Finding and Analyzing Ransomware Groups in 2023: A Guide

You don’t need to be an expert in cybersecurity to know that ransomware, which gets plenty of coverage in the media, is a threat – and one that’s getting worse. Cyberint’s research shows that Q2 2023 alone saw 1386 new ransomware cases, a 67 percent increase in ransomware victims compared to the preceding quarter. This number was surpassed in Q3 with a whopping 1420 cases.

Finding and analyzing ransomware groups is a central part of the Cyberint research team’s focus. We are constantly scanning Dark Web forums and apps like Telegram and Discord (among other sources) to detect activity by ransomware groups. We check Deep and Dark Web marketplaces for signs of new ransomware-related activity and analyze onion sites where ransomware gangs hide.

This is not easy work. Every ransomware group is different, and the level of threat that a given ransomware operation poses to legitimate companies can vary widely. Plus, since most ransomware gangs like to brag about how big and bad they are, simply assessing what threat actors say about themselves provides little insight into how much risk they actually pose.

That’s why we follow a systematic process for evaluating each new ransomware group that we discover. 

Analyzing ransomware groups: A peek into our process

Whenever Cyberint discovers a new ransomware group – something that happens multiple times a week – our research team constructs a profile that provides insight into what you might call the “business profile” of the organization. The profile is based on factors like the following:

• Ideology or agenda: What is the chief motive of the group? Are they just out to make money? Are they hacktivists pursuing an ideological cause? Are they state-sponsored attackers motivated by geopolitical competition? This insight is critical for understanding which types of businesses, industries, geographic regions and so on, the threat actors might target, as well as what they might do with compromised data.
• Leadership: Knowing who’s operating or directing a ransomware group is another way to infer what their potential targets are.
• Technology: The more we know about which technologies ransomware groups are using, the better we can anticipate how they will operate and how to block them. For instance, if they are going to use a certain type of publicly known malware, we can use that information to provide guidance to potential targets about how to block the malware.
• Tactics, techniques and procedures: Learning the TTPs of ransomware groups – such as how they typically gain initial access to a corporate network or how they escalate privileges once they have compromised a machine – is also crucial for anticipating and blocking attacks.
• Infrastructure: Identifying the infrastructure of the threat actor group is crucial, as it is yet another source of context about how they operate and how to block them.
• Quality: Assessing how good a group’s tools and infrastructure are provides a measure of how sophisticated the threat actors are likely to be, and how well they can circumvent defenses. For example, a group that writes its own unique malware is considered far more advanced than a group that uses only existing malware available on darkweb marketplaces.
• Connections: We want to know which other groups threat actors are associated with. This is another way to predict how they’ll operate and how sophisticated they are, while also gauging how strong of a reputation they have within the threat actor community.

This information allows us to establish a baseline understanding of the group.

The fluidity of ransomware groups

Getting the information to establish a ransomware group profile is challenging, in part, because ransomware actors are not usually forthcoming with the data. But it’s also difficult because it can be hard to determine who exactly belongs to the group, and who is merely associated with them but is not a core member.

Ransomware groups are fluid and although there may be only a handful of core members in the group, there are often collaborators who we need to research alongside the group itself. So, in addition to determining who belongs to the core group, we also need to identify outside collaborators.

Affiliates

Affiliates are people who use the tools and infrastructure that the ransomware groups develop. They are often the ones who carry out the actual attacks on organizations. They are not members of the group themselves. Affiliates of ransomware are often less well known than the RaaS operators on whose behalf they operate.

For example, the core ransomware group might develop encryption software, sometimes even provide the initial access and support infrastructure while an affiliate tests the ransomware product to ensure its quality. In return, the affiliate may receive a cut of the profits, but little of the fame.

Or the ransomware group might develop the malware but the affiliate launches the attack. The affiliates share the profit from that attack, but, again often the ransomware group themselves, not the affiliate would garner the news stories.

In recent years, affiliates have played a vital role in the proliferation of ransomware-as-a-service offerings such as REvil/Sodinokibi, Ryuk, Conti, Hive, DoppelPaymer, and Lockbit.

Knowing who a group’s affiliates are and what they do helps us identify additional ways to undercut the group’s operations.

Initial access brokers

Initial access brokers are people who break into corporate networks and set up a persistent backdoor, allowing access to the IT estates of the businesses they are targeting. They then sell the information needed to exploit the access to ransomware groups.

