Most Dangerous Ransomware Groups You Should Know About
Last updated on November 21, 2023
Ransomware is a major threat that costs businesses, corporations, and infrastructure operators billions of dollars every year. Behind this type of threat are experienced ransomware groups developing and distributing malware that makes the attacks possible.
For years, cybersecurity experts have compared these ransomware attacks to natural disasters, sporadic yet devastating. However, the perpetrators behind these acts are no forces of nature; they’re calculated, clever, and relentlessly creative.
From high-profile attacks on multinational corporations to crippling blows to healthcare systems in the middle of a pandemic, these ransomware gangs continue to adapt, innovate, and escalate their strategies. The strategic adaptation of these gangs has not only elevated ransomware attacks from minor annoyances to critical national security threats but has also led to the loss of billions of dollars and invaluable data assets.
In this blog post, the objective is not merely to identify but to scrutinize the most perilous ransomware groups that have emerged over time.
Whether you’re a cybersecurity professional striving to mitigate these risks, a business leader aiming to protect your assets, or just a concerned citizen, understanding the modus operandi of these notorious groups is the first step in fortifying your digital infrastructure against these persistent threats.
By now you know that there are plenty of active ransomware groups out there. With names such as Vice Society, Agenda, or Redeemer, these strains sound like they belong in a hacker movie, right? But while newcomers may want a share of the money, a few ransomware families have established their dominance.
8 Most Dangerous Ransomware Groups of All Time
Let’s take a quick look at the most dangerous ransomware groups disrupting the cybersecurity landscape. Here we go!
1. Clop Ransomware
For the past three years, Clop has been one of the most active ransomware families. It has gained notoriety for breaking into high-profile companies in many industries around the world, employing multilevel extortion tactics that led to substantial payouts, estimated at US$500 million as of November 2021.
The gang was first detected in early 2019 and has since been linked to a number of high-profile ransomware attacks, such as the breach at ExecuPharm in the United States and the data breach at Accellion, where threat actors abused vulnerabilities in the IT provider’s software to collect data from dozens of its customers, including the University of Colorado.
The Clop ransomware organization was the focus of a three-and-a-half-year global law enforcement operation known as ‘Operation Cyclone’. We reported in November that Ukrainian authorities had arrested members of the Clop ransomware group who were implicated in ransom money laundering.
2. Conti Ransomware
What sets Conti apart from other ransomware groups is its lack of ethical limits in choosing victims. The group carried out multiple cyberattacks on the healthcare and education sectors, demanding millions of dollars in ransom.
In February 2022, Conti targeted an international terminal operator that manages 24 seaports across Europe and Africa. All 24 ports were impacted by the cyberattack, which significantly disrupted business operations.
3. DarkSide Ransomware
DarkSide is a ransomware operation that runs as a ransomware-as-a-service (RaaS) group. It began attacking organizations worldwide in August 2020 and, like other threats used in targeted cyberattacks, DarkSide not only encrypts the victim’s data but also exfiltrates it from the compromised servers. In just nine months of operation, DarkSide collected at least $90 million in Bitcoin ransom payments across 47 distinct wallets.
4. REvil Ransomware
REvil ransomware, first noticed in April 2019 and operating under a ransomware-as-a-service model, is known for its attacks on two major organizations: JBS and Kaseya.
Because of the REvil attack, JBS Foods, the world’s largest meatpacking company, was forced to temporarily shut down its operations and paid an estimated $11 million ransom to prevent the threat actors from publishing its data online.
In July 2021, REvil encrypted Kaseya’s servers by exploiting an SQL injection vulnerability in Kaseya’s software. Because Kaseya’s customers were compromised through the vendor’s product, this was a supply chain attack. Directly impacting over 1,500 businesses globally, the Kaseya attack brought the gang a great deal of unwanted attention.
In January 2022, following diplomatic pressure, Russian authorities arrested multiple members of the organization and seized assets worth millions of dollars. However, the disruption was only temporary: the REvil ransomware gang resumed operations in April 2022.
5. LockBit Ransomware
LockBit ransomware, one of the most dangerous ransomware gangs at this time, was first spotted in September 2019. The group operates as a ransomware-as-a-service (RaaS), recruiting affiliates to compromise networks and encrypt devices. It targets companies located in the US, China, India, and Europe.
LockBit 2.0 RaaS was released in June 2021, followed by 3.0 in June 2022. The latest version features new encryptors built on the BlackMatter source code, new payment methods, new extortion strategies, and the first ransomware bug bounty program.
We recently found out that the LockBit ransomware operation took a severe blow after a developer leaked the builder for its newest ransomware encryptor online. The encryptor, codenamed LockBit Black, was officially released in June after two months of testing. Multiple security researchers confirmed that the builder is legitimate.
6. Maze Ransomware
The Maze ransomware group takes a multi-faceted approach to its attacks, employing a range of infection vectors from email phishing to exploiting software vulnerabilities. What sets Maze apart is its double-extortion technique: the group not only encrypts the victim’s data but also steals it.
If the ransom isn’t paid, the group threatens to release the sensitive data publicly. Maze has gone after big players in the market, including Canon, LG, and Xerox. Though they’ve reportedly ceased operations, their tactics continue to inspire other ransomware groups.
7. Ryuk Ransomware
Ryuk is an active ransomware group known for its highly targeted approach. Rather than casting a wide net, Ryuk focuses on spear-phishing attacks aimed at specific organizations, particularly within healthcare. This strategy has allowed them to demand exceptionally high ransoms, resulting in significant financial gains. The group’s attacks have created major disruptions across various sectors, putting them high on the list of dangerous ransomware entities.
8. DoppelPaymer Ransomware
Emerging as a spin-off from the BitPaymer group, DoppelPaymer employs similar tactics such as targeted phishing and exploiting software vulnerabilities. Their victims typically include local governments and large corporations, making them a significant threat. Like Maze, DoppelPaymer engages in data exfiltration, demanding high ransoms and threatening to release the stolen data if their demands are not met.
As a Senior Content Writer and Video Content Creator specializing in cybersecurity, I leverage digital media to unravel and clarify complex cybersecurity concepts and emerging trends. With my extensive knowledge in the field, I create content that engages a diverse audience, from cybersecurity novices to experienced experts. My approach is to create a nexus of understanding, taking technical security topics and transforming them into accessible, relatable knowledge for anyone interested in strengthening their security posture.