{
	"id": "7ba91d96-4205-4b2d-84ef-b4d9286a8134",
	"created_at": "2026-04-06T01:31:10.603742Z",
	"updated_at": "2026-04-10T03:38:19.900157Z",
	"deleted_at": null,
	"sha1_hash": "931bcdeebbc1062abe68f84a51abe1809c7ce35a",
	"title": "Ransomware world in 2021: who, how and why",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2333692,
	"plain_text": "Ransomware world in 2021: who, how and why\r\nBy Dmitry Galov\r\nPublished: 2021-05-12 · Archived: 2026-04-06 00:58:03 UTC\r\nAs the world marks the second Anti-Ransomware Day, there’s no way to deny it: ransomware has become the\r\nbuzzword in the security community. And not without good reason. The threat may have been around a long time,\r\nbut it’s changed. Year after year, the attackers have grown bolder, methodologies have been refined and, of course,\r\nsystems have been breached. Yet, much of the media attention ransomware gets is focused on chronicling which\r\ncompanies fall prey to it. In this report, we take a step back from the day-to-day ransomware news cycle and\r\nfollow the ripples back into the heart of the ecosystem to understand how it is organized.\r\nFirst, we will debunk three preconceived ideas that obstruct proper thinking on the ransomware threat. Next, we\r\ndive deep into the darknet to demonstrate how cybercriminals interact with each other and the types of services\r\nthey provide. And finally, we conclude with a look at two high-profile ransomware brands: REvil and Babuk.\r\nNo matter how much work we put into writing this report, before you start reading, make sure your data is backed\r\nup safely!\r\nPart I: Three preconceived ideas about ransomware\r\nIdea #1: Ransomware gangs are gangs\r\nAlong with the rise of big-game hunting in 2020, we saw the emergence of a number of high-profile groups in the\r\nransomware world. Criminals discovered victims would be more likely to pay ransoms if they could establish\r\nsome form of reputability beforehand. To ensure that their ability to restore encrypted files would never be\r\nquestioned, they cultivated an online presence, wrote press releases and generally made sure their name would be\r\nknown to all potential victims.\r\nBut by placing themselves under the spotlight, such groups hide the actual complexity of the ransomware\r\necosystem. 
From the outside, they may appear to be single entities; but they are in fact only the tip of the spear. In\r\nmost attacks there are a significant number of actors involved, and a key takeaway is that they supply services to\r\neach other through dark web marketplaces.\r\nBotmasters and account resellers are tasked with providing initial access inside the victim’s network. Other\r\nmembers of this ecosystem, which we’ll name the red team for the purpose of this discussion, use this initial\r\naccess to obtain full control over the target network. During this process, they will gather information about the\r\nvictim and steal internal documents.\r\nThese documents may be forwarded to an outsourced team of analysts who will try to figure out the actual\r\nfinancial health of the target, in order to set the highest ransom price that they are likely to pay. Analysts will also\r\nkeep a lookout for any sensitive or incriminating information which may be used to support their blackmail tactics\r\n– the goal being to put maximum pressure on decision-makers.\r\nhttps://securelist.com/ransomware-world-in-2021/102169/\r\nPage 1 of 15\n\nWhen the red team is ready to launch the attack, it will purchase a ransomware product from dark web developers,\r\nusually in exchange for a cut of the ransom. An optional role here is the packer developer, who may add\r\nprotection layers to the ransomware program and make it harder for security products to detect for the few hours it\r\nneeds to encrypt the whole network.\r\nFinally, negotiations with the victims may be handled by yet another team and when the ransom is paid out, a\r\nwhole new set of skills is needed to launder the cryptocurrency obtained.\r\nAn interesting aspect of all this is that the various actors in the “ransomware value chain” do not need to\r\npersonally know each other, and in fact they don’t. They interact with each other through internet handles, paying\r\nfor services with cryptocurrency. 
