New research identifies four emerging ransomware groups currently affecting organizations and that show signs of becoming bigger threats in the future.

New research from Palo Alto Networks’ Unit 42 has identified four emerging ransomware groups that have the potential to become bigger problems in the future. These are AvosLocker, Hive Ransomware, HelloKitty, and LockBit 2.0.

Emerging ransomware threat groups

“With major ransomware groups such as REvil and Darkside lying low or rebranding to evade law enforcement heat and media attention, new groups will emerge to replace the ones that are no longer actively targeting victims,” stated the security firm’s latest report Ransomware Groups to Watch: Emerging Threats. Within the research, Doel Santos, threat intelligence analyst, and Ruchna Nigam, principal threat researcher, detailed behaviors of the four ransomware groups.

AvosLocker

First observed in July 2021, AvosLocker operates within the ransomware-as-a-service (RaaS) model and is controlled by avos, which advertises its services on dark web discussion forum Dread. Its ransom note includes information and an ID used to identify victims, instructing those infected to visit the AvosLocker Tor site for recovery and data restoration. According to the research, ransom requests have been between $50,000 and $75,000 in Monero, with infections identified at seven organizations around the globe.

Hive Ransomware

Beginning operations in June 2021, Hive Ransomware has been detected targeting healthcare organizations and other businesses ill-equipped to defend against cyberattacks, according to the report. The group published its first victim on its leak site Hive Leaks, before going on to post details of another 28 victims.

“When this ransomware is executed, it drops two batch scripts,” wrote the researchers. “The first script, hive.bat, tries to delete itself, and the second script is in charge of deleting the shadow copies of the system (shadow.bat). Hive ransomware adds the [randomized characters].hive extension to the encrypted files and drops a ransom note titled HOW_TO_DECRYPT.txt containing instructions and guidelines to prevent data loss.”

Victims are directed via the ransom note to a chat function with the attackers to discuss decryption. The researchers are unable to specify the exact delivery method of the ransomware but suggest traditional means such as credential brute-forcing or spear-phishing could be at play.

HelloKitty: Linux Edition

The HelloKitty family surfaced in 2020, primarily targeting Windows systems. Its name comes from its use of HelloKittyMutex. In 2021, Palo Alto detected a Linux (ELF) sample with the name funny_linux.elf containing a ransom note with verbiage that directly matched ransom notes seen in later samples of HelloKitty for Windows. Further samples were discovered, and in March they began targeting ESXi, a target of choice for recent Linux ransomware variants.

“Oddly enough, the preferred mode of communication shared by attackers in the ransom notes across the different samples is a mix between Tor URLs and victim-specific Protonmail email addresses,” the researchers wrote. “This could indicate different campaigns or even entirely different threat actors making use of the same malware codebase.”

Ransom demands as high as $10 million in Monero have been detected, though attackers are also willing to accept Bitcoin payments. The ransomware encrypts files using the Elliptic Curve Digital Signature Algorithm (ECDSA).

LockBit 2.0

Previously known as ABCD ransomware, LockBit 2.0 is another group that operates as an RaaS. Although in operation since 2019, Palo Alto has discovered recent evolution in the group’s methods, with the actors claiming their current variant is the fastest encryption software in operation. Since June, the group has compromised 52 global organizations.

“All the posts by the threat actors on their leak site include a countdown until confidential information is released to the public, which creates additional pressure on the victim,” researchers write.

Upon execution, LockBit 2.0 begins file encryption and appends the .lockbit extension. When encryption is complete, a ransom note titled Restore-My-Files.txt notifies victims of the compromise and offers advice on steps for decryption.
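The Hive and LockBit 2.0 descriptions above name concrete on-disk artefacts (the hive.bat and shadow.bat scripts, the [randomized characters].hive and .lockbit extensions, the HOW_TO_DECRYPT.txt and Restore-My-Files.txt notes). As an added example, not code from Unit 42 or from this article, the Python triage helper below applies those indicators to a constructed batch of endpoint file and process events and raises an alert when a family shows both mass-encryption activity and a ransom note. Three things are assumptions rather than facts from the report: that the Hive extension takes the shape "<original name>.<random>.hive", that shadow.bat removes Volume Shadow Copies with a vssadmin "delete shadows" command, and every path and command line in the sample events.

```python
"""Endpoint triage for the Hive / LockBit 2.0 indicators described in the
Unit 42 report. Added example; sample events are constructed, not real telemetry."""
import re
from collections import Counter
from dataclasses import dataclass

# Indicators quoted in the article.
RANSOM_NOTES = {
    "how_to_decrypt.txt": "Hive",          # Hive ransom note
    "restore-my-files.txt": "LockBit 2.0",  # LockBit 2.0 ransom note
}
DROPPED_SCRIPTS = {"hive.bat": "Hive", "shadow.bat": "Hive"}
ENCRYPTED_EXT = [
    # Assumption: Hive output looks like "report.xlsx.<random>.hive".
    (re.compile(r"\.[a-z0-9]+\.hive$", re.I), "Hive"),
    (re.compile(r"\.lockbit$", re.I), "LockBit 2.0"),
]
# Assumption: the article only says shadow.bat deletes shadow copies; the usual
# Windows command for that is vssadmin, so flag it regardless of family.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)


@dataclass
class Finding:
    family: str     # ransomware family the indicator belongs to
    indicator: str  # which kind of indicator matched
    event: str      # the raw path or command line


def classify(event: dict) -> list:
    """Return every indicator one event matches.
    Events are dicts: {'kind': 'file'|'process', 'value': path or command line}."""
    kind, value = event["kind"], event["value"]
    findings = []
    if kind == "file":
        name = value.replace("\\", "/").rsplit("/", 1)[-1]
        low = name.lower()
        if low in RANSOM_NOTES:
            findings.append(Finding(RANSOM_NOTES[low], "ransom note", value))
        if low in DROPPED_SCRIPTS:
            findings.append(Finding(DROPPED_SCRIPTS[low], "dropped script", value))
        for pattern, family in ENCRYPTED_EXT:
            if pattern.search(name):
                findings.append(Finding(family, "encrypted extension", value))
    elif kind == "process":
        low = value.lower()
        for script, family in DROPPED_SCRIPTS.items():
            if script in low:
                findings.append(Finding(family, "dropped script", value))
        if SHADOW_DELETE.search(value):
            findings.append(Finding("unknown", "shadow copy deletion", value))
    return findings


def triage(events: list, mass_threshold: int = 5) -> dict:
    """Aggregate findings per family and decide which families warrant an alert:
    a family is alerted on when it reaches `mass_threshold` encrypted files or
    has dropped its ransom note. Shadow-copy deletion is always alerted on,
    because it removes the local recovery option before encryption finishes."""
    findings = [f for e in events for f in classify(e)]
    encrypted = Counter(f.family for f in findings if f.indicator == "encrypted extension")
    noted = {f.family for f in findings if f.indicator == "ransom note"}
    alerts = []
    for family in sorted(set(encrypted) | noted):
        reasons = []
        if encrypted[family] >= mass_threshold:
            reasons.append(f"{encrypted[family]} files with encrypted extension")
        if family in noted:
            reasons.append("ransom note dropped")
        if reasons:
            alerts.append((family, "; ".join(reasons)))
    if any(f.indicator == "shadow copy deletion" for f in findings):
        alerts.append(("any", "shadow copies deleted: local snapshot recovery no longer possible"))
    return {"findings": findings, "encrypted_counts": dict(encrypted), "alerts": alerts}


# Constructed sample events (hypothetical host, paths and command lines).
SAMPLE_EVENTS = [
    {"kind": "file", "value": r"C:\Users\alice\Documents\notes.txt"},        # benign
    {"kind": "process", "value": r"notepad.exe C:\Users\alice\readme.txt"},  # benign
    {"kind": "file", "value": r"C:\Windows\Temp\hive.bat"},
    {"kind": "file", "value": r"C:\Windows\Temp\shadow.bat"},
    {"kind": "process", "value": r"cmd.exe /c C:\Windows\Temp\shadow.bat"},
    {"kind": "process", "value": "vssadmin.exe delete shadows /all /quiet"},
    {"kind": "file", "value": r"C:\Users\alice\Documents\HOW_TO_DECRYPT.txt"},
    {"kind": "file", "value": r"D:\share\Restore-My-Files.txt"},
    {"kind": "file", "value": r"D:\share\contract.pdf.lockbit"},
    {"kind": "file", "value": r"D:\share\budget.xlsx.lockbit"},
] + [
    {"kind": "file", "value": rf"C:\Users\alice\Documents\doc{i}.docx.kX9Qz2.hive"}
    for i in range(6)
]

if __name__ == "__main__":
    for family, reason in triage(SAMPLE_EVENTS)["alerts"]:
        print(f"ALERT [{family}]: {reason}")
```

The two-signal rule (volume of renamed files plus a dropped note) keeps a single stray file named like a ransom note from paging anyone, while the shadow-copy rule fires on its own because that action precedes the damage rather than following it. In a real pipeline the event list would come from EDR or Sysmon telemetry rather than the constructed sample.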