Illusive Blog February 5, 2021

The Major Ransomware Threat Groups and What Makes Them Effective

By Claire Trimble

2020 was a banner year for ransomware. According to a recent report by blockchain analysis firm Chainalysis, ransomware gangs collected at least $350 million in ransom payments last year, a 311% increase over the payments recorded in 2019.

This will be the first article in a 3-part series looking at the evolving nature and sophistication of ransomware attacks. This series is a snapshot from the comprehensive eBook on the topic, Ransomware, Inc: The Rise of Targeted Ransomware Crime Syndicates, published by Alissa Valentina Knight and Knight Ink, and commissioned by Illusive. 

What are the major known groups behind ransomware attacks in recent years? And what is making them so much more effective?

Not the ransomware of old

These aren’t your grandparents’ ransomware attacks (by which I mean those of just a few years ago). The “spray and pray” method of old, scattering ransomware across the internet and hoping to hit paydirt through sheer numbers, has given way to highly targeted strains aimed at specific victims.

Today’s attacks on large enterprises are carried out by sophisticated, well-resourced actors, some of them nation states or groups trained or supported by them.

As Knight writes:

Ransomware crime syndicates, much like the mob that the etymology of the word originated from, have grown from unsophisticated, loosely organized groups of just a handful of people. They’ve now grown in size to become large, transnational criminal enterprises raking in revenues in the billions from operating their own ransomware operations to leasing it out in “ransomware-as-a-service.”

Yes, the major ransomware threat actors have evolved: they have streamlined and greatly expanded their operations, and their business models have changed. The result is a growing and very dangerous cybersecurity threat.

Looking at the primary ransomware actors

So who are some of the main groups involved in ransomware? Here is a list, with a brief description of each.

Maze – Active since at least May 2019, Maze gained notoriety for being the first to exfiltrate a victim’s data and threaten to publish the stolen files unless the ransom was paid. Until then, most ransomware simply demanded payment to decrypt files once they were encrypted, and well-prepared companies could recover from robust backups without paying.

Maze both encrypted the files and exfiltrated the data post-compromise, and only then demanded a ransom, often threatening to publish the sensitive information on Dark Web leak sites. This was a game changer: an organization that can restore from backup still faces the exposure of its data, and the leak threat was leveraged to apply additional pressure to pay. FireEye has published a detailed analysis of the group’s tradecraft.

It’s unclear what the current status of Maze is. The group announced in November 2020 that it was shutting down, but some researchers consider Egregor (see below) to be essentially an offshoot of Maze.

Egregor – Egregor is a relatively new ransomware family (first spotted in September 2020) that is rapidly making its way to the top of the field.

Like Maze, Egregor uses “double extortion,” relying on stolen data on leak pages to pressure victims into paying the ransom.

Targeted environments are initially compromised through various means (RDP probing, phishing). Once a Cobalt Strike beacon payload is established and persistent, it is used to deliver and launch the Egregor payloads. Malwarebytes has published a more detailed write-up of the chain.

A widely reported attack on Barnes & Noble in October 2020 was attributed to the group, which claimed to have stolen unencrypted “financial and audit” data.

Ryuk – First spotted in August 2018, the Ryuk gang gained notoriety in 2019 by demanding multi-million-dollar ransoms from companies, hospitals, and local governments. According to one report, Ryuk is estimated to have earned $150 million from its ransomware attacks so far.

The variant was previously delivered via TrickBot, but more recently it has been paired with the Bazar loader.

A particular target of Ryuk has been the healthcare industry.

Ryuk was behind a wave of attacks across the globe in 2020, with a prime focus on the healthcare sector, including the massive attack on Universal Health Services. Shortly afterward, a joint advisory from CISA, the FBI and the Department of Health and Human Services (Alert AA20-302A) warned of an imminent threat to U.S. hospitals. It may feel like old news now, overshadowed by concern over U.S. election security and the later revealed SolarWinds attacks, but the warning was at the top of the headlines in late October.

Phobos – Phobos has been around since the end of 2018.

Named after the Greek god of fear, Phobos is one of several ransomware families distributed through compromised Remote Desktop Protocol (RDP) connections. Once it runs on a system, it encrypts ordinary-sized files in full. For large files it encrypts only selected segments, which is much faster than encrypting the whole file while still leaving it unusable, so the attacker can damage more data before being noticed.

Phobos ransomware primarily targets businesses, usually small enterprises.
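The segment-encryption behaviour described above has a practical consequence for defenders: a detector that measures the entropy of a whole file will barely notice a large file in which only a few segments are encrypted. The following Python model, added here as an illustration and not taken from Phobos or any real sample, encrypts small files in full and large files in fixed segments, then compares a whole-file entropy check with a windowed one. The size threshold, segment size, stride and the SHA-256 counter keystream are all assumptions chosen for the demo.

```python
import hashlib
import math
from collections import Counter

# Assumed demo parameters; not taken from any real ransomware sample.
FULL_ENCRYPT_LIMIT = 64 * 1024   # files up to this size are encrypted whole
SEGMENT_SIZE = 4 * 1024          # bytes encrypted per segment in a large file
SEGMENT_STRIDE = 64 * 1024       # distance between the starts of consecutive segments
DEMO_KEY = b"demo-key-not-secret"


def keystream(length, segment_index):
    """Toy SHA-256 counter-mode keystream standing in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(DEMO_KEY + segment_index.to_bytes(4, "big")
                              + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def segment_ranges(size):
    """Byte ranges a segmenting encryptor would touch for a file of this size."""
    if size <= FULL_ENCRYPT_LIMIT:
        return [(0, size)]
    return [(start, min(start + SEGMENT_SIZE, size))
            for start in range(0, size, SEGMENT_STRIDE)]


def encrypt_segmented(data):
    """XOR the chosen ranges with the keystream; applying it twice restores the data."""
    buf = bytearray(data)
    for idx, (start, end) in enumerate(segment_ranges(len(buf))):
        ks = keystream(end - start, idx)
        buf[start:end] = bytes(a ^ b for a, b in zip(buf[start:end], ks))
    return bytes(buf)


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for ciphertext, roughly 4 to 5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def max_window_entropy(data, window=SEGMENT_SIZE):
    """Highest entropy over fixed-size windows; catches encryption confined to segments."""
    return max(shannon_entropy(data[i:i + window]) for i in range(0, len(data), window))


def changed_fraction(before, after):
    """Fraction of bytes the encryptor actually altered."""
    return sum(a != b for a, b in zip(before, after)) / len(before)


def make_sample(size):
    """Constructed low-entropy 'document' content for the demo."""
    line = b"Quarterly revenue figures and audit notes; internal use only.\n"
    return (line * (size // len(line) + 1))[:size]


def demo():
    small, large = make_sample(32 * 1024), make_sample(1024 * 1024)
    small_enc, large_enc = encrypt_segmented(small), encrypt_segmented(large)
    return {
        "small_changed": changed_fraction(small, small_enc),
        "small_whole_entropy": shannon_entropy(small_enc),
        "large_changed": changed_fraction(large, large_enc),
        "large_whole_entropy": shannon_entropy(large_enc),
        "large_max_window_entropy": max_window_entropy(large_enc),
        "large_plain_max_window_entropy": max_window_entropy(large),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:32s} {value:.3f}")
```

With these parameters the 1 MiB sample has only about 6% of its bytes altered and its whole-file entropy stays close to that of plaintext, while the 4 KiB windowed check finds segments near 8 bits per byte. The lesson for detection engineering is to score entropy on windows (or on the first and last blocks of a file) rather than on the file as a whole, and to treat a jump in per-window entropy across many files in a short time as a ransomware signal.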

REvil / Sodinokibi – Back in June 2020, we learned that the REvil ransomware syndicate had begun auctioning off sensitive data stolen from companies hit by its malware.

The REvil developers, who operate a Ransomware as a Service (RaaS), claim to have made more than $100 million in one year by extorting large businesses across the world in various sectors, including Travelex, Grubman Shire Meiselas & Sacks (GSMLaw), Brown-Forman, Kenneth Cole, and GEDIA Automotive Group.

These are some of the major players, but obviously the list expands and evolves pretty rapidly. 

As Knight writes, these groups have now “grown in size to become large, transnational criminal enterprises raking in revenues in the billions from operating their own ransomware operations to leasing it out in ‘ransomware-as-a-service.’ RaaS affiliate programs adopt a shared revenue model where the operators take a portion of the profits their affiliates generate in a typical 60/40 split.”

At least 10 Ransomware as a Service (RaaS) groups have emerged since December 2019, with another nine groups dubbed “rising” powers tied to double-extortion efforts. Conti, in particular, has found the greatest success over the past year, claiming 142 ransomware victims.

Keep an eye out for future posts in this series on ransomware. 


Claire Trimble is Chief Marketing Officer at Illusive.