Ryuk threatened to put healthcare organizations, already overwhelmed by COVID-19 patients, at further risk of disruption last year.
Security researchers had assumed Ryuk's time had come and gone. Ryuk operator activity dropped off between April and August, when Conti ransomware emerged using similar malware code to the second version of Ryuk, according to Emsisoft.
But in early 2021, researchers identified a wormable, Ryuk-like strain, which hinted at a rebrand.
For Emsisoft, it indicated two likely scenarios:
- Conti is in fact a "splinter group" of Ryuk, giving operators the time needed to develop a new strain, or
- Conti and Ryuk are separate entities with coincidental timing
Ransomware groups go dark for a number of reasons — members join other gangs, law enforcement intervenes, or a rival hurts operations — but it's tempting to oversimplify the decisions groups make. When ransomware hits companies, knowing the group behind the attack offers perspective on their goal, whether it was economic disruption, money or simply chaos.
Ultimately, when handling ransomware actors, security professionals need to get inside the mind of a criminal. If a group disappears, whether their ransomware was reverse engineered or a flaw was found, they retreat to overcome the issue.
Either that, or groups are just trying to keep up with their competition.
"Conti continues to be a very active group, but Ryuk has been quiet lately. Interestingly, we've seen some seasonality to the disappearance and reappearance of some groups," said John Shier, senior security advisor at Sophos. "The re-emergence of these groups is simply them coming back from vacation. I've never been to Sochi, [Russia] in the summer, I hear it's nice."
Security researchers do not and cannot fully understand what ransomware groups do what they do, or why they do it. Criminals are not known for telling the truth, and what they say is usually the only explanation for a disappearance.
"We must focus on disrupting these groups as much as possible. If they're constantly having to rebrand, they will be less focused on attacking us," Shier said.
A look back at 2020
In the last three years, ransomware graduated from a criminal nuisance to a national security threat. General Paul Nakasone, commander of U.S. Cyber Command, director of the National Security Agency, and chief of Central Security Service, expects the U.S. to deal with ransomware every single day for at least the next five years, he said during the Mandiant Cyber Defense Summit earlier this month.
Code is repeated across ransomware groups, so researchers will find evidence of "old" gangs in "new" ones. Because of this, the focus of businesses is the mode of operation, not necessarily the group behind the ransomware.
Each ransomware group uses different tactics, techniques and procedures (TTPs). If one group is successful, other groups will copy the TTPs and add flair. Ransomware groups can quickly pivot their methods because they are usually human-operated — another trend that has made ransomware so prolific in recent years.
"Ransomware gangs are significantly more complicated than many people realize and rival corporations in their division of responsibility and structure," said Darren Williams, founder and CEO of BlackFog. "It is not at all surprising that they also have branding challenges as they compete with other gangs and try to stay relevant and successful against their peers."
Top ransomware variants of 2020
| Variant/aliases | Modes of operation | Delivery method (beyond phishing) |
|---|---|---|
| Ryuk | Spray and pray | Commodity malware: Trickbot, Emotet; exploits in endpoint software |
| Maze (ChaCha) | Targeted | RDP; vulnerable external services; exploit kits including Spelevo |
| Defray777 (RansomEXX, Target777) | Targeted | Software vulnerabilities |
| WastedLocker | Targeted | Disguised in malicious software updates |
| GandCrab, REvil | Targeted | RDP |
| NetWalker (MailTo) | Targeted | RDP; exposed VPNs and web apps |
| DoppelPaymer (BitPaymer) | Targeted | Fake software installers; Dridex |
| Dharma (CrySIS, Wadhrama) | Spray and pray | RDP; fake software installers |
| Phobos (Dharma) | Spray and pray | RDP |
| Zeppelin (Buran, VegaLocker) | Spray and pray | RDP |
SOURCE: Palo Alto Networks' Unit 42 2021 Ransomware Threat Report
Ransomware attacks leverage automated vulnerability scans, remote desktop protocol (RDP), password spraying, misconfigurations — all of which could be addressed with foundational security elements.
Nine in 10 million-dollar attacks are preventable, according to Sam Olyaei, director analyst at Gartner, during the virtual Gartner IT Symposium/Xpo last week. "It's preventable by basic hygiene; We're essentially leaving our doors wide open, our windows open."
Enablers
Security researcher Will T. from BushidoToken observed that despite highly successful ransomware, including Maze, Egregor and GandCrab, it's common for "ransomware groups to abruptly stop campaigns," he said in his blog.
