
Ransomware attacks have become one of the most devastating forms of cybercrime, with cybercriminals using malicious software to lock victims’ files or entire systems and demanding large sums of money in exchange for the decryption keys. As businesses, governments, and individuals face an increasingly sophisticated threat landscape, numerous ransomware gangs have emerged, each with its own tactics, targets, and motives. The threat posed by these gangs continues to grow, especially with the increasing availability of “Ransomware-as-a-Service” (RaaS), which allows less-skilled hackers to launch high-impact attacks with ease.
In this article, we will explore some of the most active ransomware gangs currently wreaking havoc in the cyber world, along with their typical tactics and high-profile attacks.
1. LockBit
LockBit, often referred to as one of the most prolific and sophisticated ransomware gangs, continues to operate as a dominant force in the cybercriminal ecosystem. Initially emerging in 2019, the group is known for its high-speed attacks and strong encryption methods, making it difficult for victims to recover data without paying the ransom.
Tactics and Operations: LockBit operates under a Ransomware-as-a-Service (RaaS) model, meaning it rents its ransomware to affiliate hackers who execute attacks. This allows the group to expand its reach while focusing on development and innovation. LockBit has been known to target large corporations, healthcare institutions, and governmental entities. Its modus operandi includes exfiltrating sensitive data before encrypting it and threatening to release the stolen information publicly if the ransom is not paid.
Notable Attacks: LockBit has targeted organizations across a wide range of industries, including manufacturing and retail. One of its most notable attacks was against the French IT services company Sopra Steria, causing significant disruptions and leading to a multi-million-dollar ransom demand.
2. Conti
Conti ransomware, which has been active since 2020, has earned a notorious reputation for its speed, scale, and effectiveness. The group has been linked to multiple high-profile attacks on businesses and critical infrastructure, and it is considered one of the most advanced and dangerous ransomware gangs in operation today.
Tactics and Operations: Conti operates using the RaaS model as well, allowing affiliates to conduct attacks while sharing profits with the core developers. This gang is known for its double-extortion tactics: not only do they encrypt files, but they also steal sensitive data, threatening to publish it unless the ransom is paid. Conti has developed its own unique encryption techniques, which make it more difficult for victims to recover data even with the help of cybersecurity professionals.
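The double-extortion sequence described for LockBit and Conti above (steal data first, then encrypt) leaves a detectable order of events on the endpoint: a large outbound transfer followed shortly by a burst of file renames. The following is an added example, not code from the article or from any vendor: a small correlation rule over constructed host telemetry. The event format, the thresholds and the host names are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune them to the environment's normal baseline.
EGRESS_THRESHOLD = 1_000_000_000     # bytes sent to external hosts before the burst
RENAME_BURST = 20                    # renames within RENAME_WINDOW that look like encryption
RENAME_WINDOW = timedelta(seconds=30)

def parse_event(line):
    """Constructed format: '<iso-time> <host> <egress|rename> <bytes|filename>'."""
    ts, host, kind, detail = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), host, kind, detail

def detect_double_extortion(lines):
    """Return {host: severity}. 'high' = large egress followed by a rename burst
    (the exfiltrate-then-encrypt sequence); 'medium' = rename burst alone."""
    egress = defaultdict(int)
    recent = defaultdict(deque)
    verdict = {}
    for line in lines:
        ts, host, kind, detail = parse_event(line)
        if kind == "egress":
            egress[host] += int(detail)
            continue
        if kind != "rename":
            continue
        window = recent[host]
        window.append(ts)
        while ts - window[0] > RENAME_WINDOW:   # drop renames older than the window
            window.popleft()
        if len(window) >= RENAME_BURST:
            sev = "high" if egress[host] >= EGRESS_THRESHOLD else "medium"
            verdict[host] = "high" if verdict.get(host) == "high" else sev
    return verdict

def constructed_events():
    """Sample telemetry built inline: ws-17 pushes 2.4 GB out, then both hosts
    rename 25 files in 25 s; only ws-17 shows the full double-extortion sequence."""
    base = datetime(2024, 3, 1, 2, 0, 0)
    events = [f"{base.isoformat()} ws-17 egress 1800000000",
              f"{(base + timedelta(minutes=15)).isoformat()} ws-17 egress 600000000"]
    for i in range(25):
        t = (base + timedelta(hours=1, seconds=i)).isoformat()
        events.append(f"{t} ws-17 rename doc{i}.docx.locked")
        events.append(f"{t} ws-04 rename doc{i}.docx.locked")
    return events

if __name__ == "__main__":
    print(detect_double_extortion(constructed_events()))   # {'ws-17': 'high', 'ws-04': 'medium'}
```

A rename burst without prior egress is still worth an alert, since some affiliates skip the theft stage; the 'medium' tier keeps that case visible rather than silently dropping it.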
Notable Attacks: Conti’s most notorious attack came in early 2022 when it targeted the Ireland Health Service Executive (HSE). The attack caused widespread disruption to the country’s healthcare system, delaying medical procedures and resulting in significant financial and reputational damage. The group also targeted Kaseya, an IT management firm, in a supply-chain attack that affected hundreds of businesses globally.
3. REvil (Sodinokibi)
REvil, also known as Sodinokibi, gained significant attention following its involvement in several high-profile ransomware attacks. While the group appeared to go dark in mid-2021, it resurfaced in late 2022 under different branding, continuing to wreak havoc on organizations worldwide.
Tactics and Operations: REvil is known for its use of both encryption and data exfiltration, relying heavily on double-extortion tactics. It has been particularly aggressive in targeting large corporations and high-profile entities, including law firms and tech companies. The group often demands massive ransoms, sometimes reaching tens of millions of dollars.
Notable Attacks: One of REvil’s most famous attacks occurred in July 2021 when it targeted Kaseya and its managed service provider (MSP) clients. This attack affected over 1,500 businesses and caused millions of dollars in damages. Additionally, the group has been linked to attacks against JBS Foods, a major meat supplier, which led to significant disruptions in global food supply chains.
4. DarkSide
DarkSide is a ransomware gang that gained significant media attention after its attack on Colonial Pipeline in May 2021. The attack, which led to widespread fuel shortages across the United States, was one of the most disruptive cyberattacks in recent history.
Tactics and Operations: DarkSide operates using a RaaS model, and its tactics focus heavily on extorting high-profile companies for large ransoms. The group is known for carefully selecting its targets and attempting to avoid causing collateral damage—although this doesn’t always work out. DarkSide also steals sensitive data from victims and threatens to release it unless the ransom is paid.
Notable Attacks: The Colonial Pipeline attack was DarkSide’s most impactful, causing fuel shortages across the East Coast of the United States and drawing significant attention from government agencies and law enforcement. In response to mounting pressure, the group publicly stated that it would avoid targeting critical infrastructure in the future, although it continued to operate clandestinely.
5. Clop Ransomware
Clop is a ransomware group that has been active since 2019 and is known for targeting large enterprises and financial institutions. This group has been involved in some of the most significant data breaches of recent years, often demanding large sums of money in exchange for not leaking sensitive data.
Tactics and Operations: Clop ransomware primarily focuses on exploiting vulnerabilities in organizations’ networks and stealing data before launching a ransomware attack. Like many other groups, Clop uses the double-extortion method, threatening to leak sensitive data if the ransom is not paid. The gang operates using a mix of traditional ransomware methods and sophisticated attack vectors.
Notable Attacks: Clop has been behind several high-profile attacks, including those targeting the University of California, Synnex Corporation, and health service companies in Europe. The group also used the Accellion data breach as a springboard for its ransomware campaigns, exploiting a vulnerability in the company’s File Transfer Appliance (FTA) to steal sensitive data from hundreds of organizations.
6. Hive Ransomware
Hive, emerging around 2021, has quickly become one of the most dangerous ransomware gangs in the world. It has been particularly successful in targeting healthcare organizations, a critical and vulnerable sector.
Tactics and Operations: Hive uses the RaaS model, collaborating with affiliates who carry out the attacks. The group’s preferred tactic is double extortion—encrypting data and threatening to release sensitive information. Hive is also known for its targeted attacks, particularly on healthcare systems, where the group demands high ransoms while exploiting the urgency of their victims.
Notable Attacks: In late 2021, Hive launched a significant attack on MedStar Health, a large healthcare provider in the U.S. This attack disrupted the provider’s internal communications and systems, delaying patient care. Hive also targeted European healthcare providers, forcing many of them to halt services temporarily.
7. BlackCat (ALPHV)
BlackCat, also known as ALPHV, is one of the newer ransomware groups in operation, but it has rapidly become one of the most sophisticated and evasive. The group uses advanced encryption and has been linked to several large-scale ransomware attacks.
Tactics and Operations: BlackCat ransomware operates under the RaaS model and is particularly known for writing its ransomware in the Rust programming language, which makes it faster and harder for traditional security solutions to detect. The group primarily targets high-value organizations, including those in the finance, technology, and healthcare sectors.
Notable Attacks: One of BlackCat’s notable attacks was against a Russian aerospace company, which led to the theft of sensitive intellectual property. The group has also targeted global IT infrastructure companies, causing operational disruptions and financial losses.
Conclusion
Ransomware remains one of the most critical threats to businesses, governments, and individuals around the world. These gangs continue to innovate, using increasingly sophisticated tactics to maximize the impact of their attacks and extort large sums of money from their victims. Despite ongoing efforts by law enforcement and cybersecurity organizations to disrupt these operations, the evolution of ransomware-as-a-service platforms and the anonymity of cryptocurrency make these gangs difficult to stop.
Organizations must remain vigilant, invest in robust cybersecurity measures, and ensure they have comprehensive data backup and recovery protocols in place to mitigate the risk posed by ransomware attacks. The fight against these gangs is ongoing, and only through collaboration and continuous adaptation to emerging threats will it be possible to reduce the damage they inflict on the global landscape.