by Windows Defender. The malware uses a complex combination of symmetric and asymmetric encryption to lock down files. Ransom demands appear on the desktop background of infected systems with instructions to make payment using Monero cryptocurrency. Monero has additional privacy features, such as hidden addresses, that other cryptocurrencies lack, which makes payments much harder to trace.

Preventing Initial Network Intrusions

The initial intrusion into a network is the start of all ransomware attacks. Compromised credentials obtained through phishing attacks often provide an entry point into applications and systems. Here are some tips to prevent network intrusions and ensure groups like REvil can’t install ransomware strains on your network:

  • Combat the threat of phishing emails with an anti-phishing email security solution that blocks these deceptive emails from reaching users and convincing them to give up their passwords or download malicious files.
  • Consider using non-standard ports for services such as RDP that threat actors regularly try to break into.
  • Use multifactor authentication for business services and applications so that even if hackers manage to guess, obtain, or steal the right password, they can’t get into a targeted system without an additional piece of evidence.
  • Regularly remind employees and users about the importance of good password hygiene, which means using longer passwords that combine upper and lower cases with symbols while avoiding reusing passwords across multiple apps and services.

Closing Thoughts

Ransomware gangs will come and go, but the threat will always be present. Companies need to treat ransomware as a high-risk incident that they are exposed to at all times. Recovery can be incredibly painful, so it’s best to get in place the right mindset, tools, and processes to prevent ransomware before it can cause damage.