It follows that arresting any of these entities (while useful for deterrence\r\npurposes) does little to slow down the ecosystem, as the identity of co-perpetrators cannot be obtained, and other\r\nsuppliers will immediately fill the void that was created.\r\nThe ransomware world must be understood as an ecosystem, and treated as such: it is a problem that can only be\r\naddressed systematically, for instance by preventing the money from circulating inside of it – which involves not\r\npaying ransoms in the first place.\r\nIdea #2: Targeted ransomware is targeted\r\nThe previous description of the ransomware ecosystem has noteworthy implications when it comes to the way\r\nvictims are selected. Yes, criminal groups are getting bolder and ask for ever-increasing ransoms. But ransomware\r\nattacks have an opportunistic aspect to them. As far as we know, these groups do not peruse the Financial Times to\r\ndecide who they are going after next.\r\nCounter-intuitively, the people who obtain the initial access to the victim’s network are not the ones who deploy\r\nthe ransomware later on; and it is helpful to think of access collection as an entirely separate business. For it to be\r\nviable, sellers need a steady stream of “product”. It might not make financial sense to spend weeks trying to\r\nbreach a predetermined hard target like a Fortune 500 company because there’s no guarantee of success. Instead,\r\naccess sellers go after the low-hanging fruit. There are two main sources for such access:\r\nBotnet owners. Well-known malware families are involved in the biggest and most wide-reaching\r\ncampaigns. Their main objective is to create networks of infected computers, though the infection is only\r\ndormant at this point. 
Botnet owners (botmasters) sell access to the victim machines in bulk as a resource\r\nthat can be monetized in many ways, such as organizing DDoS attacks, distributing spam or, in the case of\r\nransomware, by piggybacking on this initial infection to get a foothold in a potential target.\r\nAccess sellers. Hackers who are on the lookout for publicly disclosed vulnerabilities (1-days) in internet-facing\r\nsoftware, such as VPN appliances or email gateways. As soon as such a vulnerability is disclosed,\r\nthey compromise as many affected servers as possible before the defenders have applied the corresponding\r\nupdates.\r\nAn example of an offer to sell access to an organization’s RDP\r\nIn both cases, it is only after the fact that the attackers take a step back and figure out who they have breached, and\r\nwhether this infection is likely to lead to the payment of a ransom. Actors in the ransomware ecosystem do not do\r\ntargeting in the sense that they almost never choose to go after specific entities. Understanding this fact underlines the\r\nimportance for companies to update internet-facing services in a timely fashion, and to have the ability to detect\r\ndormant infections before they can be leveraged for wrongdoing.\r\nIdea #3: Cybercriminals are criminals\r\nAlright, technically, they are. But this is also an area where there is more than meets the eye, because of the\r\ndiversity of the ransomware ecosystem. There is, of course, a documented porosity between the ransomware\r\necosystem and other cybercrime domains such as carding or point-of-sale (PoS) hacking. But it is worth pointing\r\nout that not all members of this ecosystem originate from the cybercrime underworld. In the past, high-profile\r\nransomware attacks have been used as a destructive means. 
It is not unreasonable to think that some APT actors\r\nare still resorting to similar tactics to destabilize rival economies while maintaining strong plausible deniability.\r\nOn the same note, we released a report last year about Lazarus group trying its hand at big-game hunting.\r\nClearSky identified similar activity that they attributed to the Fox Kitten APT. Observers have noted that the\r\nobvious profitability of ransomware attacks has attracted a few state-sponsored threat actors to this ecosystem as a\r\nway of circumventing international sanctions.\r\nOur data indicates that such ransomware attacks represent only a tiny fraction of the total. While they do not\r\nrepresent a shift in what companies need to be able to defend against, their very existence creates an additional risk\r\nfor victims. On October 1, 2020, the US Department of the Treasury’s OFAC released a memo clarifying that\r\ncompanies wiring money to attackers need to ensure that the recipients are not subject to international sanctions.\r\nThis announcement appeared to be effective, as it has already impacted the ransomware market. It goes without saying\r\nthat performing due diligence on ransomware operators is a challenge on its own.\r\nPart II: The darknet shenanigans\r\nThrough the market lanes\r\nWhen it comes to the sale of digital goods or services related to cybercrime on the darknet, most information is\r\naggregated on just a few large platforms, though there are multiple smaller thematic ones focusing on a single\r\ntopic or product. We analyzed three main forums on which ransomware-related offers are aggregated. 
