
Unmasking the Top 10 Ransomware Gangs That Dominated 2023

Ransomware groups are rapidly evolving, employing advanced techniques like double extortion to encrypt data and threaten victims with the release of sensitive information.

Ransomware groups evolve constantly and at a rapid pace, employing a variety of advanced techniques, such as double extortion and other illicit tactics.

The threat actors use a double extortion strategy, encrypting data as well as threatening their victims with the release of sensitive information or data.

Recently, security researchers have noted that hackers are increasingly targeting high-profile victims to maximize their profits by using the following methods:

  • Sophisticated malware

  • Larger ransom demands

In addition, some groups collaborate or share resources, making it harder for law enforcement and other security experts to effectively combat their activities.

Ransomware types

Below is a list of the types of ransomware used by threat actors to achieve their illicit goals:

  • Locker Ransomware

  • Crypto-Ransomware

  • Scareware

  • Leakware

  • Ransomware As a Service (RaaS)

Two types of ransomware are very popular and widely used by threat actors:

  • Locker ransomware

  • Crypto ransomware

Motivations of ransomware gangs

Below we have listed all the motivations:

  • Financial Gains

  • Ease of Use

  • Powerful Monetisation

  • Evolving Technologies

  • Politics

Top 10 Ransomware Gangs That Dominated 2023:

Below are the top 10 notorious ransomware gangs of 2023 discussed in this post:

  • LockBit

  • Alphv/BlackCat

  • Clop

  • Royal

  • BlackByte

  • Black Basta

  • Ragnar Locker

  • Vice Society

  • Everest

  • BianLian

Here are the top 10 notorious ransomware gangs of 2023:

LockBit

In September 2019, LockBit, a notorious ransomware group, emerged using a global ransomware-as-a-service model.

They targeted global companies and released versions 2.0 and 3.0 in June 2021 and 2022, respectively, featuring:

  • BlackMatter-based encryptors

  • New payment methods

  • A bug bounty program

Despite their innovations, LockBit Black suffered a setback when a developer leaked its builder online, compromising its credibility.

Alphv/BlackCat

The BlackCat/ALPHV ransomware group uses ransomware written in Rust to avoid detection and successfully encrypt victims’ files. The group targeted:

  • Western Digital

  • Sun Pharmaceuticals

Rust-written ALPHV/BlackCat ransomware requires an access token and features encrypted configurations, including:

  • Services/Processes lists

  • Allowlisted directories/Files

  • Stolen credentials

In addition, it erases Volume Shadow Copies, exploits privilege escalation, encrypts files using AES and RSA, and changes their extensions to “uhwuvzu”.

Clop

This stealthy group has managed to extort $500 million from several companies worldwide using their collaborative ransomware-as-a-service (RaaS) model.

The operators use the following to target a wide range of entities:

  • Software vulnerabilities

  • Phishing

Their most notable attack was the hacking of Accellion’s File Transfer Appliance in 2020, which affected global organizations.

In addition to encrypting files with a “.clop” extension, Clop teases data leaks as a means of denying access. As part of their extortion tactics, the Clop operators threaten to expose or sell victims' sensitive data and demand large cryptocurrency payments, indicating a sharp shift from typical ransomware trends.

Royal

As one of the most terrifying campaigns of 2022, Royal Ransomware emerged as a sophisticated threat.

Under the code name Dev-0569, they primarily targeted high-profile victims such as the following, demanding millions of dollars:

  • Silverstone Circuit

  • A major US telecom

As opposed to typical ransomware, Dev-0569, operated by a private group, purchases network access directly and employs double extortion tactics.

BlackByte

In July 2021, BlackByte surfaced, attracting the attention of the FBI and the United States Secret Service as a threat to US critical infrastructure.

BlackByte has evolved with multiple keys and continued operations despite the Trustwave decrypter released in October 2021, possibly due to Conti’s rebranding.

Despite its persistence in global attacks, it avoids Russian entities such as:

  • LockBit

  • RansomEXX

Black Basta

This ransomware appeared in February 2022 with several unique characteristics. It erases Volume Shadow Copies and replaces them with:

  • JPG wallpaper

  • ICO file

It encrypts files with the ChaCha20 algorithm together with a hard-coded RSA public key, unlike other ransomware that encrypts indiscriminately.

In addition, the file size determines whether a file is encrypted fully or partially, and encrypted files receive a .basta extension.

Ragnar Locker

Ragnar Locker ransomware and its operators have been targeting global infrastructure since December 2019, with victims including:

  • Portuguese carriers

  • Israeli hospital

Utilizing Remote Desktop Protocol, the group exploited Windows to extort huge amounts of money.

Furthermore, the threat actors threaten victims over decryption tools and the release of sensitive data. Ragnar Locker is considered one of the most dangerous ransomware families because it targets critical infrastructure.

Vice Society

Vice Society is a Russian-speaking hacking group that began operating in 2021. The group specializes in ransomware attacks against the following sectors:

  • Healthcare

  • Education

  • Manufacturing

Operating independently, they have targeted Europe and the United States with a double extortion approach, demanding over $1 million in their initial ransom demand and agreeing to settle for around $460,000.

Besides exploiting internet-facing apps and compromised credentials, they also move laterally using SystemBC, PowerShell Empire, and Cobalt Strike.

Additionally, the group exploits the Windows PrintNightmare vulnerability and evades detection by using disguised malware and process injection.


Everest

Since December 2020, Everest has transitioned from data exfiltration to ransomware, and now it focuses on Initial Access Broker services.

The group targets the Americas and the capital goods, health, and government sectors. It is well known for attacking AT&T and South American government entities, as well as the following ransomware:

  • EverBe 2.0

  • BlackByte

The group operates discreetly, and has managed to list nearly 100 organizations on its dark website. It acts as an Initial Access Broker, which is a shift from direct ransomware attacks.

BianLian

The BianLian ransomware first emerged in June 2022 and is written in the Go programming language. It exfiltrates data via the following channels:

  • RDP

  • FTP

  • Rclone

  • Mega

It primarily targets the following sectors:

  • Financial institutions

  • Healthcare

  • Manufacturing

  • Education

  • Entertainment

  • Energy

They initially used encryption for ransom, but later introduced data exfiltration, threatening disclosure. After Avast released a decryptor in January 2023, the group shifted its focus to data theft and stopped encrypting files.

Through spearphishing, the malware connects to its command server, downloads tools, and secures a lasting hold on the system.
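Several behaviours described above can be hunted for in endpoint telemetry: Volume Shadow Copy deletion (BlackCat, Black Basta), mass renames to a ransomware extension (.clop, .basta, uhwuvzu), and Rclone transfers (BianLian). The following is an added example, not part of the original article; the event format, field names, command-line patterns, threshold and sample events are constructed assumptions.

```python
import re
from collections import Counter

# Extensions the article attributes to Clop, Black Basta and ALPHV/BlackCat.
RANSOM_EXTS = {".clop": "Clop", ".basta": "Black Basta", ".uhwuvzu": "ALPHV/BlackCat"}
# Assumed command-line patterns; Rclone is dual-use, so a hit needs analyst review.
CMD_RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("rclone_transfer", re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I)),
]
RENAME_THRESHOLD = 3  # assumed: renames by one process before it is flagged


def triage(events):
    """Return sorted (host, pid, finding) tuples for a list of event dicts."""
    findings, renames = set(), Counter()
    for ev in events:
        key = (ev["host"], ev["pid"])
        if ev["type"] == "process":
            for name, rx in CMD_RULES:
                if rx.search(ev["cmdline"]):
                    findings.add(key + (name,))
        elif ev["type"] == "rename":
            new = ev["new_path"].lower()
            for ext, family in RANSOM_EXTS.items():
                if new.endswith(ext):
                    renames[key + (family,)] += 1
    for (host, pid, family), count in renames.items():
        if count >= RENAME_THRESHOLD:
            findings.add((host, pid, f"mass_rename:{family}"))
    return sorted(findings)


# Constructed sample telemetry (not real incident data).
SAMPLE = [
    {"type": "process", "host": "ws01", "pid": 410, "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process", "host": "ws01", "pid": 512, "cmdline": "vssadmin list shadows"},
    {"type": "process", "host": "fs03", "pid": 900, "cmdline": r"rclone.exe copy D:\finance remote:bucket"},
    {"type": "rename", "host": "ws02", "pid": 77, "new_path": r"C:\tmp\note.txt.clop"},
]
SAMPLE += [{"type": "rename", "host": "ws01", "pid": 410,
            "new_path": rf"C:\Users\a\doc{i}.docx.basta"} for i in range(3)]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The single .clop rename on ws02 stays below the threshold and is not reported, which keeps one-off files with an unusual extension from raising an alert.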

Eric Joseph Gomes

Seasoned professional blog writer with a passion for delivering high-quality content that informs, educates, and engages readers.