Determining who is helping ransomware groups gain access to the resources they target is important for blocking ransomware activities.

Ransomware groups think like businesses

When researching ransomware groups, it’s important to understand that most of them have the mindset of business operators. What they are doing is illegal and illicit, but most groups think of themselves as a sort of business, and they share goals with legitimate businesses.

“Cyber-criminal gangs are mirroring the practices of legitimate businesses,” as Beth Maundrill puts it in Infosecurity Magazine.

For example, ransomware groups care deeply about their brand reputation. After all, getting victims to pay ransoms is easier if you are a widely known group that has followed through on ransom threats in the past – and, likewise, has given victims their data back in exchange for ransoms.

Ransomware groups also include many different people with varying roles, just like a legitimate company. Gaining insight into their organizational structure helps us determine who does what to facilitate attacks and how we targets can block them.

We mention these points because it can be easy to dismiss ransomware groups as radical, incoherent organizations that are out to cause chaos but have no consistent plan in doing so. The reality is quite the opposite. Ransomware groups care about their reputations, and they care about having well-structured, efficient operations. Understanding these facts makes it easier to understand how each ransomware group behaves and mitigate the harm it may cause.

Cross-checking

Performing cross-checks to analyze the relationships between ransomware groups is another important part of our process. This process involves, above all, checking check code samples, which allows us to gain insight into where their code came from and what it says about their relationships.

For example, we might see a group using a version of the LockBit ransomware that overlaps with another group’s tool. From there, we make an assessment of whether the group is simply a rebrand of the other group, or they represent an offshoot. Making this judgment requires deep expertise and awareness of happenings in the ransomware world; for example, if we know that the piece of code in question was leaked a few months ago and picked up by many other groups, we’re more likely to conclude that the new group we’ve found is not just a rebrand of the original group but is instead its own, separate operation.

Validation of new ransomware groups

Using our sources often offers most of the proof and information we need to know if a ransomware group is a potential threat to our clients. If, however, we feel we need more information, members of the Cyberint research team often go undercover and communicate with the threat actors directly to extract more information. By doing this we often find out information about the groups make up and validity.

Why We do what we do: Assessing ransomware groups in 2023

Why do we spend so much time and energy finding and analyzing ransomware groups, you ask?

Part of the answer, of course, is that it’s our business. We generate insights about ransomware risks (among other types of threats) to keep our clients safe.

But our mission goes deeper than that. We’re also interested in helping the world at large become ransomware-free. In that respect, we don’t see ourselves as competitors with other threat intelligence companies that also research ransomware groups. Instead, we’re collaborators and colleagues working together to help organizations take a proactive stance against ransomware threats.

That’s why, for example, we often reveal ransomware actors to law enforcement, so that they can take appropriate action. Our main goal is not to find information and hoard it for ourselves and our clients alone; it’s to help protect everyone against ransomware threats.

Ransomware group discovery: A real-world example

As an example of how the process we’ve described above plays out in real life, where we analyzed and revealed the new Cloak ransomware group, which we analyzed and revealed publicly this year.

In this instance, we worked with other sources who identified the group’s advertising activity in underground forums. From there, research led us to the organization’s onion site, which we began exploring to determine who the group includes, which forums they use and which infrastructure they depend on. 

Fortunately, they were working to recruit new members, so we had a fair amount of posting activity to draw on. Indeed, in general, it’s easiest to find data about ransomware groups when they are in their early stages.

With these insights, we were able to establish the primary motive of the group (financial gain), their main areas of focus (Europe, although they had significant operations elsewhere as well) and which data they had compromised to date.

This is exactly the kind of data you’d need to determine whether your business is likely to be targeted by the Cloak ransomware group, and how the attack may happen. With that information, you can take steps to protect yourself – which is exactly what we want to help every organization do.

Threat Intelligence & Mitigating Ransomware Threats

It would be nice if ransomware attackers announced their identities, motives and strategies publicly. But they don’t. Unlike legitimate businesses, ransomware groups issue no quarterly reports or press conferences.

They do, however, elicit plenty of information that skilled analysts can use to establish a profile of their operations, then leverage that data to mitigate threats. That’s what we do all day long at Cyberint.

To learn more about how our threat intelligence research helps protect businesses against ransomware and other risks, request a demo.