These\r\nforums are the main platforms where cybercriminals that work with ransomware actively communicate and trade.\r\nWhile the forums host hundreds of various advertisements and offers, for analysis we selected just a few dozen\r\noffers that had been verified by forum administrators and placed by groups with an established reputation. These\r\nads included a variety of offers, from the sale of source code to regularly updated recruitment advertisements,\r\navailable in English and Russian.\r\nDifferent types of offers\r\nAs we noted before, the ransomware ecosystem consists of players that take on different roles. Darknet forums\r\npartially reflect this state of affairs, although the offers on these markets are aimed primarily at selling or recruiting.\r\nJust as with any marketplace, when operators need something, they actively update their ad placements on forums\r\nand take them off as soon as that need is fulfilled. Ransomware developers and operators of affiliate ransomware\r\nprograms (better known as Ransomware as a Service) offer the following:\r\nInvitations to join partner networks, affiliate programs for ransomware operators\r\nAds for ransomware source code or ransomware builders\r\nThe first type of involvement presumes a lengthy partnership between the ransomware group operator and the\r\naffiliate. Usually, the ransomware operator takes a profit share ranging from 20% to 40%, while the remaining 60-80%\r\nstays with the affiliate.\r\nExamples of offers listing payment conditions in partner programs\r\nWhile many ransomware operators look for partners, some sell ransomware source code or do-it-yourself (DIY)\r\nransomware packages. Such offers vary from US$300 to US$5000.\r\nSelling ransomware source code or leaked samples is the easiest way of making money off ransomware\r\nin terms of technical proficiency and effort invested by the seller. 
However, such offers also make the least money,\r\nas source code and samples quickly lose their value. There are two different types of offers – with and without\r\nsupport. If ransomware is purchased without support, once it is detected by cybersecurity solutions, the buyer\r\nwould need to figure out on their own how to repackage it, or find a service that does sample repackaging –\r\nsomething that is still easily detected by security solutions.\r\nOffers with support (admittedly, more widespread in the financial malware market) usually include regular updates,\r\nwith the seller deciding when and how the malware is updated.\r\nIn this regard, darknet forum offers have not changed much compared to 2017.\r\nRansomware developers sometimes advertise builders and source code as a one-off purchase with no customer\r\nsupport\r\nAn offer of a subscription for ransomware and additional services looks very similar to any other ad for a\r\nlegitimate product, with varying benefits and price range\r\nSome of the big players aren’t seen on the darknet\r\nEven though the number and the range of offers available on the darknet certainly is not small, the markets do not\r\nreflect the whole ransomware ecosystem. Some large ransomware groups either work independently or find\r\npartners directly (for instance, as far as we know, Ryuk was able to access some of its victims’ systems after a\r\nTrickbot infection, which suggests a potential partnership between the two groups). Therefore, the forums generally\r\nhost smaller players – either medium-sized RaaS operators, smaller actors that sell source code, or newbies.\r\nGround rules for affiliates on the darknet\r\nThe ransomware market is a closed one, and the operators behind it are careful about who they choose to work\r\nwith. 
