
Three of The Bad Guys (RaaS)
#1) LockBit – The Most Prolific and Harmful
Overview
- Initial Appearance: LockBit first emerged in September 2019, initially known as “ABCD” ransomware due to the “.abcd” extension it added to encrypted files.
- RaaS Model: LockBit operates on a ransomware-as-a-service model, recruiting affiliates who are given the ransomware builder and the infrastructure needed to carry out attacks. Affiliates pay the LockBit operators a commission out of their ransom earnings. The group is infamous for double extortion, for working with initial access brokers, for trying to recruit insiders at target organizations, and for openly advertising to recruit new affiliates.

Tactics and Techniques
- Targeting: LockBit targets organizations across various sectors, including healthcare, education, finance, and government.
- Distribution: The ransomware is typically delivered through phishing emails, exploit kits, and exposed or compromised Remote Desktop Protocol (RDP) services. Affiliates often use additional malware or hands-on-keyboard intrusion techniques to gain initial access.
- Encryption: Once inside a network, LockBit quickly encrypts files using strong encryption algorithms. The ransomware can spread laterally within the network, encrypting data on as many systems as possible.
- Extortion: LockBit employs a double extortion tactic, where not only are the victim’s files encrypted, but sensitive data is also exfiltrated and threatened to be published unless a ransom is paid.
Features
- Self-Spreading Capabilities: LockBit has been known to have self-spreading mechanisms, allowing it to propagate across a network autonomously.
- Customization: The ransomware can be customized by affiliates, allowing them to modify ransom notes, encryption methods, and other parameters.
- Speed: LockBit is designed to encrypt files quickly, reducing the time available for the victim to react and mitigate the attack.
Notable Incidents
- High-Profile Attacks: LockBit has been implicated in several high-profile attacks, including those on Boeing (US) and Royal Mail (UK), causing significant disruption and financial losses. Its victims include large enterprises, healthcare institutions, and government agencies.
- Other Targets: Despite its high-profile hacks, most of LockBit’s victims are smaller organizations, with an average ransom of around $100,000.
- Publicity: The group maintains a leak site on the dark web, where it publishes data from victims who refuse to pay the ransom, adding pressure on organizations to comply with its demands.
Evolution
- Continued Development: LockBit continues to evolve, with new versions of the ransomware appearing periodically. These updates often include enhanced encryption techniques, new distribution methods, and improved obfuscation to evade detection.
Latest News
- LockBit was significantly disrupted in February 2024. A coordinated law enforcement operation (Operation Cronos), led by the UK’s National Crime Agency in collaboration with the FBI and others, seized LockBit’s infrastructure, including its internal servers and public-facing websites (Justice.gov). This was a very big win for the good guys. While the takedown was a major blow to the operation, there are reports that the group is attempting to re-establish its leak site on the dark web, and it may continue to pose a threat in the future. Brett Callow, threat analyst at Emsisoft, noted: “The fact is that LockBit, as a brand, is probably dead. It’s unlikely that anybody would trust an operation that was so completely compromised. That said, this does highlight the challenges law enforcement faces. Some groups have cockroach-like resilience and permanently taking them out of action is far from easy.”
#2) Clop Group (Lace Tempest) – The Big Game Hunters
The Clop ransomware, also written “Cl0p”, is operated by TA505, a long-running threat group that has outlasted and leveraged other cybercriminal organizations. TA505 is considered one of the largest phishing and malicious spam distributors worldwide.
Overview
- Ransomware Operation: Clop is primarily known for its ransomware attacks, where they encrypt victims’ data and demand a ransom for the decryption key.
- Double Extortion: Clop often engages in “double extortion” tactics. This means they not only encrypt the data but also steal sensitive information and threaten to release it publicly if the ransom is not paid.
- High-Profile Targets: The group targets a wide range of organizations, including large enterprises, healthcare institutions, and educational institutions, seeking large ransoms.
History and Activities
- Emergence: Clop ransomware was first identified in 2019 and has been linked to a series of high-profile attacks since then.
- Tactics: The group typically gains network access through phishing emails, exploiting vulnerabilities, or using compromised credentials. Once inside, they deploy their ransomware to encrypt files and exfiltrate data.
- Notable Attacks: Notable campaigns attributed to Clop include the 2020–2021 exploitation of Accellion’s legacy FTA file transfer appliance, which impacted multiple organizations. In 2023, Clop exploited a previously unknown SQL injection flaw in Progress Software’s MOVEit Transfer (CVE-2023-34362) to break into internet-facing MOVEit servers and mass-exfiltrate the files they held. Notably, Clop did not deploy its encryptor in this campaign at all: the extortion rested entirely on the threat to leak the stolen data. Victims included the Government of Nova Scotia and British Airways (the latter through its payroll provider), both of which relied on MOVEit Transfer for secure file transfers.
Operations
- Affiliations: Clop is believed to be associated with the broader cybercriminal ecosystem, possibly linked to other groups or individuals specializing in different aspects of cybercrime, such as initial access brokers and money launderers.
- Leak Sites: Clop operates leak sites where they publish data stolen from victims who refuse to pay the ransom. This adds pressure on the victims to comply with their demands.
- Technical Sophistication: The group uses sophisticated techniques to evade detection, including anti-analysis and anti-debugging measures in their malware. They also often disable security tools and backups to maximize the impact of their attacks.
- Quadruple Extortion: CL0P’s operators are renowned for going to extreme lengths to get their message across. After publicly displaying proof of the organization’s breach, publishing data on their leak site and their messages being ignored, they will go straight to stakeholders and executives to ensure their demands are met. (P. McAteer, Cyber Threat Intelligence Analyst at SecurityHQ)
Impact
- Financial and Operational Damage: Victims of Clop ransomware attacks often face significant financial losses, operational disruptions, and reputational damage.
- Response and Mitigation: Organizations targeted by Clop need to engage in extensive incident response activities, which can include negotiating with the attackers, improving security measures, and recovering from data loss.
- Bounty: The US State Department offered a reward of up to $10 million for information linking the Clop ransomware group to a foreign government. The reward is part of the Rewards for Justice (RFJ) program.
Law Enforcement Actions
- Crackdowns: Law enforcement agencies worldwide are actively working to track and disrupt Clop’s operations. There have been some arrests and takedowns related to individuals associated with the group, but the decentralized nature of these cybercriminal organizations makes complete eradication challenging.
#3) ALPHV (BlackCat) – Sophisticated New Player
Overview
ALPHV, also known as BlackCat, is a sophisticated and highly customizable ransomware strain that emerged in late 2021. It stands out for its advanced capabilities and the way its operation is run.
Technical Characteristics
- Programming Language: ALPHV/BlackCat is written in Rust, a language known for its performance and memory safety. At the time of its emergence few security products had signatures or analysis tooling for Rust binaries, so the choice helped it evade detection, complicated reverse engineering, and made it easy to build variants for Windows, Linux, and VMware ESXi hosts.
- Customization: The ransomware is highly customizable, allowing operators to tailor the malware to specific targets. This includes options for encryption methods, ransom notes, and even extensions for encrypted files.
- Efficiency: It features efficient encryption algorithms, which enable it to encrypt large volumes of data quickly. This is particularly dangerous for organizations with substantial amounts of critical data.
Operational Tactics
- Ransomware-as-a-Service (RaaS): ALPHV/BlackCat operates on a RaaS model, where the developers lease the ransomware to affiliates who then carry out the attacks. This model expands its reach and makes it more challenging to track down the primary operators.
- Double Extortion: This ransomware employs a double extortion tactic. In addition to encrypting files, it exfiltrates sensitive data. Victims are then threatened with the public release of this data if the ransom is not paid, adding pressure to comply with the demands.
- Victim Selection: The operators behind ALPHV/BlackCat often target high-value organizations, including those in critical sectors such as healthcare, finance, and energy. The attacks are typically well-planned and executed with precision.
Impact and Incidents
- Wide Reach: Since its emergence, ALPHV/BlackCat has been responsible for numerous high-profile attacks worldwide, impacting many industries and causing significant operational disruption. In November 2023, for example, Canada’s Trans-Northern Pipelines was allegedly infiltrated by the group, which claimed to have stolen 190 GB of data.
- Ransom Demands: The ransom amounts demanded by ALPHV/BlackCat can be substantial, often running into millions of dollars.
Latest News:
In December 2023, the FBI disrupted the ALPHV/BlackCat operation by seizing its servers and taking over its leak-site domains, having monitored the group’s infrastructure for months and obtained decryption keys to assist victims. The setback was short-lived: within days the group had relaunched its leak site and resumed operations, and in February 2024 an affiliate carried out the attack on Change Healthcare, an Optum (UnitedHealth Group) subsidiary, which disrupted pharmacy and insurance claims processing across the US. A ransom of about $22 million was reportedly paid. In March 2024 the group shut down its servers amid the affiliate’s claim that the ALPHV operators had kept the entire $22 million, which was widely read as an exit scam or a prelude to rebranding (BleepingComputer).
The ransomware threat is continually evolving, marked by both an increase in the number of active groups and a rise in their operational sophistication. Prominent players adapt their tactics to evade detection and maximize their profits. As of early 2024, estimates indicate that around 45 distinct ransomware groups are actively operating, a significant increase from previous years that reflects both the emergence of new groups and the persistence (or rebranding) of established ones.
Mitigation and Response
- Awareness and Training: Educating employees about the risks of ransomware and promoting good habits, such as reporting suspicious emails and links rather than clicking them, helps cut off the phishing vector that all three groups above rely on.
- Backup and Recovery: The best defense against ransomware is a robust backup and recovery strategy. Back up critical data regularly and keep at least one copy offline or immutable, so that an intruder who has already disabled backup software (as Clop does) cannot encrypt or delete it. Backups that have never been restored from are an assumption, not a defense: test restores on a schedule, and verify the integrity of the backup set before trusting it during an incident.
- Security Measures: Organizations should implement comprehensive security measures, including endpoint protection, network segmentation to slow lateral movement, multi-factor authentication on RDP and other remote access, and regular security assessments. Keeping systems and software up to date with the latest patches is also crucial, and internet-facing file transfer and remote-access appliances deserve special attention: the Accellion and MOVEit campaigns show that they are exactly what these groups look for.
- Incident Response: Having an incident response plan in place, and rehearsed, is essential. This includes identifying and isolating infected systems, preserving logs and disk images for forensics, notifying stakeholders, and engaging cybersecurity experts to contain and remediate the attack.
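As an added example (it is not code from the original article or from any of the groups or vendors it names), the script below shows one concrete check behind the backup advice above: record a SHA-256 manifest when a backup set is written, then verify the set against that manifest before relying on it, flagging files that went missing, changed, appeared unexpectedly, or now look encrypted. "Looks encrypted" is decided by byte entropy or by a known ransomware extension; the ".abcd" extension is the one the article attributes to early LockBit, while ".encrypted", the entropy threshold, and every path and sample file are assumptions constructed for the demo.

```python
"""
Backup-manifest verification with an encrypted-file heuristic.
Added example, not from the original article. All paths, file contents
and the SUSPICIOUS_EXTENSIONS set (other than ".abcd") are constructed
for the demonstration.
"""
import hashlib
import json
import math
import tempfile
from collections import Counter
from pathlib import Path

# ".abcd" is the extension the article attributes to early LockBit;
# ".encrypted" is a placeholder for whatever your threat intel feed lists.
SUSPICIOUS_EXTENSIONS = {".abcd", ".encrypted"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; uniformly random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext, much lower for text."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backup files are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (as a POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the tree under root with the manifest taken when it was written."""
    findings = {"missing": [], "modified": [], "unexpected": [], "encrypted_like": []}
    current = {p.relative_to(root).as_posix(): p
               for p in sorted(root.rglob("*")) if p.is_file()}
    for rel, digest in manifest.items():
        if rel not in current:
            findings["missing"].append(rel)
        elif sha256_file(current[rel]) != digest:
            findings["modified"].append(rel)
    for rel, p in current.items():
        if rel not in manifest:
            findings["unexpected"].append(rel)
        if p.suffix in SUSPICIOUS_EXTENSIONS or shannon_entropy(p.read_bytes()) > ENTROPY_THRESHOLD:
            findings["encrypted_like"].append(rel)
    return findings


def demo() -> dict:
    """Constructed scenario: take a manifest, then tamper with the set as ransomware would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "docs").mkdir(parents=True)
        (root / "db").mkdir()
        (root / "docs" / "report.txt").write_text("quarterly report: revenue up 4%\n")
        (root / "db" / "dump.sql").write_text("INSERT INTO t VALUES (1);\n")
        manifest = build_manifest(root)
        # The manifest must live somewhere the backup host cannot write to
        # (in practice: a separate, signed copy); a sibling file stands in here.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(manifest))

        # Simulated intrusion: one file is overwritten with stand-in ciphertext
        # (every byte value equally often, entropy exactly 8.0) and renamed with
        # the ".abcd" extension; another file is quietly altered.
        victim = root / "docs" / "report.txt"
        victim.write_bytes(bytes(range(256)) * 16)
        victim.rename(victim.with_name("report.txt.abcd"))
        with (root / "db" / "dump.sql").open("a") as f:
            f.write("DROP TABLE t;\n")

        return verify_backup(root, json.loads(manifest_path.read_text()))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats when adapting this. The entropy test also fires on legitimately compressed or already-encrypted content (archives, images, encrypted database dumps), so either raise the threshold for those types or check them by hash alone. And the manifest is only useful if the attacker could not rewrite it along with the backup: keep it on a separate medium or sign it, and run the verification from a clean host rather than from the possibly compromised backup server.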