Notable ransomware rebrands
| Ransomware | Alternate names |
|---|---|
| GandCrab | REvil |
| WastedLocker | Hades, Phoenix, Macaw |
| BitPaymer | DoppelPaymer, Grief |
| Maze | Sekhmet, Egregor |
| DarkSide | BlackMatter |
| Defray777 | RansomEXX |
| MountLocker | AstroLocker, XingLocker |
| Babuk | Payload.bin, Groove |
| Prometheus | Spook |
| Nemty | Nefilim, Karma |
SOURCE: BushidoToken
Avaddon operators released decryption keys for more than 2,900 victims in June. However, there were only 180 victims leaked on Avaddon's darknet leak site.
"The number of keys versus the number of victims leaked to Avaddon Tor site also highlights that our visibility into ransomware campaigns is foggy. Each of the 40 (or so) groups that has a darknet leak blog is also likely launching much larger campaigns than the number of leaks lead on," BushidoToken said.
The security community remains wary of why a group would drop decryption keys. Some experts believe the mounting pressure international law enforcement is putting on ransomware gangs is forcing them underground. This creates "a very complex web to try and understand from the outside," Williams said.
In Ryuk and Conti's case, Williams suggested that the group may have realized it made a mistake in the rebrand. "They already had some brand name recognition, so they switched back to a name people recognized."
CrowdStrike tracked "eCrime enablers," who work with a variety of criminal actors, showing just how often prolific ransomware strains overlap. These malware as a service operators either distribute, sell, develop, collaborate, or are affiliated with many large players in ransomware, according to CrowdStrike's 2021 Global Threat report.
Ransomware ecosystem has overlapping affiliates
| eCrime enabler | Operates | Likely operates | Affiliate of | Distributes |
|---|---|---|---|---|
| Wizard Spider | Ryuk, Conti, BazarLoader, Anchor, Sidoh, MagneticScraper | |||
| Twisted Spider | Maze | Egregor | ||
| Mummy Spider | Emotet | |||
| Carbon Spider | DarkSide | REvil | Zloader | |
| Doppel Spider | DoppelPaymer, DoppelDridex |
SOURCE: CrowdStrike's 2021 Global Threat report
REvil's disappearance, reappearance and disappearance
REvil/Sodinokibi is one Russia-based group that keeps the security community guessing. It has the resources to constantly evolve, for any reason the group wants.
"These cybercriminals are effectively mercenaries that will work with whoever they choose, often multiple gangs at once," Williams said.
About two weeks after the group disrupted Kaseya and its customers in July, REvil's Happy Blog was wiped from the internet. The security community speculated as to why REvil disappeared. Some theorized the FBI disrupted its servers and reportedly secretly held onto its decryption keys (which was later confirmed) and Bitdefender announced the availability of a universal decryptor for REvil by Sep. 16.
But the group rebounded by restoring its infrastructure through backups in early September.
"We don't really know for sure why REvil disappeared even and halted their attacks," said Brett Callow, threat analyst for Emsisoft, who spoke on a Recorded Future webcast Oct.12. The group is either "supremely arrogant or supremely stupid, which remains to be seen, I suppose," said Callow.
With international law enforcement agencies attempting to track and disrupt the gang, it seems like it would have been a bad idea for REvil to "restart their exact same infrastructure that they had before," said Allan Liska, intelligence analyst for Recorded Future, during the webcast. "I don't think they're stupid, but it seems like a really dumb move."
Researchers got some clarification on Oct. 17 when one of REvil's administrators, "0_neday," resumed the group's operations because they believed one of its leaders, "Unknown," disappeared, according to Shier. On Oct. 17, 0_neday wrote on an online forum, signaling a second shutdown for REvil, according to Recorded Future intelligence analyst Dimitry Smilyanets. "The server was compromised, and they were looking for me."
The operator claimed Unknown was thought to be dead in July, but "someone brought up the hidden-services of a landing and a blog with the same keys as ours," the operator wrote. "For now, we're off."
In this case, the first note suggested the initial shutdown might have been because of a rift among the operators, which is a legitimate reason ransomware gangs disbanded.
"The latest disappearance is allegedly due to them losing control of their infrastructure," said Shier. But "there is no confirmation as to what caused this" — until Oct.21.
A multi-nation effort pushed REvil offline, confirming 0_neday's messaging — that an unknown entity breached REvil's servers and law enforcement was looking for them. For the FBI and U.S. Cyber Command, "REvil was top of the list," said Tom Kellermann, head of VMware's cybersecurity strategy and U.S. Secret Service adviser, Reuters reported.