This caution is reflected in the ads the operators place and the criteria they impose when selecting partners.\r\nThe first general rule is that of geographical restrictions placed on the operators. When malware operators work\r\nwith partners, they avoid using the malware in the jurisdiction where they are based. This rule is strictly adhered\r\nto, and partners that don’t abide by it quickly lose access to the programs they have been working with.\r\nAdditionally, operators screen potential partners to reduce the chances of hiring an undercover official, for\r\ninstance, by checking their knowledge of the country they claim to be from, as illustrated in the example below.\r\nThey may also impose restrictions on certain nationalities based on their political views. These are just some of\r\nthe ways operators try to ensure their security.\r\nIn this example the gang recommends vetting new affiliates by asking obscure questions about the history of\r\nformer Soviet republics and expressions that typically only native Russian speakers could answer\r\nAvaddon may consider English-speaking affiliates if they have an established reputation or can provide a\r\ndeposit, according to this ad\r\nThe merchants\r\nFor a more detailed overview we chose two of the most noteworthy Big Game Hunting ransomware families in 2021.\r\nThe first one is the REvil (aka Sodinokibi) gang. Since 2019, this ransomware has been advertised on\r\nunderground forums and has a strong reputation as a RaaS operator. The gang’s name REvil often appears in news\r\nheadlines in the infosecurity community. REvil operators have demanded the highest ransoms in 2021.\r\nThe other is the Babuk locker. Babuk is the first new RaaS threat discovered in 2021, demonstrating a high level\r\nof activity.\r\nREvil\r\nAn example of an ad placed by the REvil affiliate program\r\nREvil is one of the most prolific RaaS operations. 
The group’s first activity was observed in April 2019 after the\r\nshutdown of GandCrab, another now-defunct ransomware gang.\r\nTo distribute ransomware, REvil cooperates with affiliates hired on cybercriminal forums. The ransom demand is\r\nbased on the annual revenue of the victim, and distributors earn between 60% and 75% of the ransom. Monero\r\n(XMR) cryptocurrency is used for payment. According to an interview with the REvil operator, the gang earned\r\nover $100 million from its operations in 2020.\r\nThe developers regularly update the REvil ransomware to avoid detection and improve the reliability of ongoing\r\nattacks. The group announces all major updates and the availability of new partner program items in their various\r\nthreads on cybercriminal forums. On April 18, 2021, the developer announced that the *nix implementation of the\r\nransomware was undergoing closed testing.\r\nREvil informs about the internal testing of the *nix implementation of the ransomware\r\nTechnical details\r\nREvil uses the Salsa20 stream cipher to encrypt the content of files, and an elliptic-curve asymmetric\r\nalgorithm to encrypt the Salsa20 keys. The malware sample has an encrypted configuration block with many fields,\r\nwhich allow attackers to fine-tune the payload. The executable can terminate blacklisted processes prior to\r\nencryption, exfiltrate basic host information, and encrypt non-whitelisted files and folders on local storage devices and\r\nnetwork shares. A more detailed account of the technical capabilities of REvil is available in our private and\r\npublic reports.\r\nThe ransomware is now distributed mainly through compromised RDP access, phishing, and software\r\nvulnerabilities. The affiliates are responsible for gaining initial access to corporate networks and deploying the\r\nlocker – a standard practice for the RaaS model. 
It should be noted that the gang has very strict recruitment rules\r\nfor new affiliates: REvil recruits only Russian-speaking, highly skilled partners with experience in gaining access\r\nto networks.\r\nPrivilege elevation, reconnaissance and lateral movement follow a successful breach. The operators then evaluate,\r\nexfiltrate and encrypt sensitive files. The next stage is negotiations with the attacked company. If the victim\r\ndecides not to pay the ransom, the REvil operators will start publishing the sensitive data of the attacked\r\ncompany on the .onion Happy Blog site. The tactic of publishing exfiltrated confidential data on leak sites has\r\nrecently gone mainstream among Big Game Hunting players.\r\nAn example of a post on REvil’s blog that includes data stolen from the victim\r\nIt’s worth noting that ransomware operators have started using voice calls to business partners and journalists, as\r\nwell as DDoS attacks, to force their victims to pay a ransom. In March 2021, according to the operator, the gang\r\nlaunched a service at no extra cost for affiliates that contacts the victim’s partners and the media to exert\r\nmaximum pressure, plus DDoS (L3, L7) as a paid service.\r\nREvil announces a new feature to arrange calls to the media and the target’s partners to exert additional\r\npressure when demanding a ransom\r\nAccording to our research, this malware affected almost 20 business sectors. The largest share of victims fell into\r\nthe category Engineering \u0026 Manufacturing (30%), followed by Finance (14%), Professional \u0026 Consumer\r\nServices (9%), Legal (7%), and IT \u0026 Telecommunications (7%).\r\nThe victims of this campaign include companies such as Travelex, Brown-Forman Corp., the pharmaceutical\r\ngroup Pierre Fabre, and the celebrity law firm Grubman Shire Meiselas \u0026 Sacks. 
