An Analysis of the Most Active Ransomware Variants

In Intel 471’s Ransomware Variants report, they found that 34 ransomware variants launched 722 attacks from October to December 2021.

This was an increase of 110 attacks compared to the previous quarter.

Source: Intel 471

Some of the top variants of ransomware (that is, the most active) tracked in the second half of last year can be found below, along with a synopsis of who it affects, how it works, how it evades detection and details about the infection chain.

Learn about the top variants of ransomware (that is, the most active), along with who it affects, how it works, how it evades detection and details about the infection chain.

Lockbit 2.0

Lockbit 2.0 was the most prominent ransomware variant in Q4 of 2021 and was responsible for 29% of all reported attacks, according to Intel 471. The variant is known as ransomware as a service (SaaS) – the operators rent access to the ransomware strain, but rely on other attackers to compromise corporate networks to deploy it.

Formerly known as ABCD ransomware, the RaaS group emerged in 2019. As of October 2021, Lockbit 2.0 had 203 victims on its leak site. Of those victims, over 80% of its victims are small to medium-sized businesses (SMBs), according to Trend Micro.

Lockbit 2.0 has continued to be active in 2022, prompting the FBI to issue a warning in February. The group uses a variety of techniques, tactics and procedures (TTPs) to launch an attack, which creates challenges for defense teams. It also relies on obfuscation techniques such as decoding strings and self-deleted files to evade detection. 

For initial access, Lockbit 2.0 has used tactics such as purchased access, unpatched vulnerabilities, and zero day exploits. Once in an environment, threat actors use tools such as Mimikatz to escalate privileges.  

Conti Ransomware

Conti was the most active ransomware group in 2021 in Palo Alto Networks’ Unit 42, according to its report.

This type of ransomware is human-operated and will steal information, threatening to expose it in addition to encrypting it. It is known as leveraging fileless attack methods to make it more difficult for analysts to investigate.

In a report from Sophos, they found that attackers were able to compromise a target’s network and gain access to domain admin credentials – within 16 minutes of exploiting a vulnerable firewall. The attackers then deployed Cobalt Strike beacons to servers to help deploy the ransomware attack.

Indicators of compromise can be found on the Sophos Github.

Egregor Ransomware

A relatively newer ransomware spotted in 2020, Egregor has been involved in attacks against retailers like Kmart, Ubisoft, Barnes & Noble and the Vancouver Metro System (MalwareBytes & Fortiguard Labs). It affects Windows-based operating systems, and targets well-known organizations, random individuals and small businesses.

Egregor has been distributed through Cobalt Strike, used to deliver and launch payloads. According to Malwarebytes, targeted environments are initially compromised through various means including brute-forcing RDP ports and phishing.

Ryuk Ransomware

Late in 2020, a number of U.S. agencies released an advisory of widespread Ryuk ransomware attacks targeting healthcare and public health sector organizations.

First seen in 2018, Ryuk is spread through tools like Cobalt Strike and PowerShell Empire, as well as Mimikatz to dump plaintext Windows passwords or hash values.

Attackers evade detection by leveraging native Windows tools to perform network discovery and move laterally throughout a network, a technique known as Living of the Land (LotL) – using already-existing legitimate tools to conduct malicious activity.

Learn more in Ryuk Ransomware Targets Healthcare Organizations.

Thanos Ransomware

Initially detected in January 2020, Thanos is known as a ransomware as a service, allowing attackers to create custom ransomware payloads with developer assistance, according to BleepingComputer.

It affects Windows users and uses tactics to bypass detection by Windows Defender (an antivirus program), as reported by Fortinet. It also leverages commands to stop or bypass detection by other popular antivirus software. Other attack campaigns included delivering a variant of Thanos via Microsoft Excel email attachments, disguised as fake billing and tax repayment documents.

A new Thanos variant was seen targeting a computer’s MBR (master boot record) as part of its infection chain, attempting to lock users out (Security Intelligence). An attack against organizations in the Middle East and North Africa delivered Thanos, including a ransom for $20,000 of bitcoin.

Ragnar Ransomware

First seen in December 2019, Ragnar Locker targets Fortune 500 and other companies, using a variety of techniques to get network access and move laterally throughout an environment.

Ragnar leverages native Windows administrative tools like PowerShell, Windows Group Policy Objects (GPO) for lateral movement. It targets RDP (Remote Desktop Protocol) connections, exploits managed service providers’ remote management software and domain admin access to gain a foothold in networks and elevate privileges.

It’s one of the ransomware variants seen not only encrypting files, but also exfiltrating data to blackmail victims into paying a ransom.

Learn more in Protecting Against Ragnar Locker Ransomware.

WastedLocker Ransomware

Last year, wearable tech manufacturer Garmin fell victim to the WastedLocker ransomware. WastedLocker attempts to avoid detection by behavior-based anti-ransomware tools, according to Sophos.

Similar to other types of ransomware, it leverages existing Windows features, interacting with Windows API functions from within the memory itself, according to ZDNet. It can also encrypt cached documents in memory to avoid detection by behavior-monitoring software.

In past attacks, WastedLocker campaigns often start with using stolen login credentials. If they have admin credentials not protected by multi-factor authentication, they can easily access a target’s systems through VPN and then disable any security tools.

Phobos/EKING Ransomware

First spotted in early 2019, The attackers behind Phobos often will target smaller businesses. Phobos often pushes out new variants that evolve their attack methods (Fortinet). In one sample, researchers found a Microsoft Word document with malicious Macro designed to spread the EKING variant on an affected system.

Phobos will scan files on logical drives, network sharing resources and new attached logical drives before encrypting files. In addition to encrypting files, it can terminate active operating system processes, delete local backups, disable recovery mode and your firewall to stop you from rebooting a device to stop the infection (Heimdal Security).

BazarLoader Ransomware

This is a Trojan commonly used to deploy Ryuk ransomware, targeting high-value enterprise targets (BleepingComputer). It’s chosen for its covertness, minimal functionality and obfuscation layer that better evades detection by security tools.

A compromise often starts with a targeted phishing attack, then injection of the BazarLoader backdoor component into legitimate Windows processes like cmd.exe, explorer.exe and svchost.exe. It will deploy a Cobalt Strike beacon that calls for additional exploitation tools that can map a Windows domain and extract credentials.

Ransomware Prevention & Detection

As commonly seen among the top most-active ransomware variants, they typically:

• Leverage stolen, weak or brute-forced credentials for initial access, sometimes via phishing attempts
• Target RDP connections and VPN credentials to log in and turn off security tools
• Evade detection by common security solutions (including Windows Defender and other antivirus software) by using legitimate Windows features to move laterally and deploy additional malicious payloads
• Use certain tools like Cobalt Strike, PowerShell Empire, Mimikatz to assist with ransomware attacks
• Exfiltrate or steal data for blackmail, threatening to release it publicly unless the targeted organization pays the ransom

Blumira can help your organization prevent, detect and respond to attacks before they result in ransomware infection. Our platform detects attackers throughout each stage of a ransomware attack, including scanning, credential access, privilege escalation, data exfiltration and malicious file execution.

Learn more in Ransomware Prevention & Detection and try Blumira’s cloud SIEM for free – deploy in hours to start detecting unknown threats in your environment today.