The underworld of ransomware operators is in a constant state of flux. In February 2024, Lockbit, one of the most prolific ransomware gangs, was taken down by an international law enforcement operation, and as each gang goes, new ones emerge to fill the vacuum.
Techopedia sat down with experts to explore the rising new gangs, how they connect to the wider ransomware ecosystem, and whether enforcement actions against established groups actually create opportunities for new ones.
RedCrypto App: A New Group Warming Its Engines
On April 3, 2024, Rakesh Krishnan, Senior Threat Analyst at Netenrich, published an investigation into a newly observed ransomware group.
The group, dubbed RedCrypto App, began operating in February and March 2024, around the time Lockbit and ALPHV were disrupted or forced to retreat.
To date, RedCrypto App has leaked the data of 12 organizations on its “Wall of Shame” leak site. In the report, Krishnan explains that the group is trying to make a big impression in order to build a reputation quickly, a common tactic among new ransomware operations.
“It’s clear the group leaked the data of all 11 victims on the same date, March 5, 2024. This suggests the group may have kickstarted their operations a while back, but waited for an optimal time to publish all victim data together to make a bigger splash and gain more attention in the ransomware community.”
Krishnan told Techopedia that, currently, this group cannot be linked to any nation.
“Like other ransomware groups, it is just another operation that sprang up on the dark web. The main motivation behind this group is financial, as far as we can see. The ransom demand is $5M.”
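The single-day publication Krishnan describes above is a pattern an analyst can watch for in any leak-site feed. The following Python script is an added example for this article, not Netenrich's tooling. It runs over a constructed feed of hypothetical leak-site entries (the group names, victims, sectors and dates are placeholders, not real data) and flags groups whose debut is a batch dump rather than a trickle, while tallying the sectors each group hits.

```python
"""Spot leak-site "batch debuts": a group whose first victims all appear on one day.

Added example for this article. It is not Netenrich's or any vendor's tooling,
and the feed below is constructed: group names, victims, sectors and dates are
hypothetical placeholders, not real leak-site entries.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class LeakPost:
    group: str    # name the operators use on their leak site
    victim: str   # victim as listed (hypothetical here)
    sector: str   # analyst-assigned industry tag
    posted: date  # day the entry first appeared on the leak site


# Constructed sample feed (hypothetical data).
SAMPLE_FEED = [
    LeakPost("BurstGroup", "victim-01", "manufacturing", date(2024, 3, 5)),
    LeakPost("BurstGroup", "victim-02", "manufacturing", date(2024, 3, 5)),
    LeakPost("BurstGroup", "victim-03", "manufacturing", date(2024, 3, 5)),
    LeakPost("BurstGroup", "victim-04", "it software", date(2024, 3, 5)),
    LeakPost("BurstGroup", "victim-05", "it software", date(2024, 3, 5)),
    LeakPost("BurstGroup", "victim-06", "education", date(2024, 3, 5)),
    LeakPost("BurstGroup", "victim-07", "hospitality", date(2024, 3, 20)),
    LeakPost("SteadyGroup", "victim-11", "healthcare", date(2024, 2, 1)),
    LeakPost("SteadyGroup", "victim-12", "retail", date(2024, 2, 8)),
    LeakPost("SteadyGroup", "victim-13", "healthcare", date(2024, 2, 15)),
    LeakPost("SteadyGroup", "victim-14", "legal", date(2024, 2, 22)),
    LeakPost("SteadyGroup", "victim-15", "retail", date(2024, 2, 29)),
    LeakPost("TinyGroup", "victim-21", "construction", date(2024, 3, 1)),
    LeakPost("TinyGroup", "victim-22", "construction", date(2024, 3, 1)),
]


def posting_profile(feed, group):
    """Return (first_day, share_of_posts_on_first_day, sector_counts) for one
    group, or None if the group has no posts in the feed."""
    posts = sorted((p for p in feed if p.group == group), key=lambda p: p.posted)
    if not posts:
        return None
    first_day = posts[0].posted
    on_first_day = sum(1 for p in posts if p.posted == first_day)
    return first_day, on_first_day / len(posts), Counter(p.sector for p in posts)


def batch_debuts(feed, min_posts=5, min_share=0.8):
    """Groups with at least min_posts entries where min_share or more of them
    landed on the group's first posting day. Returns {group: (first_day, total, share)}.
    Small groups are skipped: two posts on one day is not evidence of staging."""
    flagged = {}
    for group in sorted({p.group for p in feed}):
        first_day, share, _ = posting_profile(feed, group)
        total = sum(1 for p in feed if p.group == group)
        if total >= min_posts and share >= min_share:
            flagged[group] = (first_day, total, share)
    return flagged


if __name__ == "__main__":
    for group, (first_day, total, share) in batch_debuts(SAMPLE_FEED).items():
        _, _, sectors = posting_profile(SAMPLE_FEED, group)
        print(f"{group}: {share:.0%} of {total} posts on {first_day}; "
              f"top sectors {sectors.most_common(3)}")
```

Running the script prints the flagged group with its first-day share and top sectors. The min_posts threshold matters: two victims posted on the same day is ordinary, whereas a dozen on one day from a group nobody had seen before is the signature of an operation that ran quietly for a while before announcing itself.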
The Maze Ransomware Connection
It is common for ransomware and other cybercriminal operations to shut down when law enforcement gets too close, only to make a comeback later under a different name.
Even when leading figures of a group are arrested, tried, and imprisoned, the remaining members often rebrand and get back to business as usual. This is why investigations so often uncover connections between old and new criminal forces.
Interestingly, Krishnan from Netenrich found a connection between Maze and the new RedCrypto App group.
The Maze ransomware group announced that it was shutting down in 2020; however, many experts argue it could still be active under a different name.
Maze was not just any ransomware operator: it was one of the first ransomware families to threaten to leak victims’ confidential data if they refused to pay. That double-extortion tactic has since been adopted by nearly every modern ransomware group.
A portion of the ransom note used by RedCrypto App is identical to one from a 2020 Maze ransomware attack.
“This group has taken a portion of the ransom note which is the same as Maze Ransomware during their reign in 2020. Apart from this, there are currently no indicators that can tie both ransomware groups together. We need to wait until the sample gets out.”
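The kind of ransom-note overlap Krishnan reports can be checked mechanically. The following Python example is added for this article and is not Netenrich's method; NOTE_OLD and NOTE_NEW are constructed placeholders, not the real Maze or RedCrypto App notes. It normalises both texts so cosmetic edits do not hide reuse, then reports the word runs the notes share and how much of one note they cover.

```python
"""Find passages shared between two ransom notes.

Added example for this article, not Netenrich's method. NOTE_OLD and NOTE_NEW
are constructed placeholders, not the real Maze or RedCrypto App ransom notes.
"""
import re
from difflib import SequenceMatcher

# Constructed sample notes (hypothetical text).
NOTE_OLD = (
    "Attention! Your files are encrypted. We have also downloaded your "
    "confidential documents. If you do not pay, the data will be published "
    "on our news website. To restore files contact us via the link below."
)
NOTE_NEW = (
    "Hello. All your important files have been encrypted by our team. We have "
    "also downloaded your confidential documents. If you do not pay, the data "
    "will be published on our news website. Price: 5 million USD."
)


def normalise(text):
    """Lower-case, strip punctuation and collapse whitespace, so cosmetic edits
    (capitalisation, line breaks, punctuation) do not hide reused text."""
    text = re.sub(r"[^a-z0-9 ]+", " ", text.lower())
    return re.sub(r"\s+", " ", text).strip()


def shared_passages(note_a, note_b, min_words=6):
    """Return [(passage, start_a, start_b)] for runs of at least min_words
    consecutive words that appear in both notes, in order of note_a.
    SequenceMatcher finds the longest common run, then recurses on either side."""
    words_a, words_b = normalise(note_a).split(), normalise(note_b).split()
    matcher = SequenceMatcher(None, words_a, words_b, autojunk=False)
    passages = []
    for block in matcher.get_matching_blocks():
        if block.size >= min_words:
            passage = " ".join(words_a[block.a:block.a + block.size])
            passages.append((passage, block.a, block.b))
    return passages


def overlap_ratio(note_a, note_b, min_words=6):
    """Fraction of note_a's words that lie inside passages shared with note_b."""
    total = len(normalise(note_a).split())
    if total == 0:
        return 0.0
    covered = sum(len(p.split()) for p, _, _ in shared_passages(note_a, note_b, min_words))
    return covered / total


if __name__ == "__main__":
    for passage, start_a, start_b in shared_passages(NOTE_OLD, NOTE_NEW):
        print(f"shared (old word {start_a}, new word {start_b}): {passage!r}")
    print(f"overlap of old note covered by shared text: {overlap_ratio(NOTE_OLD, NOTE_NEW):.0%}")
```

A high overlap ratio is a lead, not an attribution. As the quote above cautions, recycled boilerplate is cheap to copy, so a shared passage should be corroborated with sample analysis, infrastructure, or tooling before two groups are linked.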
The Size of the Ransomware World: 11 Top Players, Hundreds of Operators Fighting for Power
Carl Wearn, Head of Threat Intelligence Analysis and Future Ops at Mimecast, told Techopedia that most criminal activity online, as in the offline world, is opportunistic.
“Ransomware groups are cropping up and disappearing rapidly, in some cases over weeks or a few short months.”
“As with any criminal enterprise, they are vulnerable to law enforcement or security service interdiction and shutdown activity, which has significantly increased in tempo over the last year,” Wearn said.
“On an estimation [of specifically ransomware groups], there are at least 11 significant groups known to be currently operating or selling a form of ransomware and leaking data, with numerous further criminal groups cropping up, or disappearing, intermittently monthly as they have varying levels of success.
“Given the popularity of the RaaS [ransomware-as-a-service] model, it’s extremely difficult to provide any confident estimate of the wider ecosystem this is supporting, but this is likely to be in the hundreds globally.”
Techopedia also talked to Bob Erdman, Associate VP of Research and Development at Fortra.
“Maze, RedCryptoApp, and others share many other similarities. Their goal is to exfiltrate data before ransoming the victim,” Erdman said.
“Financial gain is the primary motivation. Notoriety is typically a close second.
“They announced themselves to the world by publishing a Wall of Shame of several victims with a note that there will be more coming.
“It wouldn’t surprise me if they are doing this so they can be part of the Ransomware as a service ecosystem. It is sort of like advertising their skills in hopes that another criminal will want to partner with them and split the ransom.”
Ransomware: The Big Picture
While the industry welcomes international law enforcement action against ransomware groups, many fear that the disappearance of a single group means little given the vastness of the ransomware underworld.
Erdman of Fortra told Techopedia that a few years ago [July 27, 2021], the FBI reported that it was tracking over 100 ransomware groups.
“The bigger concern is the ecosystem that has been created in the past few years where the criminals are partnering with each other to leverage each other’s skills to improve different parts of the attack campaign to be more effective and efficient.”
Erdman believes that as law enforcement agencies continue to disrupt established ransomware groups, the remaining threat actors gain further opportunities to reconstitute their activities and rebrand under a new name, or simply to strike out on their own and establish a new operation.
New Ransomware Groups, New Tech: AI and Hackers
As disruptive technologies such as generative AI continue to advance, bad actors seize the opportunity to automate their attacks.
RedCrypto App is one of the new groups reported to be using artificial intelligence. Judging by its victim base, the group focuses on targets in the IT software and manufacturing industries, with further victims in education, construction, and hospitality.
Krishnan from Netenrich explained that his analysis of the group’s tactics found that RedCrypto App uses AI tools to curate the instructions found in its victim panel.
“Instructions such as the ransom note appear to be human-written. We can assume that the group is just beginning to make use of AI tools for its ransomware operations.”
RaaS vs. Ransomware Operators and AI
Wearn from Mimecast spoke about the industrialization of ransomware-as-a-service and how criminal platforms help bad actors streamline all aspects of an attack, from research to payment or leak.
“Key tailorable content with any RaaS or dedicated ransomware provider/actor is normally a tailorable ransom note or phishing message.
“These threat actors have likely been using limited AI processes for some time, preceding the recent hype and concerns that have entered public consciousness due to OpenAI and others,” Wearn said.
“The most likely short- to mid-term impact of threat actors’ increasing use of AI is time and cost savings and the ability to iterate and proliferate versions of their ransomware more quickly and easily, particularly in any RaaS model.
“It’s important to differentiate hacking groups from ransomware-as-a-service operators, as increasingly these operations are diffused,” Wearn added.
“The criminal ecosystem is evolving, and clearly attempting to utilize individual skillsets (which are in short supply globally), as effectively as possible.”
“As with all automated processes, we’ll see the use of AI increasingly, but this is likely to make individual criminals more productive in areas like opportunistic phishing as an initial vector for compromise.
“AI processes for obfuscation and security scanning detection have already been automated in malware for some time,” Wearn added.
“AI likely presents the most opportunity to them in terms of the victim contact/management process, given their ransomware tool would likely be deployed globally by disparate affiliates, and for the management of those affiliates as a gatekeeping/operational security device.”
Identifying New Ransomware Groups and Their Tech
Identifying new ransomware groups is an ongoing battle for cybersecurity researchers, spanning dark web and underground forum monitoring, deep web analysis, ransomware leak-site tracking, and attack forensics.
These groups constantly evolve their tactics and techniques, making it a challenge for defenders to stay ahead of the curve.
Richard Watson, Global and Asia-Pacific Cybersecurity Consulting Leader at EY — a multinational professional services network — spoke to Techopedia about the issue.
“Identifying ransomware groups is increasingly complex and complicated as they employ more sophisticated tools and techniques to avoid detection.
“They are continually evolving their tactics, techniques, and procedures (TTPs) to outpace security measures which can pose a challenge for cyber professionals when trying to track or anticipate their activities,” Watson said.
“Operating in secrecy, ransomware groups obscure their identities and locations using pseudonyms and anonymity tools, further complicating efforts to uncover their motives and individuals involved — and they can be situated anywhere worldwide, complicating law enforcement efforts to locate and apprehend their members.”
Regarding the technology new groups are using, Watson from EY said that attackers are broadening their arsenals with techniques such as man-in-the-middle attacks, spyware, and memory-scraping malware on point-of-sale (POS) systems, enabling them to intercept data, track touch-screen interactions, and extract specific information.
“On top of this, there is a rising trend of cybercriminals using generative AI for fraudulent activities, with 85% of security experts attributing the surge in cybercrime to this technology.”
Ransomware groups are also shifting towards data-theft extortion in place of traditional encryption-based attacks, underscoring the evolving nature of cyber threats.
“Integrating human and potentially automated content enables the creation of highly personalized and sophisticated ransom notes that may be better at evading detection by traditional security software,” Watson said.
“The adoption of AI tools by ransomware groups represents a troubling trend, complicating the task of security researchers in identifying and analyzing ransomware attacks.”
The Bottom Line
The world of ransomware is in flux, with hundreds of groups believed to be operating in the shadows.
While law enforcement crackdowns have disrupted established groups like Lockbit, these actions have also created space for new players.
New entrants like RedCrypto App are eager to make a name for themselves, typically pairing data exfiltration and extortion with encryption. They are also embracing a concerning new trend: the increased use of AI.
The fight against ransomware is far from over. Identifying new groups and their evolving tactics requires constant vigilance across the dark web, leak sites, and forensic evidence. The question remains: can law enforcement and security professionals keep pace with the ever-evolving ransomware threat landscape?