In March 2021, the gang\r\nbreached Acer and demanded the highest recorded ransom of $50 million.\r\nOn April 18, 2021, a member of the REvil group announced that the gang was on the cusp of declaring its “most\r\nhigh-profile attack ever” in a post on forums where cybercriminals recruit new affiliates. On April 20, the group\r\npublished a number of alleged blueprints for Apple devices on the Happy Blog site. According to the attackers, the\r\ndata was stolen from Quanta’s network. Quanta Computer is a Taiwan-based manufacturer and one of Apple’s\r\npartners. The initial ransom demand made to Quanta was $50 million.\r\nIn the past few quarters there has been a sharp spike in REvil’s targeted activity\r\nThe REvil gang is a prime example of a Big Game Hunting player. In 2021, we are seeing a trend towards bigger\r\nransoms for sensitive company data. The use of new tactics to pressure the victim, the active development of non-Windows versions and the regular recruitment of new affiliates all suggest that the number and scale of attacks\r\nwill only grow in 2021.\r\nBabuk\r\nAnother player in the Big Game Hunting scene in 2021 is the Babuk locker. At the beginning of 2021 we observed\r\nseveral incidents involving this ransomware.\r\nAt the end of April 2021, the threat actors behind Babuk announced the end of their activity, stating that they would\r\nmake their source code publicly available in order to “do something like Open Source RaaS”. This means that\r\nwe’ll probably see a new wave of ransomware activity as soon as various smaller threat actors adopt the leaked\r\nsource code for their operations. 
We’ve seen this sort of situation happen before with other RaaS and MaaS\r\nprojects – the Cerberus banking Trojan for Android is a good example from last year.\r\nBabuk announcement about the end of operations\r\nThe group clearly customizes each sample for each victim: it includes a hardcoded name of the\r\norganization, a personalized ransom note and the extension used for the encrypted files. Babuk’s operators also use the RaaS\r\nmodel. Prior to infection, affiliates or the operators compromise the target network, so they can identify how to\r\ndeploy the ransomware effectively and evaluate the sensitive data in order to set the highest realistic ransom price\r\nfor the victim. The team behind Babuk defines their group as CyberPunks that “randomly test corporate networks\r\nsecurity,” using RDP as an infection vector. The gang offers 80% of the ransom to their affiliates.\r\nAn example of an ad placed by the Babuk affiliate program\r\nBabuk advertises on both Russian-speaking and English-speaking underground forums. At the beginning of\r\nJanuary 2021, an announcement appeared on one forum about the new ransomware Babuk, with subsequent posts\r\nfocusing on updates and affiliate recruitment.\r\nBabuk’s announcement to the press explaining their strategy and victim selection\r\nBabuk’s whitelist prevents any targeting in the following countries: China, Vietnam, Cyprus, Russia and other CIS\r\ncountries. The operators also prohibit the compromise of hospitals, non-profit charities, and companies with an\r\nannual revenue of less than $30 million according to ZoomInfo. To join the affiliate program, a partner must pass\r\nan interview on Hyper-V and ESXi hypervisors.\r\nBabuk made the headlines for being probably the first ransomware gang to publicly declare a negative stance\r\ntowards the LGBT and Black Lives Matter (BLM) communities. 
