Tracing the ransomware family tree
Ransomware is behind many of the latest cyber attacks and it can be hard for defenders to track the ever-growing number of variants and the botnets behind them.
Threat intelligence company DomainTools has been taking a look at the booming underground economy surrounding ransomware with a focus on the most prolific ransomware families.
The top three ransomware families by number of victims are Conti, Maze (Egregor), and Sodinokibi (REvil). All of these groups make alliances, share tools, and sell access to one another, and nothing remains static. There are also sophisticated affiliate programs, where ransomware authors design a piece of code and then sell it off to others for a percentage of the ransom gained.
Access for the ransomware is usually gained via an initial backdoor or botnet, frequently called an initial access broker. These backdoors, remote access trojans (RATs), are first dropped by a downloader, another piece of simple, obfuscated software that is usually distributed by spam emails carrying malicious documents.
So what of the big three? Conti, first observed in December 2019, uses a multi-threaded approach that makes its encryption run much faster than other malware families. This can mean that by the time defenders notice the Conti infection on one machine, it's too late. Conti is believed to be operated by the same group that is behind the Ryuk ransomware, which also operates a Ransomware-as-a-Service (RaaS) offering and has a leak site that it leverages against victims for double extortion.
The Maze ransomware group remains one of the most prolific ransomware affiliate programs. Formed in 2019, the group announced its retirement in November 2020, though most of its affiliates have since moved on to using the Egregor ransomware.
The REvil ransomware family first appeared in April 2019 and, because of code similarities, is thought to be the spiritual successor to GandCrab, an earlier ransomware variant that targeted consumers. It has a number of unique features, including attempting to escalate privileges by constantly spamming the user with an administrator login prompt, or rebooting into Windows Safe Mode to encrypt files while security tools are not running.
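The Safe Mode reboot described above leaves traces in process-creation logs, because the boot configuration has to be changed (on Windows this is done with bcdedit's safeboot option) and the machine has to be restarted. The following is an added detection example, not code from the article or from DomainTools; it runs over a handful of constructed process-creation records (host, parent image, command line, the fields a source such as Sysmon Event ID 1 or Windows event 4688 provides) and flags hosts where a Safe Mode boot was configured, raising the severity when the same host also registered a RunOnce autostart and issued a reboot. The hostnames, paths and command lines are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample process-creation records: (host, parent_image, command_line).
# These are invented for the example and are not real telemetry.
SAMPLE_EVENTS = [
    ("ws-01", r"C:\Windows\explorer.exe",
     r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n report.docx'),
    ("ws-01", r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     r"bcdedit /set {current} safeboot network"),
    ("ws-02", r"C:\Windows\System32\cmd.exe",
     r"bcdedit /enum"),                                   # benign: only reads the config
    ("ws-03", r"C:\Users\bob\AppData\Local\Temp\x.exe",
     r'reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" '
     r'/v svc /t REG_SZ /d C:\Users\bob\AppData\Local\Temp\x.exe /f'),
    ("ws-03", r"C:\Users\bob\AppData\Local\Temp\x.exe",
     r"bcdedit /set {default} safeboot minimal"),
    ("ws-03", r"C:\Users\bob\AppData\Local\Temp\x.exe",
     r"shutdown /r /t 0"),
]

# bcdedit being used to *set* a safeboot value (not merely enumerate the store).
SAFEBOOT_RE = re.compile(r"\bbcdedit(\.exe)?\b.*/set\b.*\bsafeboot\b", re.IGNORECASE)
# An autostart written to the RunOnce key, so the payload survives the reboot.
RUNONCE_RE = re.compile(r"\\CurrentVersion\\RunOnce\b", re.IGNORECASE)
# An immediate restart request.
REBOOT_RE = re.compile(r"\bshutdown(\.exe)?\b.*\s[/-]r\b", re.IGNORECASE)


def classify(cmdline):
    """Return the list of indicator tags a single command line matches."""
    tags = []
    if SAFEBOOT_RE.search(cmdline):
        tags.append("safeboot_set")
    if RUNONCE_RE.search(cmdline):
        tags.append("runonce_persistence")
    if REBOOT_RE.search(cmdline):
        tags.append("reboot")
    return tags


def analyze(events):
    """Group indicators per host and report hosts where Safe Mode boot was configured.

    Severity is 'high' when the host also shows RunOnce persistence and a reboot,
    the full pattern of a Safe Mode encryption run; otherwise 'medium'.
    """
    per_host = defaultdict(set)
    for host, _parent, cmdline in events:
        per_host[host].update(classify(cmdline))

    findings = {}
    for host, tags in per_host.items():
        if "safeboot_set" not in tags:
            continue  # a safeboot change is the anchor indicator; without it, stay quiet
        severity = "high" if {"runonce_persistence", "reboot"} <= tags else "medium"
        findings[host] = {"tags": sorted(tags), "severity": severity}
    return findings


if __name__ == "__main__":
    for host, finding in analyze(SAMPLE_EVENTS).items():
        print(f"{host}: {finding['severity']} ({', '.join(finding['tags'])})")
```

Run as a script it reports ws-01 as medium (safeboot set, nothing else yet) and ws-03 as high, while ws-02, which only enumerated the boot store, produces nothing. In production the same logic would key on parent image as well, since a legitimate administrator changing safeboot from an interactive shell looks different from a temp-directory binary doing it.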
"While the previous three families may be the most prominent in terms of victim market share, there remains an ever-growing number of ransomware gangs and families to keep track of in the rapid news cycle," writes Chad Anderson, senior security researcher at DomainTools, on the company's blog. "These three families also offer a glimpse into what most of the ransomware market looks like as far as infection vectors and chains are concerned."
You can find out more, including a detailed map of variants, on the DomainTools blog.