Microsoft: We are tracking these 100 active ransomware gangs using 50 types of malware

Microsoft warns that phishing, fake software updates, and unpatched vulnerabilities are being exploited for ransomware attacks.
Written by Danny Palmer, Senior Writer

More than 100 different cyber-criminal gangs are actively conducting ransomware attacks, deploying over 50 different ransomware families in campaigns that see them encrypt networks and demand a ransom payment for the decryption key. 

Those figures come from analysis by Microsoft Security Intelligence, which notes that some of the most prominent ransomware attacks of recent times involve LockBit, BlackCat, Vice Society, and Royal.

The attacks are also being helped along by how ransomware groups offer ransomware-as-a-service (RaaS) schemes, enabling cyber criminals who don't develop their own ransomware to get in on the action. 

Access to RaaS schemes is sold on underground forums, providing aspiring ransomware attackers with all the tools they need to conduct and manage attacks and extort ransom payments. In many cases, the author of the ransomware takes a cut of any ransom payments the attackers receive. 

Some of the most disruptive ransomware attacks have been carried out by attackers using affiliate schemes, with high-profile attacks involving the likes of Conti and LockBit ransomware being conducted by affiliates. 

According to Microsoft, phishing attacks are the most common means of attackers gaining initial access to networks.  


Targeting usernames and passwords with phishing emails or brute force attacks provides cyber criminals with access to networks using legitimate credentials that are less likely to arouse suspicion -- and it's become easier for cyber criminals to access networks in this way since the rise of hybrid and remote working. 
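The brute-force pattern described above leaves a recognisable trace in authentication logs: a burst of failed logins from one source, sometimes followed by a success once a password guess lands. The script below is an added example of the kind of detection logic a defender would run over such logs; it is not from Microsoft's report or any product. The syslog-like line format, the hosts, the usernames and the threshold values are all constructed for the example.

```python
"""Flag password brute-force activity, and a success that follows it, in
authentication logs. Added example with a constructed log format; the
source addresses, users and thresholds are placeholders."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> auth: FAILED|SUCCESS user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one source hammers several accounts, then gets in as
# "alice"; a second source has a single typo-style failure, then succeeds.
SAMPLE_LOG = [
    "2023-01-20T09:00:01 auth: FAILED user=alice src=203.0.113.7",
    "2023-01-20T09:00:04 auth: FAILED user=alice src=203.0.113.7",
    "2023-01-20T09:00:09 auth: FAILED user=bob src=203.0.113.7",
    "2023-01-20T09:00:15 auth: FAILED user=alice src=203.0.113.7",
    "2023-01-20T09:00:20 auth: FAILED user=carol src=203.0.113.7",
    "2023-01-20T09:01:02 auth: SUCCESS user=alice src=203.0.113.7",
    "2023-01-20T09:30:00 auth: FAILED user=dave src=198.51.100.4",
    "2023-01-20T09:31:00 auth: SUCCESS user=dave src=198.51.100.4",
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_brute_force(lines, threshold=5, window_seconds=600):
    """Return a list of findings.

    ("brute_force", src, n)            -- src reached n failures inside the window
    ("success_after_brute_force", src, user) -- a login succeeded from a flagged src
    """
    window = timedelta(seconds=window_seconds)
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)  # src -> failure timestamps still inside the window
    flagged = set()
    findings = []
    for e in events:
        src = e["src"]
        if e["result"] == "FAILED":
            q = failures[src]
            q.append(e["ts"])
            # evict failures that fell out of the sliding window
            while q and e["ts"] - q[0] > window:
                q.pop(0)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                findings.append(("brute_force", src, len(q)))
        elif src in flagged:
            # the pattern the article warns about: valid credentials obtained by guessing
            findings.append(("success_after_brute_force", src, e["user"]))
    return findings


if __name__ == "__main__":
    for finding in detect_brute_force(SAMPLE_LOG):
        print(finding)
```

The second finding type is the one worth paging on: a success from a source that was just flagged means the attacker now holds working credentials, which is exactly the low-suspicion access the article describes. Tune the threshold and window to the environment, since a single mistyped password from a legitimate user (the second source in the sample) must not trigger.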

The attackers can move around the network, potentially even using the compromised account to conduct phishing attacks against other users, gaining the permissions and control required to compromise as much of the network with ransomware as possible, before eventually triggering the encryption process, locking files and servers, and demanding a ransom payment. 

But while phishing is the most common method used by ransomware gangs to access networks, it isn't the only one. 

For example, Microsoft warns about the rise of malvertising as the initial stage of attacks, where cyber criminals buy online adverts -- commonly to promote false software downloads -- which, if downloaded and installed, will infect the user with trojan malware that the attackers then use to distribute ransomware.  

Cyber-criminal affiliates using Royal ransomware have been seen using malvertising to deliver the payload. 

Fake software updates have also become a common means of delivering ransomware. These false warnings, which claim your software needs to be updated, typically come from malvertising links or drive-by downloads -- downloads that happen in the background without the user knowing.


The aim of the false update alerts is to scare victims into downloading the malware -- all while they believe they're doing the right thing to protect their system. 

Cyber criminals are also using the tried and tested method of abusing unpatched cybersecurity vulnerabilities to access networks. 

"Even as they evolve, ransomware attacks continue to rely on common security weaknesses that allow them to succeed," said Microsoft, which recommends that computers and networks should be updated with the latest security patches as a matter of urgency to prevent cyber criminals from exploiting known vulnerabilities to access networks. 

It's also important that security updates are only downloaded from official sources, to avoid the possibility of a fake software update infecting your computer with ransomware. 
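"Only from official sources" can be enforced in code rather than left to the user's judgement. The function below is an added example, not from Microsoft or any vendor's updater: it accepts an update package only if the download URL is HTTPS on an allowlisted official host (exact hostname match, so a lookalike domain fails) and the package's SHA-256 matches the hash the vendor published separately. The host name, the package bytes and the published hash are constructed placeholders.

```python
"""Accept an update package only from an allowlisted official host and only
if its SHA-256 matches the vendor's published hash. Added example; the host,
package contents and hash below are constructed placeholders."""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed allowlist of official download hosts (placeholder vendor).
OFFICIAL_HOSTS = {"updates.example-vendor.com"}


def is_official_source(url):
    """True only for HTTPS URLs whose hostname exactly matches an allowlisted host."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in OFFICIAL_HOSTS


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_update(url, package_bytes, published_sha256):
    """Return (ok, reason). Source check first, then integrity check."""
    if not is_official_source(url):
        return False, "source not in official allowlist"
    actual = sha256_hex(package_bytes)
    # constant-time comparison of the hex digests
    if not hmac.compare_digest(actual, published_sha256.lower()):
        return False, "hash mismatch"
    return True, "ok"


# Constructed package and the hash the vendor would publish out-of-band.
GOOD_PACKAGE = b"example-installer-v2.1"
PUBLISHED_HASH = sha256_hex(GOOD_PACKAGE)
GOOD_URL = "https://updates.example-vendor.com/installer-v2.1.exe"
# Constructed lookalike host of the kind a fake-update page would use.
LOOKALIKE_URL = "https://updates.example-vendor.com.evil.test/installer-v2.1.exe"


if __name__ == "__main__":
    print(verify_update(GOOD_URL, GOOD_PACKAGE, PUBLISHED_HASH))
    print(verify_update(LOOKALIKE_URL, GOOD_PACKAGE, PUBLISHED_HASH))
    print(verify_update(GOOD_URL, GOOD_PACKAGE + b"tampered", PUBLISHED_HASH))
```

The order of the checks matters: an attacker who controls the download page can publish a hash that matches their own package, so the hash is only meaningful when it was obtained from the official source independently of the download. Where the vendor signs releases, checking that signature is the stronger equivalent of the hash comparison here.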

Meanwhile, organizations can try to prevent phishing attacks from succeeding by ensuring that accounts are secured with strong, preferably unique, passwords and with multi-factor authentication.

This additional layer of protection can help to stop attackers from accessing accounts, even if they've gained access to the correct username and password. 