It was due to this fact that the group excluded\r\nthese communities from their whitelist. But in a post on the Babuk data leak site about the results of two months\r\nof work, the gang reported that they had added LGBT and BLM foundations and charity organizations to their\r\nwhitelist.\r\nTechnical details\r\nFor encryption Babuk uses a symmetric algorithm combined with Elliptic-curve Diffie–Hellman (ECDH). After\r\nsuccessful encryption, the malware drops a hardcoded ransom note as “How To Restore Your Files.txt” into each\r\nprocessed directory. In addition to the text, the ransom note contains a list of links to screenshots of some\r\nexfiltrated data. This shows that the malware sample is crafted after the victim’s data is exfiltrated. As mentioned\r\nabove, each sample is customized for the specific target.\r\nIn the ransom note, the gang also suggests that the victim start the negotiation process using their personal chat\r\nportal. These steps aren’t exclusively tied to Babuk but are commonly present in Big Game Hunting campaigns.\r\nRemarkably, the text of the ransom note also contains a private link to the related post on the .onion data leak site,\r\nwhich is not accessible from the main page of the site. There are some screenshots, as well as a text description of\r\nthe types of stolen files, and general threats addressed to the victim. If the victim decides not to negotiate with\r\nthe cybercriminals, the link to this post will be made public.\r\nThe group behind the Babuk locker primarily targets large industrial organizations in Europe, the US and Oceania.\r\nTargeted industries include, but are not limited to, transportation services, the healthcare sector, and various\r\nsuppliers of industrial equipment. In fact, recent cases show that Babuk operators are expanding their targets. On\r\nApril 26, the D.C. 
Police Department confirmed that its network had been breached, with the Babuk operator\r\nclaiming responsibility and announcing the attack on their .onion leak site.\r\nBabuk’s announcement of a successful attack on the D.C. Police Department\r\nAccording to the post on this site, the gang was able to exfiltrate more than 250 GB of data from Washington’s\r\nMetropolitan Police Department network. At the time of writing, the police department had three days to start the\r\nnegotiation process with the attackers; otherwise, the group would start leaking data to criminal gangs. Babuk also\r\nwarned that it would continue to attack the US state sector.\r\nBabuk operator’s screenshots of stolen files from the D.C. Police Department’s network published on the\r\ndarknet leak site\r\nConclusion\r\nOn April 23, 2021, we released ransomware statistics that revealed a significant decline in the number of users\r\nwho had encountered this threat. These numbers should not be misinterpreted: while it is true that random\r\nindividuals are less likely to encounter ransomware than they used to, the risk for companies has never been\r\nhigher.\r\nEver eager to maximize profits, the ransomware ecosystem has evolved and can now be considered a systemic\r\nthreat for corporations all around the world.\r\nThere was a time when SMBs could mostly ignore the challenges posed by information security: they were small\r\nenough to stay under the radar of APT actors, but still big enough not to be affected by random and generic\r\nattacks. 
Those days are over, and all companies today must be prepared to fend\r\noff criminal groups.\r\nThankfully, such attackers will usually go after the low-hanging fruit first, and setting up appropriate security\r\npractices will make a world of difference.\r\nOn May 12, which is Anti-Ransomware Day, Kaspersky encourages organizations to follow these best practices\r\nto help safeguard your organization against ransomware:\r\nAlways keep software up to date on all your devices to prevent attackers from infiltrating your network by\r\nexploiting vulnerabilities.\r\nFocus your defense strategy on detecting lateral movement and data exfiltration to the internet. Pay\r\nspecial attention to outgoing traffic to detect cybercriminal connections. Set up offline backups that\r\nintruders cannot tamper with. Make sure you can quickly access them in an emergency.\r\nTo protect the corporate environment, educate your employees. Dedicated training courses can help, such\r\nas the ones provided in the Kaspersky Automated Security Awareness Platform. A free lesson on how to\r\nprotect against ransomware attacks is available here.\r\nCarry out a cybersecurity audit of your networks and remediate any weaknesses discovered in the\r\nperimeter or inside the network.\r\nEnable ransomware protection for all endpoints. There is the free Kaspersky Anti-Ransomware Tool for\r\nBusiness that shields computers and servers from ransomware and other types of malware, prevents\r\nexploits and is compatible with other installed security solutions.\r\nInstall anti-APT and EDR solutions, enabling capabilities for advanced threat discovery and detection,\r\ninvestigation and timely remediation of incidents. Provide your SOC team with access to the latest threat\r\nintelligence and regularly upskill them with professional training. 
