The actors behind ransomware tend to fall into two categories: cybercriminal gangs, often based in Eastern Europe, and groups backed by states under heavy economic sanctions, such as Iran, Russia and North Korea. Historically the first prefer a shotgun approach, hitting as many victims as possible; the second behave more like snipers, picking specific targets. Here are a few of the groups that have been linked to recent ransomware and are still a threat.
TA2101: In November 2019, a California-based security firm was the first to report on TA2101, which had been using phishing emails to attack U.S. businesses and organizations, especially in health care. It has also attacked health care, IT and manufacturing targets in Germany and Italy. Its campaigns have delivered Maze and Buran ransomware along with Cobalt Strike, which is not ransomware but a commercial post-exploitation framework that attackers use to gain a foothold and move laterally before the ransomware is deployed.
Lazarus: Operational since at least 2009, Lazarus has been linked to North Korea, though the exact nature of the relationship isn’t clear. It is best known for the 2014 hack of Sony Pictures, carried out in response to the studio’s planned release of The Interview, a comedy satirizing Kim Jong-un. Lazarus is also thought to be behind the 2017 WannaCry ransomware, which spread on its own through the EternalBlue SMBv1 exploit and infected 300,000-plus computers worldwide.
Wizard Spider: This Russia-based cybercriminal group is thought to be one of the actors behind Ryuk, which was among the most pervasive ransomware threats of 2019 and is still wreaking havoc. A late-2021 intrusion attributed to the group’s Conti ransomware hit the corporate network of the Australian electricity generator CS Energy, although electricity generation and supply were not disrupted. Wizard Spider also operates TrickBot, a modular banking Trojan for Windows that steals credentials and financial data and has frequently served as the initial foothold for a later Ryuk deployment.
CryptoTech: There is compelling evidence that CryptoTech is the second actor behind Ryuk. Not much is known about the group beyond the fact that it communicates in Russian, but its involvement in Ryuk would be a lucrative enterprise: Ryuk has distinguished itself by ransom demands roughly ten times those of other ransomware families.
GRU: It was only a matter of time before ransomware became another weapon in the arsenal of the GRU, the Russian military’s intelligence agency. Its 2017 NotPetya attack primarily targeted Ukrainian victims but shut down corporations, ports and government operations worldwide. Although NotPetya displayed a ransom note, it was built so that files could not be recovered even if the ransom was paid, which is why analysts regard it as a wiper dressed up as ransomware. That fits the pattern of Kremlin-backed operations, whose main goal is to sow chaos rather than to collect payment. In that it succeeded: Wired magazine called NotPetya the “most devastating cyberattack in history.”
DarkSide: Unlike the GRU, the DarkSide gang, which is probably Russian-based, appears to be an apolitical operation interested only in profitable “big game” targets. It runs a ransomware-as-a-service model, and according to an update on its DarkSide Leaks blog it forbids its affiliates from attacking organizations in the health care, nonprofit and education sectors. Nevertheless, its May 2021 attack on Colonial Pipeline, which disrupted U.S. fuel distribution and prompted numerous emergency declarations, shows that it is willing to cause widespread disruption when a hefty ransom is at stake.