New research identifies four emerging ransomware groups currently affecting organizations and that show signs of becoming bigger threats in the future. Credit: Mikkel William / Getty Images New research from Palo Alto Networks’ Unit 42 has identified four emerging ransomware groups that have the potential to become bigger problems in the future. These are AvosLocker, Hive Ransomware, HelloKitty, and LockBit 2.0.Emerging ransomware threat groups“With major ransomware groups such as REvil and Darkside lying low or rebranding to evade law enforcement heat and media attention, new groups will emerge to replace the ones that are no longer actively targeting victims,” stated the security firm’s latest report Ransomware Groups to Watch: Emerging Threats. Within the research, Doel Santos, threat intelligence analyst, and Ruchna Nigam, principal threat researcher, detailed behaviors of the four ransomware groups.AvosLockerFirst observed in July 2021, AvosLocker operates within the ransomware-as-a-service (RaaS) model and is controlled by avos, which advertises its services on dark web discussion forum Dread. Its ransom note includes information and an ID used to identify victims, instructing those infected to visit the AvosLocker Tor site for recovery and data restoration. According to the research, ransom requests have been between $50,000 and $75,000 in Monero, with infections identified at seven organizations around the globe. Hive RansomwareBeginning operations in June 2021, Hive Ransomware has been detected targeting healthcare organizations and other businesses ill-equipped to defend against cyberattacks, according to the report. The group published its first victim on its leak site Hive Leaks, before going on to post details of another 28 victims. “When this ransomware is executed, it drops two batch scripts,” wrote the researchers. “The first script, hive.bat, tries to delete itself, and the second script is in charge of deleting the shadow copies of the system (shadow.bat). Hive ransomware adds the [randomized characters].hive extension to the encrypted files and drops a ransom note titled HOW_TO_DECRYPT.txt containing instructions and guidelines to prevent data loss.” Victims are directed via the ransom note to a chat function with the attackers to discuss decryption. The researchers are unable to specify the exact delivery method of the ransomware but suggest traditional means such as credential brute-forcing or spear-phishing could be at play.HelloKitty: Linux EditionThe HelloKitty family surfaced in 2020, primarily targeting Windows systems. Its name comes from its use of HelloKittyMutex. In 2021, Palo Alto detected a Linux (ELF) sample with the name funny_linux.elf containing a ransom note with verbiage that directly matched ransom notes seen in later samples of HelloKitty for Windows. Further samples were discovered, and in March they began targeting ESXi, a target of choice for recent Linux ransomware variants. “Oddly enough, the preferred mode of communication shared by attackers in the ransom notes across the different samples is a mix between Tor URLs and victim-specific Protonmail email addresses,” the researchers wrote. “This could indicate different campaigns or even entirely different threat actors making use of the same malware codebase.” Ransom demands as high as $10 million in Monero have been detected, though attackers are also willing to accept Bitcoin payments. The ransomware encrypts files using the Elliptic Curve Digital Signature Algorithm (ECDSA).LockBit 2.0Previously known as ABCD ransomware, LockBit 2.0 is another group that operates as an RaaS. Although in operation since 2019, Palo Alto has discovered recent evolution in the group’s methods, with the actors claiming their current variant is the fastest encryption software in operation. Since June, the group has compromised 52 global organizations. “All the posts by the threat actors on their leak site include a countdown until confidential information is released to the public, which creates additional pressure on the victim,” researchers write. Upon execution, LockBit 2.0 begins file encryption and appends the .lockbit extension. When encryption is complete, a ransom note titled Restore-My-Files.txt notifies victims of the compromise and offers advice on steps for decryption. Related content news CISA, FBI urge developers to patch path traversal bugs before shipping The advisory highlights how developers can follow best practices to fix these vulnerabilities during production. By Shweta Sharma May 03, 2024 3 mins Vulnerabilities news Microsoft continues to add, shuffle security execs in the wake of security incidents The company has appointed new product security chiefs as well as a customer-facing CISO as it continues to respond to high-profile attacks on its products and own network. By Elizabeth Montalbano May 03, 2024 4 mins CSO and CISO feature Malware explained: How to prevent, detect and recover from it What are the types of malware? How does malware spread? How do you know if you’re infected? We've got answers. By Josh Fruhlinger May 03, 2024 18 mins Ransomware Phishing Malware brandpost Sponsored by Cyber NewsWire LayerX Security Raises $26M for its Browser Security Platform, Enabling Employees to Work Securely from Any Browser, Anywhere Early adoption by Fortune 100 companies worldwide, LayerX already secures more users than any other browser security solution and enables unmatched security, performance and experience By Cyber NewsWire May 02, 2024 4 mins Cyberattacks Security PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe