Beware of Low-Profile Ransomware Gangs Chasing Your Money

Ransomware attacks are one of the dominant themes in cybersecurity news, with headlines often highlighting the activities of large, well-established groups. While these operations are a serious concern, they represent only a fraction of the ransomware ecosystem.

A lesser-known but more widespread threat is brewing from smaller ransomware groups — operating on the fringes and targeting less well-defended organizations.

Unlike their established counterparts, they often lack resources and notoriety, relying on rudimentary tactics and sometimes empty threats. Yet that does not stop them from succeeding.

This article explores the characteristics and potency of these under-reported threat groups. We also interview cybersecurity experts to understand the broader impact and the best defensive practices.

Key Takeaways

  • Lesser-known ransomware groups pose a significant threat, often operating under the radar and targeting less well-defended organizations.
  • These immature groups rely on simpler tactics like exploiting known vulnerabilities, compromised credentials, or brute-force attacks, but can still cause disruption and financial losses.
  • SMBs are the primary targets for these groups due to their lower defenses, high number of potential victims, faster payouts, and limited visibility.
  • Implementing basic security measures like strong passwords, multi-factor authentication, regular patching, solid backups, and security awareness training can significantly reduce the risk of falling victim to these attacks.
  • Seeking external support from Managed Security Service Providers (MSSPs) can be a strategic solution for organizations struggling to maintain robust cybersecurity defenses.

The Elusive Nature of Low-Profile Ransomware Gangs

For many years, the exploits of well-known ransomware groups like LockBit and BlackCat have drawn the most attention. While nearly all countermeasures have been directed at these groups, their lesser-known counterparts have operated under the radar.

This was among the findings of research by cybersecurity firm GuidePoint Security, which identified the key indicators that characterize these low-profile ransomware groups.

GuidePoint classified these groups as:

Using Anonymity as their Shield

Unlike established Ransomware-as-a-Service (RaaS) groups with a cultivated brand, these are ‘immature’ groups operating in the shadows. They may have no name at all, or use throwaway aliases, making it difficult to track their history and warn potential victims. This allows them to avoid consequences for past actions, like failing to deliver decryption tools after an attack.

Simpler Tactics, Similar Impact

Established groups are known for their cutting-edge exploits and deception tactics. GuidePoint’s research, however, suggests that the immature groups rely heavily on simpler tactics – exploiting known vulnerabilities, using compromised credentials, or brute-forcing logins. Their attacks may also be less thorough, leaving tools behind or achieving only incomplete encryption and little or no data exfiltration.

Limited Resources and Reach

The lesser-known groups lack the infrastructure and resources of established operations. Because their own tooling tends to be of lower quality, they may fall back on readily available ransomware strains and rely on non-dedicated communication channels such as email or Telegram.

Oren Koren, Co-Founder and CPO at Veriti, told Techopedia that the smaller ransomware groups may lack the resources and attack engine of their own, but ride on the infrastructure already built by the known groups to pull off their attacks.

He said:

“As in any development cycle, you need to have development teams, research and QA; however, the immature groups are not in that position. The bigger groups that built the infrastructures like RaaS as the “engine behind the technology” are one of the reasons behind their success.”

Known Immature Ransomware Actors in Action

According to GuidePoint, two groups, Phobos and DATAF LOCKER, demonstrate the disruption and lingering anxiety that newcomer ransomware actors can inflict, even without the technical prowess of their established counterparts.

Phobos – The Re-Extortionist: While Phobos’ attacks may utilize readily available ransomware strains, their true weapon is fear. Their tactic of re-extortion, demanding additional payments after an initial ransom is paid, throws victim organizations into a cycle of disruption and uncertainty. Beyond the initial financial loss, the threat of leaked data or further attacks can have a significant impact on morale and productivity. The hidden cost here lies in the wasted time and resources spent negotiating with an unreliable actor, and the constant fear of future attacks hindering normal operations.

DATAF LOCKER: DATAF LOCKER’s technical shortcomings often result in incomplete encryption or the potential for data recovery without paying the ransom. However, this doesn’t negate the hidden impact of their attacks. The initial discovery of encrypted data creates a sense of panic and urgency within organizations. This period of disruption, while data recovery efforts are underway, can be costly. Even if the data is recovered, the hidden cost lies in the lost productivity, the shaken confidence in IT security, and the lingering fear that the attackers might return with improved capabilities.

SMBs Are the Main Target of Immature Ransomware Groups

While both large organizations and SMBs are susceptible to ransomware attacks, the GuidePoint Security report suggests up-and-coming ransomware groups primarily target smaller businesses.

This revelation coincides with a report by the Identity Theft Resource Center (ITRC), which found that a staggering 73% of small business owners in the US reported cyberattacks last year.

Their choice of SMBs boils down to several key factors:

Lower Defenses Mean Easier Entry

Larger organizations often invest heavily in cybersecurity measures like firewalls, intrusion detection systems, and security awareness training. Immature groups, lacking the sophistication to bypass these defenses, find it easier to exploit weaknesses in smaller businesses with fewer resources dedicated to cybersecurity.

Exposed ports, outdated software, and a lack of employee training create exploitable vulnerabilities for these less-equipped attackers.

Higher Number of Potential Victims

Ransomware groups increasingly target SMBs not only because they lack adequate security but also because of the sheer number of potential victims. This was the opinion of Nick Hyatt, Director of Threat Intelligence at Blackpoint Cyber, when he spoke with Techopedia.

He said:

“Targeting small businesses can be a lucrative enterprise – there are more than 33 million SMBs in the United States alone, making them a much larger target than enterprises.”

He explains that by going after a “wider swathe of businesses, less mature ransomware groups can extort many smaller payments” instead of seeking massive ransoms from larger companies. The economics incentivize casting a wide net across SMBs.

Faster Payouts with Less Risk

Immature groups may not have the patience or resources to engage in lengthy negotiations or complex extortion tactics typically employed by established RaaS groups. Smaller businesses, with less complex data structures and limited media attention, may be more likely to cave to initial ransom demands to minimize disruption and avoid negative publicity. This faster turnaround translates to quicker payouts for the attackers with a lower risk of getting caught.

Limited Visibility Means Lower Stakes

Unlike high-profile attacks on major corporations that garner significant media attention, immature groups targeting SMBs operate under the radar. This lower visibility keeps them off law enforcement’s priority list, so they can potentially repeat their tactics against multiple smaller victims before raising red flags.

Defending Against the Immature Threat: Essential Safeguards

In the face of this type of threat, businesses struggling to maintain robust cybersecurity defenses are advised to seek external support from specialized providers.

Paul Laudanski, Director of Security Research at cybersecurity firm Onapsis, advocates leveraging Managed Security Service Providers (MSSPs) as a strategic solution.

He told Techopedia:

“If companies are under-resourced, probably a step in the right direction is to take advantage of an MSSP, a company specializing in offering services such as mapping out the threat landscape, putting in appropriate monitoring and detection capabilities, running a vulnerability management program.”

Hyatt of Blackpoint Cyber advocates a back-to-basics approach as a critical line of defense.

“Businesses should focus on security basics,” Hyatt states, outlining a set of essential measures that can significantly reduce the risk of falling victim to these debilitating attacks. His recommended practices include unique, complex passwords; multi-factor authentication; a routine patch schedule; solid, tested backups; and security awareness training.

Hyatt acknowledges that while there is no foolproof solution to prevent ransomware infections entirely, implementing these security fundamentals diligently can prove invaluable.

He added:

“Being diligent about basic security hygiene can reduce the risk of an attack causing catastrophic damage.”
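Two of the simple tactics the article attributes to these groups, brute-forcing logins on exposed services and logging in with guessed credentials, leave a recognisable trace in authentication logs. The following Python detector is an added illustration, not code from the article or from GuidePoint; the SSH-style log lines are constructed, and the failure threshold and time window are assumptions a defender would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on OpenSSH-style auth logging (not taken from the article).
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[811]: Failed password for admin from 203.0.113.7 port 50122 ssh2
2024-05-01T10:00:03 sshd[811]: Failed password for admin from 203.0.113.7 port 50123 ssh2
2024-05-01T10:00:04 sshd[811]: Failed password for root from 203.0.113.7 port 50124 ssh2
2024-05-01T10:00:06 sshd[811]: Failed password for admin from 203.0.113.7 port 50125 ssh2
2024-05-01T10:00:08 sshd[811]: Failed password for admin from 203.0.113.7 port 50126 ssh2
2024-05-01T10:00:09 sshd[811]: Accepted password for admin from 203.0.113.7 port 50127 ssh2
2024-05-01T10:15:00 sshd[902]: Failed password for alice from 198.51.100.4 port 41000 ssh2
2024-05-01T10:30:00 sshd[903]: Accepted publickey for alice from 198.51.100.4 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(log_text):
    """Turn matching log lines into (timestamp, result, user, source_ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events

def detect(log_text, threshold=5, window=timedelta(minutes=5)):
    """('brute_force', ip, count) once `threshold` failures from one source fall inside
    `window`; ('success_after_failures', ip, user) when that source then logs in."""
    alerts = []
    failures = defaultdict(list)   # source ip -> timestamps of failures still inside the window
    flagged = set()                # sources already reported as brute-forcing
    for ts, result, user, ip in sorted(parse(log_text)):
        if result == "Failed":
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, len(failures[ip])))
        elif ip in flagged:        # a success from a flagged source: credential likely guessed
            alerts.append(("success_after_failures", ip, user))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a single failing source is noise, but a success immediately after a burst of failures is the signature of a guessed or reused credential and the moment multi-factor authentication would have stopped the intrusion.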

The Bottom Line

The rise of less mature ransomware groups highlights the ever-evolving threat landscape and the critical need for a multi-layered cybersecurity approach.

Headlines may focus on the exploits of established ransomware operations, but these under-the-radar actors pose a significant, often underestimated threat, particularly for unprepared organizations.

The first line of defense is recognizing these groups, and GuidePoint’s research offers clues to their characteristics. Next, organizations should build a comprehensive defense strategy. The experts we spoke to have outlined the practices that matter most, and by following them, organizations can reduce the risk of falling victim to these groups.

Franklin Okeke
Technology Journalist

Franklin Okeke is an author and tech journalist with over seven years of IT experience. Coming from a software development background, his writing spans cybersecurity, AI, cloud computing, IoT, and software development. In addition to pursuing a Master's degree in Cybersecurity & Human Factors from Bournemouth University, Franklin has two published books and four academic papers to his name. His writing has been featured in tech publications such as TechRepublic, The Register, Computing, TechInformed, Moonlock and other top technology publications. When he is not reading or writing, Franklin trains at a boxing gym and plays the piano.