• United States



UK Editor

4 most dangerous emerging ransomware threat groups to watch

News Analysis
Aug 24, 20214 mins

New research identifies four emerging ransomware groups currently affecting organizations and that show signs of becoming bigger threats in the future.

Ransomware  >  A masked criminal ransoms data for payment.
Credit: Mikkel William / Getty Images

New research from Palo Alto Networks’ Unit 42 has identified four emerging ransomware groups that have the potential to become bigger problems in the future. These are AvosLocker, Hive Ransomware, HelloKitty, and LockBit 2.0.

Emerging ransomware threat groups

“With major ransomware groups such as REvil and Darkside lying low or rebranding to evade law enforcement heat and media attention, new groups will emerge to replace the ones that are no longer actively targeting victims,” stated the security firm’s latest report Ransomware Groups to Watch: Emerging Threats. Within the research, Doel Santos, threat intelligence analyst, and Ruchna Nigam, principal threat researcher, detailed behaviors of the four ransomware groups.


First observed in July 2021, AvosLocker operates within the ransomware-as-a-service (RaaS) model and is controlled by avos, which advertises its services on dark web discussion forum Dread. Its ransom note includes information and an ID used to identify victims, instructing those infected to visit the AvosLocker Tor site for recovery and data restoration. According to the research, ransom requests have been between $50,000 and $75,000 in Monero, with infections identified at seven organizations around the globe.

Hive Ransomware

Beginning operations in June 2021, Hive Ransomware has been detected targeting healthcare organizations and other businesses ill-equipped to defend against cyberattacks, according to the report. The group published its first victim on its leak site Hive Leaks, before going on to post details of another 28 victims. “When this ransomware is executed, it drops two batch scripts,” wrote the researchers. “The first script, hive.bat, tries to delete itself, and the second script is in charge of deleting the shadow copies of the system (shadow.bat). Hive ransomware adds the [randomized characters].hive extension to the encrypted files and drops a ransom note titled HOW_TO_DECRYPT.txt containing instructions and guidelines to prevent data loss.”

Victims are directed via the ransom note to a chat function with the attackers to discuss decryption. The researchers are unable to specify the exact delivery method of the ransomware but suggest traditional means such as credential brute-forcing or spear-phishing could be at play.

HelloKitty: Linux Edition

The HelloKitty family surfaced in 2020, primarily targeting Windows systems. Its name comes from its use of HelloKittyMutex. In 2021, Palo Alto detected a Linux (ELF) sample with the name funny_linux.elf containing a ransom note with verbiage that directly matched ransom notes seen in later samples of HelloKitty for Windows. Further samples were discovered, and in March they began targeting ESXi, a target of choice for recent Linux ransomware variants.

“Oddly enough, the preferred mode of communication shared by attackers in the ransom notes across the different samples is a mix between Tor URLs and victim-specific Protonmail email addresses,” the researchers wrote. “This could indicate different campaigns or even entirely different threat actors making use of the same malware codebase.” Ransom demands as high as $10 million in Monero have been detected, though attackers are also willing to accept Bitcoin payments. The ransomware encrypts files using the Elliptic Curve Digital Signature Algorithm (ECDSA).

LockBit 2.0

Previously known as ABCD ransomware, LockBit 2.0 is another group that operates as an RaaS. Although in operation since 2019, Palo Alto has discovered recent evolution in the group’s methods, with the actors claiming their current variant is the fastest encryption software in operation. Since June, the group has compromised 52 global organizations. “All the posts by the threat actors on their leak site include a countdown until confidential information is released to the public, which creates additional pressure on the victim,” researchers write. Upon execution, LockBit 2.0 begins file encryption and appends the .lockbit extension. When encryption is complete, a ransom note titled Restore-My-Files.txt notifies victims of the compromise and offers advice on steps for decryption.

UK Editor

Michael Hill is the UK editor of CSO Online. He has spent the past five-plus years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.

More from this author