Ask for help from your MDR provider if\r\nyou lack internal threat hunting experts. They will take responsibility for continuously finding, detecting\r\nand responding to threats targeting your business. All of the above is available within the Kaspersky Expert\r\nSecurity framework.\r\nIf you become a victim, never pay the ransom. It won’t guarantee you get your data back but will\r\nencourage criminals to continue their activities. Instead, report the incident to your local law enforcement\r\nagency. Try to find a decryptor on the internet – quite a few are available at\r\nhttps://www.nomoreransom.org/en/index.html\r\nSource: https://securelist.com/ransomware-world-in-2021/102169/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/ransomware-world-in-2021/102169/"
	],
	"report_names": [
		"102169"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2c348851-5036-406b-b2d1-1ca47cfc7523",
			"created_at": "2022-10-25T16:07:24.039861Z",
			"updated_at": "2026-04-10T02:00:04.847961Z",
			"deleted_at": null,
			"main_name": "Parisite",
			"aliases": [
				"Cobalt Foxglove",
				"Fox Kitten",
				"G0117",
				"Lemon Sandstorm",
				"Parisite",
				"Pioneer Kitten",
				"Rubidium",
				"UNC757"
			],
			"source_name": "ETDA:Parisite",
			"tools": [
				"Cobalt",
				"FRP",
				"Fast Reverse Proxy",
				"Invoke the Hash",
				"JuicyPotato",
				"Ngrok",
				"POWSSHNET",
				"Pay2Key",
				"Plink",
				"Port.exe",
				"PuTTY Link",
				"SSHMinion",
				"STSRCheck",
				"Serveo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e3ba400-aee3-4ef3-8fbc-ec07fdbee46c",
			"created_at": "2025-08-07T02:03:24.731268Z",
			"updated_at": "2026-04-10T02:00:03.651425Z",
			"deleted_at": null,
			"main_name": "COBALT FOXGLOVE",
			"aliases": [
				"Fox Kitten ",
				"Lemon Sandstorm ",
				"Parisite ",
				"Pioneer Kitten ",
				"RUBIDIUM ",
				"UNC757 "
			],
			"source_name": "Secureworks:COBALT FOXGLOVE",
			"tools": [
				"Chisel",
				"FRP (Fast Reverse Proxy)",
				"Mimikatz",
				"Ngrok",
				"POWSSHNET",
				"STSRCheck",
				"Servo",
				"n3tw0rm ransomware",
				"pay2key ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "871acc40-6cbf-4c81-8b40-7f783616afbc",
			"created_at": "2023-01-06T13:46:39.156237Z",
			"updated_at": "2026-04-10T02:00:03.232876Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"UNC757",
				"Lemon Sandstorm",
				"RUBIDIUM",
				"PIONEER KITTEN",
				"PARISITE"
			],
			"source_name": "MISPGALAXY:Fox Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d070e12b-e1ce-4d8d-b5e3-bc71960cc0cb",
			"created_at": "2022-10-25T15:50:23.676504Z",
			"updated_at": "2026-04-10T02:00:05.260839Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"Fox Kitten",
				"UNC757",
				"Parisite",
				"Pioneer Kitten",
				"RUBIDIUM",
				"Lemon Sandstorm"
			],
			"source_name": "MITRE:Fox Kitten",
			"tools": [
				"China Chopper",
				"Pay2Key",
				"ngrok",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439070,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/931bcdeebbc1062abe68f84a51abe1809c7ce35a.pdf",
		"text": "https://archive.orkl.eu/931bcdeebbc1062abe68f84a51abe1809c7ce35a.txt",
		"img": "https://archive.orkl.eu/931bcdeebbc1062abe68f84a51abe1809c7ce35a.jpg"
	}
}