Cyber-security firm Group-IB says it identified a group of low-skilled hackers operating out of Iran that has been launching attacks against companies in Asia and attempting to encrypt their networks with a version of the Dharma ransomware.
Group-IB says that despite attacking companies in the private sector, this particular Iranian hacking group has not demanded ransoms in the realm of hundreds of thousands or millions of US dollars -- which has become the norm for most ransomware gangs today.
Instead, the group has requested small ransom payments ranging from 1 to 5 bitcoin ($10k to $50k), most likely to ensure they get paid and stay under the radar while authorities focus on the bigger gangs ransoming companies for millions.
In the grand scheme of things, this "newbie" group is a far cry from Iran's most infamous ransomware gang: the operators of the SamSam ransomware.
SamSam was a professional hacker group that developed a very advanced ransomware strain that they used to target large corporations and government entities. The group wreaked havoc across the US in 2018 before disappearing after the US Department of Justice charged two of its members in December 2018.
However, even if this newer group is not as advanced and skilled as SamSam, companies shouldn't ignore the risk they pose. Since 2017-2018, the cybercrime ecosystem has evolved to automate, simplify, and monetize the entire process of breaching companies and deploying ransomware.
While in 2017-2018 a group needed talented hackers to pull off a ransomware attack, today even "newbie" groups like the one in the Group-IB report can download hacking tools and follow tutorials shared on hacking forums to orchestrate their own intrusion and ransom attacks in a matter of days.
While some security experts will pin the blame on the proliferation of offensive hacking tools and hacking tutorials, the actual problem is entirely with companies, many of which are still failing at basic security hygiene, such as securing RDP systems they expose online with proper passwords, or patching servers and edge networking equipment, leaving glaring holes that even low-skilled hackers can exploit.