New research from Palo Alto Networks' Unit 42 has identified four emerging ransomware groups that have the potential to become bigger problems in the future. These are AvosLocker, Hive Ransomware, HelloKitty, and LockBit 2.0.

Emerging ransomware threat groups

"With major ransomware groups such as REvil and Darkside lying low or rebranding to evade law enforcement heat and media attention, new groups will emerge to replace the ones that are no longer actively targeting victims," stated the security firm's latest report, Ransomware Groups to Watch: Emerging Threats. Within the research, Doel Santos, threat intelligence analyst, and Ruchna Nigam, principal threat researcher, detailed the behaviors of the four ransomware groups.

AvosLocker

First observed in July 2021, AvosLocker operates within the ransomware-as-a-service (RaaS) model and is controlled by avos, which advertises its services on the dark web discussion forum Dread. Its ransom note includes information and an ID used to identify victims, instructing those infected to visit the AvosLocker Tor site for recovery and data restoration. According to the research, ransom requests have been between $50,000 and $75,000 in Monero, with infections identified at seven organizations around the globe.

Hive Ransomware

Beginning operations in June 2021, Hive Ransomware has been detected targeting healthcare organizations and other businesses ill-equipped to defend against cyberattacks, according to the report. The group published its first victim on its leak site, Hive Leaks, before going on to post details of another 28 victims. "When this ransomware is executed, it drops two batch scripts," wrote the researchers. "The first script, hive.bat, tries to delete itself, and the second script is in charge of deleting the shadow copies of the system (shadow.bat). Hive ransomware adds the [randomized characters].hive extension to the encrypted files and drops a ransom note titled HOW_TO_DECRYPT.txt containing instructions and guidelines to prevent data loss."

Victims are directed via the ransom note to a chat function with the attackers to discuss decryption. The researchers are unable to specify the exact delivery method of the ransomware but suggest traditional means such as credential brute-forcing or spear-phishing could be at play.

HelloKitty: Linux Edition

The HelloKitty family surfaced in 2020, primarily targeting Windows systems. Its name comes from its use of HelloKittyMutex. In 2021, Palo Alto detected a Linux (ELF) sample with the name funny_linux.elf containing a ransom note with verbiage that directly matched ransom notes seen in later samples of HelloKitty for Windows. Further samples were discovered, and in March they began targeting ESXi, a target of choice for recent Linux ransomware variants.

"Oddly enough, the preferred mode of communication shared by attackers in the ransom notes across the different samples is a mix between Tor URLs and victim-specific Protonmail email addresses," the researchers wrote. "This could indicate different campaigns or even entirely different threat actors making use of the same malware codebase." Ransom demands as high as $10 million in Monero have been detected, though attackers are also willing to accept Bitcoin payments. The ransomware encrypts files using the Elliptic Curve Digital Signature Algorithm (ECDSA).

LockBit 2.0

Previously known as ABCD ransomware, LockBit 2.0 is another group that operates as a RaaS. Although in operation since 2019, Palo Alto has discovered recent evolution in the group's methods, with the actors claiming their current variant is the fastest encryption software in operation. Since June, the group has compromised 52 global organizations.

"All the posts by the threat actors on their leak site include a countdown until confidential information is released to the public, which creates additional pressure on the victim," the researchers wrote. Upon execution, LockBit 2.0 begins file encryption and appends the .lockbit extension. When encryption is complete, a ransom note titled Restore-My-Files.txt notifies victims of the compromise and offers advice on steps for decryption.
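The Hive and LockBit 2.0 descriptions above name concrete on-disk artifacts: the dropped scripts hive.bat and shadow.bat, the [randomized characters].hive and .lockbit extensions on encrypted files, the HOW_TO_DECRYPT.txt and Restore-My-Files.txt ransom notes, and the funny_linux.elf HelloKitty sample. The following triage script is an added example, not code from Unit 42 or Palo Alto Networks: it checks a list of file paths against those indicators and flags a family as mass-encrypting once several encrypted-looking files are seen. The sample paths, the regular expressions for the extension forms, and the MASS_ENCRYPTION_THRESHOLD value are constructed assumptions for illustration, not values from the report.

```python
"""Triage file-system paths against the ransomware artifacts named in the
Unit 42 report discussed above. Added example; not Unit 42's or Palo Alto's
code. Indicator names come from the article; thresholds and sample paths are
constructed for illustration."""
import re

# Ransom note file names quoted in the article, keyed lowercase because
# Windows file names are case-insensitive.
RANSOM_NOTES = {
    "how_to_decrypt.txt": "Hive",
    "restore-my-files.txt": "LockBit 2.0",
}

# Dropped scripts / samples quoted in the article.
DROPPED_FILES = {
    "hive.bat": "Hive",
    "shadow.bat": "Hive",
    "funny_linux.elf": "HelloKitty (Linux)",
}

# Encrypted-file extensions. LockBit 2.0 appends ".lockbit"; Hive appends
# "[randomized characters].hive". The exact form of the random segment is an
# assumption here: any final ".hive" is treated as a Hive hit.
ENCRYPTED_EXT = [
    (re.compile(r"\.lockbit$", re.IGNORECASE), "LockBit 2.0"),
    (re.compile(r"\.hive$", re.IGNORECASE), "Hive"),
]

# Hypothetical threshold (not from the report): this many encrypted-looking
# files attributed to one family is reported as mass encryption.
MASS_ENCRYPTION_THRESHOLD = 3

# Constructed sample paths, mixing Windows and POSIX separators.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.kQ7x2.hive",
    r"C:\Users\alice\Documents\plan.docx.Zp19a.hive",
    r"C:\Users\alice\Pictures\holiday.jpg.Mn4Tq.hive",
    r"C:\Users\alice\Desktop\HOW_TO_DECRYPT.txt",
    r"C:\Users\alice\AppData\Local\Temp\shadow.bat",
    r"D:\shares\finance\q2.pdf.lockbit",
    r"D:\shares\finance\Restore-My-Files.txt",
    r"C:\Users\alice\Documents\notes.txt",
    "/home/bob/backup.tar.gz",
]


def basename(path):
    """Last path component, accepting either '\\' or '/' as separator."""
    return re.split(r"[\\/]", path)[-1]


def classify_path(path):
    """Return (category, family) for one path, or None if nothing matches."""
    name = basename(path).lower()
    if name in RANSOM_NOTES:
        return ("ransom_note", RANSOM_NOTES[name])
    if name in DROPPED_FILES:
        return ("dropped_file", DROPPED_FILES[name])
    for pattern, family in ENCRYPTED_EXT:
        if pattern.search(name):
            return ("encrypted_file", family)
    return None


def triage(paths):
    """Group matching paths by family and flag likely mass encryption."""
    findings = {}
    for path in paths:
        hit = classify_path(path)
        if hit is None:
            continue
        category, family = hit
        entry = findings.setdefault(
            family, {"ransom_note": [], "dropped_file": [], "encrypted_file": []}
        )
        entry[category].append(path)
    for entry in findings.values():
        entry["mass_encryption"] = (
            len(entry["encrypted_file"]) >= MASS_ENCRYPTION_THRESHOLD
        )
    return findings


if __name__ == "__main__":
    for family, entry in triage(SAMPLE_PATHS).items():
        print(f"{family}: notes={len(entry['ransom_note'])} "
              f"dropped={len(entry['dropped_file'])} "
              f"encrypted={len(entry['encrypted_file'])} "
              f"mass_encryption={entry['mass_encryption']}")
```

In practice the path list would come from a file-system walk or an EDR file-event feed rather than the constructed list above. The dropped-file and ransom-note names are the higher-confidence signals; extension matching on its own is noisier, which is why the script only escalates to a mass-encryption flag once several files share a family's extension.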