The Top 10 Ransomware Groups of 2023

This article takes an in-depth look at the rise in ransomware attacks over the past year and the criminal groups driving the surge in cyber extortion. It profiles the top 10 ransomware groups of 2023 currently plaguing companies worldwide, examining their hacking techniques, most popular targets, the disruption they cause, and how they’ve impacted the global economy to the tune of an estimated $30 billion.

LockBit has established itself as one of the most notorious ransomware operations since emerging on the scene in late 2019. Operating as a ransomware-as-a-service (RaaS) provider, LockBit sells access to its ransomware and infrastructure to affiliates who then conduct attacks. Small and medium-sized businesses have been particularly hard hit by LockBit and its double extortion tactics of encrypting data and threatening to leak it if ransoms are not paid.

Through various infiltration methods like exploiting unpatched vulnerabilities, purchasing access to networks, insider threats, and zero-day exploits, LockBit affiliates gain initial access. They have released several ransomware variants over the years, with the latest version 3.0 uncovered just this past June.

With reported ties to pro-Russian cybercrime rings, LockBit is known for sophisticated attacks. The FBI estimates they have carried out around 1,700 US attacks since 2020, collecting approximately $91 million in ransom.

Some significant LockBit attacks include breaching Boeing’s networks in November and threatening to leak a “tremendous amount” of sensitive data. They also claimed credit for hitting India’s National Aerospace Laboratories, threatening to publish stolen documents. At the time, the lab’s website was down globally though it’s unclear if the ransomware caused the outage.

BlackCat, also known as ALPHV or Noberus, first appeared in November 2021 and is written in Rust, making it capable of infecting both Windows and Linux-based systems. Known for triple-extortion tactics, BlackCat demands ransoms for decrypting infected files, not publishing stolen data, and avoiding DoS attacks.

The FBI notes BlackCat has affected at least sixty entities globally. Operating as a RaaS, it quickly became sophisticated, recruiting affiliates on cybercrime forums. BlackCat is linked to Russian-speaking cybercriminals and is related to previous variants like BlackMatter and DarkSide, the latter known for the Colonial Pipeline attack.

Notable attacks by BlackCat include the disruption of OilTanking GmbH, a German fuel company, in January, and an attack on Swissport, an aviation company, in February. For Swissport, BlackCat claimed to have exfiltrated 1.6TB of data, including internal documents and personal data like scanned passports and IDs. Despite Swissport containing the incident within 48 hours, BlackCat attempted to sell the stolen data, showcasing its double-extortion methodology.

The Clop ransomware group, also known as CL0P and TA505, is a highly active cybercriminal gang notable for its ransomware attacks. The U.S. State Department has offered a $10 million bounty for information on the group, underscoring the threat they pose.

Clop is associated with the FIN11 threat actor group and employs double extortion tactics, having previously targeted U.S. healthcare organizations. The group uses both wide-net methods and more focused, targeted approaches.

A significant attack by Clop was the exploitation of a previously unknown SQL injection vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer in May 2023. This attack involved infecting internet facing MOVEit Transfer web applications with a web shell named LEMURLOOT, used to steal data from underlying databases. This attack started in May with victims continuing to come forward months later.

Another major campaign occurred in late January 2023 when Clop targeted the GoAnywhere Managed File Transfer software with a zero-day vulnerability (CVE-2023-0669), affecting approximately 130 organizations over 10 days. The group sent ransom notes to executives of victim companies, threatening to publish stolen files if ransoms were not paid.

Emerging in early 2022, the Black Basta ransomware group quickly rose to prominence as both an aggressive ransomware operator and a new player in the RaaS market. In just its first few months, Black Basta confirmed over one hundred victims, including an alarming nineteen major enterprises, with most targets located in the U.S. construction and manufacturing industries.

Employing the troubling double extortion tactic of both encrypting files and stealing sensitive data to then threaten its release, Black Basta affected a wide range of organizations across North America and Europe. By September, they had breached over ninety networks using advanced intrusion techniques like the Qakbot trojan and PrintNightmare exploit.

Two notable attacks saw the American Dental Association disrupted and Deutsche Windtechnik’s wind turbine monitoring shut down for two days after finding their names on Black Basta’s leak site.

The Play ransomware group, also known as PlayCrypt, emerged in June 2022 and quickly became known for its ransomware extortion attacks targeting companies and governmental institutions globally. This group has been particularly active in countries like the United States, Brazil, Argentina, Germany, Belgium, and Switzerland.

One of the distinguishing features of Play ransomware is its use of intermittent encryption, a technique that partially encrypts a system to evade detection by static analysis tools typically used to identify ransomware infections. They have also been augmenting their toolbox with new tools and exploits, including vulnerabilities like ProxyNotShell, OWASSRF, and a Microsoft Exchange Server remote code execution, showcasing their evolving capabilities.

Security experts have suggested that Play may have links to Russia, based on similarities in the encryption techniques they use with other Russian-linked ransomware groups such as Hive and Nokoyawa. The group’s name derives from the “.play” file extension they use to encrypt victims’ data, leaving behind a message containing the word “PLAY” and an email address.

A high-profile breach attributed to the Play ransomware group occurred in 2022 when they attacked the Argentine judiciary of Córdoba. In 2023, Play launched a series of attacks in Switzerland. One notable incident involved the Neue Zürcher Zeitung newspaper, leading to the compromise of the systems of its service provider, CH-Media. This breach enabled Play to access the addresses of over 400,000 Swiss citizens living abroad.

Royal ransomware emerged as an operation in January 2022 and is made up of experienced ransomware actors from previous groups. It is not classified as a RaaS operation because it keeps its coding and infrastructure private, not allowing access to outside actors. The group has escalated its activities since 2023, shifting focus to high-value corporate targets to demand larger ransoms.

