The same week in late February that Russian troops rolled into Ukraine, one of the world’s most potent Kremlin-aligned hacking gangs threatened to attack the U.S. and NATO allies. The so-called Conti group, notorious for its use of ransomware to extort millions from hospitals and emergency services, now threatened to target America’s critical infrastructure — vital systems like the power grid and water supply.
For three tense days, cyber-defense professionals anxiously anticipated the group’s next move. Then, with little warning, the gang blew up.
Conti’s network was allegedly infiltrated by a Ukrainian security researcher who leaked the group’s secrets on Twitter, including its chat records, ransomware code and financial details. The leak revealed that Conti was disorganized and prone to internal squabbles. They were also one of the most profitable hacking crews in the world.
«Ransomware-as-a-service,» known as RaaS, has exploded in popularity in recent years, with criminal gangs raking in cash extorted from health care providers, retailers, manufacturers, colleges, local governments and many other organizations. Such schemes shot up up 85% last year from 2020, and individual demands increased 144% to $2.2 million. The average payment was up 78%, to roughly $541,000, according to a new report by Unit 42, a threat research team at Palo Alto Networks.
«The vast majority of ransomware actors are financially motivated. RaaS makes carrying out attacks significantly easier by lowering the barrier to entry and expanding the reach of ransomware,» Unit 42’s Ryan Olson told CBS News. «As organizations continue to pay ransoms, the more these actors invest in their ransomware organizations and are fueled to continue their efforts.»
Many hacking groups operate like a business that is run «for criminals, by criminals, with agreements that set terms, often in exchange for monthly fees or a percentage of ransoms paid,» Olson said, adding that the groups often are compartmentalized with departments focused on tasks like administration, coding, marketing and security testing.
These three organizations accounted for more than a third of ransomware activity last year:
Conti’s growth was astronomical and unprecedented, Olson said. In the two years prior to the leaks that led to the group’s implosion, their activities surged. Conti was responsible for more security incidents than any other ransomware gang. The group stole and publicly released private information from over 600 companies and government organizations. Their average ransom demand rose from just $178,000 in early 2020 to nearly $1.8 million last year.
«They’re ruthless,» Olson said, noting the group’s willingness to go after more vulnerable targets like hospitals, health care providers, municipal governments and law enforcement agencies. «They operate without a code of honor.»
On a dark web forum in February, Conti announced its «full support» of the Russian government and threatened to use its «full capacity to deliver retaliatory measures» if NATO allies targeted Russian infrastructure with cyberattacks.
REvil is best known for demanding $70 million in 2021 from software infrastructure provider Kaseya — the biggest ransomware attack on record. The group pioneered ransomware-as-a-service, a business model that allows cybercriminals to sell their hacking expertise and launch attacks using their own particular ransomware software.
REvil’s software would infect and lock networked office workstations, often shutting down the targeted business until a ransom demand was paid. REvil’s demands varied, depending on the size of the company and type of data stolen. If a company failed to pay, REvil would double their ransom demands and publish the stolen data. Unit 42 analysts found that REvil’s average demand in 2021 jumped to $2.2 million, more than four times the $500,000 it had asked for previously. Their highest ransom demand last year was $5.4 million.
The group was allegedly dismantled recently by Russia’s internal security agency at the request of several international law enforcement agencies, including U.S. authorities.
The HelloKitty group might be less famous than rival ransomware gangs, but they are pioneers. In early 2020 a Linux-variant of its ransomware targeted VMWare’s software used in data centers. HelloKitty is best known for allegedly having stolen and released source code from Polish video game developer CD Projekt Red.
The gang, also known as FiveHands, favored corporate targets and used a multipronged attack, often threatening to release stolen data on the dark web and hammering victims with denial of service attacks if ransom demands weren’t met. Law enforcement agencies believe that prior to the Russian invasion, the group operated from eastern Ukraine.
While not as financially successful as other major ransomware gangs, HelloKitty’s tactics and tech were innovative, inspiring more famous ransomware operators.
«Cybercrime is a cat-and-mouse game,» Olson said «There are always ways to stop attackers from being successful. However attackers will continue to evolve and innovate their tactics. It’s critical to be prepared and educated on the latest threats so you know how to protect your organization.»