Ransomware: These four rising gangs could be your next major cybersecurity threat

Cybersecurity researchers at Palo Alto Networks detail four extortion groups that have gained traction in recent months, as the threat of ransomware continues to plague businesses.

The ransomware threat is growing: What needs to happen to stop attacks getting worse?

Cybersecurity researchers have warned of four emerging families of ransomware that could pose a significant cybersecurity threat to businesses.  

Ransomware remains one of the key cybersecurity threats facing businesses around the world as cyber criminals try to compromise networks and encrypt them to demand ransom payments, which can amount to millions. 

This lure of potentially easy money attracts cyber criminals of all levels towards ransomware, from specialist ransomware gangs who keep the malware for themselves, to ransomware-as-a-service groups who lease out their illicit product to low-level malicious hackers who want to get in on the action. 

In recent months, some significant ransomware operators have seemingly disappeared. But that doesn't mean that ransomware is any less of a problem – new groups are emerging to fill the gaps. 

Cybersecurity researchers at Palo Alto Networks have detailed four upcoming families of ransomware discovered during investigations – and under the right circumstances, any of them could become the next big ransomware threat. 

One of these is LockBit 2.0, a ransomware-as-a-service operation that has existed since September 2019 but has gained major traction over the course of this summer. Those behind it revamped their dark web operations in June – when they launched the 2.0 version of LockBit – and aggressive advertising has drawn attention from cyber criminals. 

According to researchers, LockBit has compromised 52 organisations around the world since June. Perhaps most notably, criminals using LockBit compromised Accenture, although the company was able to restore from back-ups without needing to pay a ransom. 

The rise of LockBit hasn't gone unnoticed, as Australia's Cyber Security Centre has posted an alert warning organisations about the threat. 

But LockBit isn't the only form of ansomware that's on the rise – AvosLocker ransomware first appeared in July and offers a ransomware-a-as-service scheme that includes the operators taking care of negotiating ransoms.  

The group has compromised several organisations around the world, including law firms in the United States and the United Kingdom. Like other ransomware groups, AvosLocker leaks stolen data if a ransom isn't paid

SEE: A winning strategy for cybersecurity (ZDNet special report) 

Ransom demands following AvosLocker attacks are relatively low for ransomware in 2021, standing at between $50,000 and $75,000. But unlike many other ransomware groups that demand a payment in Bitcoin, AvosLocker asks for it in Monero – a cryptocurrency designed to be anonymous. Monero isn't as high-value as Bitcoin, but the added anonymity means that it's more difficult to trace cyber criminals who use it. 

Another new player in the ransomware market is Hive ransomware, which was first seen infecting organisations in June 2021. The attackers behind it also leverage stolen data and double extortion to coerce victims into paying the ransom.  

In total, Hive has so far claimed 28 victims –  including healthcare providers – in attacks that have the potential to disrupt patient care. This sort of cavalier attitude to the wellbeing of the general public could make Hive a dangerous ransomware threat. 

The fourth emerging threat detailed by researchers is a twist on an established form of ransomware. Hello Kitty ransomware first appeared in December 2020 and primarily targeted Windows systems. Now, researchers have identified a new version of Hello Kitty that targets Linux systems, opening a whole new platform for cyber criminals to target. 

"Ransomware not only is after Windows systems – now with the Hello Kitty variant targeting ESxi, they are trying to get a whole different market that wasn't explored before," Doel Santos, threat intelligence analyst at Unit 42, Palo Alto Networks told ZDNet. 

Organisations around the world have been targeted with this variant of Hello Kitty, which alters ransom demands depending on the target. The criminals have demanded as much as $10 million in Monero from one victim – although the operators are also open to accepting payment in Bitcoin. 

The rise of these ransomware groups just goes to show that, even as established groups seemingly disappear, new players rise to take their place. Many of these will adopt the tactics and techniques of successful ransomware outfits that came before them to make attacks as effective as possible. 

"Many more prevalent groups paved the way for these smaller groups to emerge, giving them a business model to follow to carry out operations. That's another reason why we see these emerging ransomware groups leverage double extortion approaches, which has become the standard since Maze ransomware," said Santos. 

No matter what type of ransomware cyber criminals are using, it represents a major threat to businesses. To help protect networks from falling victim to ransomware attacks, it's recommended that security patches are applied in a timely manner to prevent criminals exploiting known vulnerabilities. Multi-factor authentication should also be applied to all users to provide an extra barrier to attacks exploiting stolen or leaked usernames and passwords as an entry point. 

It's also recommended that businesses regularly update and test their backups – and store them offline – so if the network does fall to a ransomware attack, there's the ability to restore it without having to pay the ransom.

MORE ON CYBERSECURITY