The methods employed by the Royal group include a blend of old and new techniques, such as callback phishing. This method involves luring victims into installing remote desktop malware, thereby providing the threat actors with relatively easy access to infiltrate the victim’s machine. Such tactics indicate that the group’s members are seasoned and skilled operatives.

According to the FBI and CISA, the Royal ransomware gang has compromised the networks of at least 350 organizations globally since September 2022, requesting a total of $275 million in ransom payments. This statistic underlines the extensive reach and impact of their operations.

The Royal ransomware is designed to function on Windows operating systems, using the OpenSSL library to encrypt files. Security firms have detected its signature and have been actively working to provide protection and guidance for organizations to guard against these threats.

The 8Base ransomware group, which emerged in March 2022, has quickly become a major ransomware player. Since June 2023, they have been actively targeting a wide range of victims across various industries, with a focus on small and medium-sized businesses. The United States, Brazil, and the United Kingdom have been particularly affected by their activities.

They have been observed using the Phobos ransomware variant, customized with a “.8base” extension to encrypt files. This suggests that 8Base may be leveraging RaaS offerings.

The group employs various initial access methods, including phishing emails and initial access brokers (IABs). They also use SystemBC to proxy their traffic and create an encrypted command-and-control channel.

One significant attack by the 8Base group targeted a U.S.-based medical facility in October 2023, highlighting their potential threat to the healthcare and public health (HPH) sector. They have also been responsible for nearly eighty attacks since March 2022, using tactics like encryption and “name and shame” to pressure victims into complying.

The BianLian ransomware group is a prominent cybercrime entity known for developing, deploying, and executing data extortion schemes. Active since at least June 2022, BianLian has targeted a wide range of organizations, particularly those in critical infrastructure sectors in the United States and Australia, including professional services and property development industries.

According to a report by a U.S. cybersecurity firm, as of September 2022, BianLian had claimed at least twenty victims across diverse sectors including insurance, medicine, law, and engineering. The group maintains a data leak site on the dark web (specifically, on Tor) where they list their victims, indicating the group’s continued and escalating activity.

Initially detected as an Android banking trojan in 2019, the BianLian ransomware has since evolved and is noted for its exceptionally rapid encryption capabilities, which are attributed to its development in the Go programming language.

The group has been known to leak substantial amounts of data, as seen in an incident where they claimed to have stolen 210 GB of technical and operational data from Air Canada, including information about vendors, SQL backups, and personal details of employees.

The Medusa ransomware group is known for encrypting victims’ files and wiping out backups and virtual hard disks to make recovery difficult. Notably, Medusa has gained notoriety for its focus on the healthcare sector, especially during the COVID-19 pandemic. They infect and encrypt systems in this sector and demand large ransoms for data retrieval.

Operating under the RaaS model, Medusa collaborates with global affiliates to expand its reach and impact. Since March 2023, the group has intensified its activities, increasingly targeting global enterprises. One of Medusa’s key tactics is the creation of the “Medusa Blog,” which is used to leak data taken from victims who refuse to pay the ransom.

Medusa ransomware is designed to target both Windows and Linux systems. It is typically distributed through executable files and gains initial access through exposed RDP servers using brute force attacks, sophisticated phishing emails, or exploiting existing vulnerabilities. Once activated, it encrypts files using the AES-256 algorithm and adds the “.medusa” extension. It also disables 228 services on infected computers, including major security software, and deletes the Volume Shadow Copy to prevent antivirus scans or the use of recovery tools.

One notable attack by the Medusa ransomware group occurred in March 2023, when they targeted the Minneapolis Public School district and demanded a $1 million ransom. Another significant breach took place against Toyota Financial Services (TFS), a subsidiary of Toyota Motor Corporation. In this attack, Medusa listed TFS on its data leak site on the dark web and demanded $8 million for the deletion of data allegedly stolen from Toyota. The threat actors claimed to have exfiltrated files, including financial documents, purchase invoices, hashed account passwords, and more, and threatened to leak the data if the ransom was not paid.

NoEscape is a ransomware group that emerged in May 2023, running a RaaS program. The group is notable for its recruitment of affiliates to conduct attacks in exchange for a share of the ransoms generated.

One high-profile breach attributed to NoEscape was against the Welsh furniture company Leekes, from which the group claimed to have stolen 130GB of data. Leekes was listed on NoEscape’s victim blog in September 2023, with threats to release further data.

NoEscape is believed to be a rebrand of the Avaddon ransomware gang, which ceased operations in 2021. The group targets enterprises in double-extortion attacks, involving both data theft and file encryption on Windows, Linux, and VMware ESXi servers. They threaten to release stolen data if ransoms are not paid, with demands ranging from hundreds of thousands to over $10 million. Interestingly, they prohibit attacks on CIS countries, offering free decryptors and breach information to victims from these regions.

The ransomware executes commands to delete Windows Shadow Volume Copies and disable system recovery options. It also terminates various applications to unlock and encrypt files and utilizes the Windows Restart Manager API to close processes that may prevent encryption. Encrypted files are marked with a 10-character extension unique to each victim.

NoEscape changes the system’s wallpaper to an image directing victims to ransom notes named ‘HOW_TO_RECOVER_FILES.txt’ in each folder. These notes include information about the breach and links to the NoEscape Tor negotiation site. The ransom demands are specified in bitcoins, and the site features a test decryption service and a chat panel for negotiations.

Shield your network with BlackFog’s advanced ADX technology and keep your data secure. Our behavioral analytics approach is at the frontline, defending against ransomware by stopping data theft before it starts.

Deploy BlackFog today and ensure your organization’s data never falls into the wrong hands. Register for an assessment today.

Learn more about how BlackFog protects enterprises from the threats posed by ransomware.