New research identifies four emerging ransomware groups that are currently affecting organizations and show signs of becoming bigger threats in the future.

New research from Palo Alto Networks’ Unit 42 has identified four emerging ransomware groups that have the potential to become bigger problems in the future: AvosLocker, Hive Ransomware, HelloKitty, and LockBit 2.0.

Emerging ransomware threat groups

“With major ransomware groups such as REvil and Darkside lying low or rebranding to evade law enforcement heat and media attention, new groups will emerge to replace the ones that are no longer actively targeting victims,” stated the security firm’s latest report, Ransomware Groups to Watch: Emerging Threats. Within the research, Doel Santos, threat intelligence analyst, and Ruchna Nigam, principal threat researcher, detail the behaviors of the four ransomware groups.

AvosLocker

First observed in July 2021, AvosLocker operates within the ransomware-as-a-service (RaaS) model and is run by an actor using the handle avos, who advertises the service on the dark web discussion forum Dread. Its ransom note includes information and an ID used to identify the victim, and instructs those infected to visit the AvosLocker Tor site for recovery and data restoration. According to the research, ransom demands have ranged between $50,000 and $75,000 in Monero, with infections identified at seven organizations around the globe.

Hive Ransomware

Beginning operations in June 2021, Hive Ransomware has been detected targeting healthcare organizations and other businesses ill-equipped to defend against cyberattacks, according to the report. The group published its first victim on its leak site, Hive Leaks, before going on to post details of another 28 victims. “When this ransomware is executed, it drops two batch scripts,” wrote the researchers.
“The first script, hive.bat, tries to delete itself, and the second script is in charge of deleting the shadow copies of the system (shadow.bat). Hive ransomware adds the [randomized characters].hive extension to the encrypted files and drops a ransom note titled HOW_TO_DECRYPT.txt containing instructions and guidelines to prevent data loss.”

Victims are directed via the ransom note to a chat function with the attackers to discuss decryption. The researchers are unable to specify the exact delivery method of the ransomware, but suggest that traditional means such as credential brute-forcing or spear-phishing could be at play.

HelloKitty: Linux Edition

The HelloKitty family surfaced in 2020, primarily targeting Windows systems. Its name comes from its use of a mutex named HelloKittyMutex. In 2021, Palo Alto detected a Linux (ELF) sample named funny_linux.elf containing a ransom note whose verbiage directly matched ransom notes seen in later samples of HelloKitty for Windows. Further samples were discovered, and in March they began targeting VMware ESXi, a target of choice for recent Linux ransomware variants.

“Oddly enough, the preferred mode of communication shared by attackers in the ransom notes across the different samples is a mix between Tor URLs and victim-specific Protonmail email addresses,” the researchers wrote. “This could indicate different campaigns or even entirely different threat actors making use of the same malware codebase.”

Ransom demands as high as $10 million in Monero have been observed, though the attackers are also willing to accept Bitcoin payments. The report states that the ransomware encrypts files using the Elliptic Curve Digital Signature Algorithm (ECDSA); strictly speaking, ECDSA is a signature scheme rather than a cipher, so this presumably refers to the elliptic-curve key handling that wraps the file encryption rather than to the bulk encryption itself.

LockBit 2.0

Previously known as ABCD ransomware, LockBit 2.0 is another group that operates as a RaaS. Although the group has been in operation since 2019, Palo Alto has observed a recent evolution in its methods, with the actors claiming their current variant is the fastest encryption software in operation.
Since June, the group has compromised 52 organizations worldwide. “All the posts by the threat actors on their leak site include a countdown until confidential information is released to the public, which creates additional pressure on the victim,” the researchers write. Upon execution, LockBit 2.0 begins file encryption and appends the .lockbit extension. When encryption is complete, a ransom note titled Restore-My-Files.txt notifies victims of the compromise and offers advice on steps for decryption.
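The Hive and LockBit 2.0 sections above give concrete host artifacts a responder can look for: two ransom-note filenames (HOW_TO_DECRYPT.txt, Restore-My-Files.txt), two encrypted-file extensions ([randomized characters].hive, .lockbit), and the deletion of Volume Shadow Copies by Hive's shadow.bat. The Python triage script below is an added example, not code from Unit 42 or from the article, showing how to match those indicators across process-creation events and file listings and roll them up per host. The article does not quote the command shadow.bat runs, so the shadow-copy deletion patterns are the commonly abused Windows commands and are an assumption here; the pipe-delimited event format and all sample paths and events are constructed for the example, not taken from any real incident.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Command lines that destroy Volume Shadow Copies (MITRE ATT&CK T1490). The article says Hive's
# shadow.bat deletes shadow copies but does not quote the command, so these are the commonly
# abused Windows commands, assumed here rather than taken from the report.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"win32_shadowcopy.*?\.delete\(\)", re.I),
]

# Ransom-note names and encrypted-file extensions as quoted in the article.
RANSOM_NOTES = {"how_to_decrypt.txt": "Hive", "restore-my-files.txt": "LockBit 2.0"}
ENCRYPTED_EXTENSIONS: List[Tuple[re.Pattern, str]] = [
    # Hive appends "[randomized characters].hive", so require a token before the final
    # .hive; this avoids flagging unrelated files that merely end in .hive.
    (re.compile(r"\.[A-Za-z0-9_-]+\.hive$"), "Hive"),
    (re.compile(r"\.lockbit$", re.I), "LockBit 2.0"),
]


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path."""
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]


def classify_file(path: str) -> Optional[Tuple[str, str]]:
    """Return (family, kind) for a ransom note or encrypted file, else None."""
    name = basename(path)
    family = RANSOM_NOTES.get(name.lower())
    if family:
        return family, "ransom_note"
    for pattern, fam in ENCRYPTED_EXTENSIONS:
        if pattern.search(name):
            return fam, "encrypted_file"
    return None


def parse_process_event(line: str) -> Dict[str, str]:
    """Parse one record of the constructed format: ts|host|parent|image|cmdline."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmdline": cmdline}


def find_shadow_deletion(events: List[str]) -> List[Dict[str, str]]:
    """Return the process events whose command line wipes shadow copies."""
    hits = []
    for line in events:
        ev = parse_process_event(line)
        if any(p.search(ev["cmdline"]) for p in SHADOW_DELETE_PATTERNS):
            hits.append(ev)
    return hits


def triage(events: List[str], paths_by_host: Dict[str, List[str]]) -> Dict[str, Dict[str, object]]:
    """Per-host summary combining both evidence types.

    A host with a ransom note or encrypted files plus a shadow-copy deletion is the strongest
    signal; a shadow-copy deletion on its own still deserves a look, since legitimate backup
    jobs rarely issue it.
    """
    report: Dict[str, Dict[str, object]] = defaultdict(
        lambda: {"families": set(), "notes": [], "encrypted": 0, "shadow_deletion": []})
    for ev in find_shadow_deletion(events):
        report[ev["host"]]["shadow_deletion"].append(ev["cmdline"])
    for host, paths in paths_by_host.items():
        for p in paths:
            hit = classify_file(p)
            if hit is None:
                continue
            fam, kind = hit
            report[host]["families"].add(fam)
            if kind == "ransom_note":
                report[host]["notes"].append(p)
            else:
                report[host]["encrypted"] += 1
    return {h: dict(v, families=sorted(v["families"])) for h, v in report.items()}


# Constructed sample data for the example, not from any real incident.
SAMPLE_EVENTS = [
    "2021-08-24T03:11:05Z|FS01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "2021-08-24T03:11:06Z|FS01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
    "2021-08-24T03:15:40Z|WS17|C:\\Windows\\explorer.exe|C:\\Program Files\\7-Zip\\7z.exe|7z.exe a backup.7z C:\\Users\\alice\\Documents",
    "2021-08-24T03:20:12Z|WS17|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows",
]
SAMPLE_PATHS = {
    "FS01": [
        "D:\\Shares\\Finance\\Q3_budget.xlsx.kN9pQz.hive",
        "D:\\Shares\\Finance\\HOW_TO_DECRYPT.txt",
        "D:\\Shares\\Finance\\archive.hive",  # plain .hive with no random token: not flagged
    ],
    "WS17": [
        "C:\\Users\\alice\\Desktop\\Restore-My-Files.txt",
        "C:\\Users\\alice\\Desktop\\report.docx.lockbit",
    ],
}

if __name__ == "__main__":
    for host, summary in triage(SAMPLE_EVENTS, SAMPLE_PATHS).items():
        print(host, summary)
```

In the sample data, FS01 shows the full Hive picture (shadow copies wiped, a ransom note, a renamed file), while WS17 shows LockBit 2.0 artifacts with no shadow-copy deletion: "vssadmin list shadows" is read-only and is deliberately not matched, so the script does not escalate it.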