Skip to main content
Need help with a cyber incident now?
Call 24/7: +31 88-2747800

Ransomware groups and their methods

By 8 June 2023 July 3rd, 2023 Blog, CERT

Companies and organizations are becoming increasingly aware of the danger presented by cybercriminals. The consequences of a cyber incident can be enormous for your business operations and with that, for your employees, clients and supply chain partners. Contractual agreements, physical security, and your reputation are at risk, effectively your company’s future.

What is Ransomware?

Ransomware is one of organized (cybercrime’s favorite means of pressuring victims. Traditionally, this malicious software causes systems to be unusable by encrypting files. This encryption is generally so strong, that criminals ‘sell’ a decryptor against a very short time limit. There is of course no voluntary purchase, seeing as your company has come to a (partial) standstill.

Nowadays, when it comes to the more well-known ransomware groups, the extortion is twofold: the (sensitive) files are often already stolen before the encryption is started. In this case, there must also be paid in order to not publish or offer the files for sale on the dark web. This data exfiltration, combined with the encryption, is known as “double extortion”.

A third means of pressure is being added as an additional stress factor to coerce victims into paying the ransom sum: DDoS attacks on the victim’s critical infrastructure or aimed at that of their supply chain partners, making systems unavailable. So, maximum pressure to proceed with the payment. Yet, you can still see that there are differences in the ways ransomware groups operate. In this blog we will highlight some of them.


The ransomware group PLAY emphasizes that non-payment leads to a cascade of possible losses: damage claims, the order portfolio growing empty, loss of value on the stock exchange, and reputational damage. PLAY estimates these damages to be higher than the cost of paying for a decryptor. In this way, the option of paying is presented as the most favorable.


BlackCat (or ALPHV), another ransomware group, does not shy away from the triple-extortion method and expresses itself very aggressively on its dark web blog when victims are uncooperative. What is remarkable here, is that they themselves are convinced that they are protecting the world from organizations that don’t have their security measures in order. They put the blame for the breaches on their victims.

Figure 1 The aggressive ‘warning’ to the world for the dangers of working with a company hacked by BlackCat (ALPHV)


The Royal ransomware group does something similar: they claim to be a service provider in pentesting in their ransom note, for which they request a small fee with the cynical undertone that you should not have skimped on security measures. Of course, the big difference is that they were not asked to conduct a penetration test. Normally that would involve a clear scope to be determined beforehand so that the exact assignment and the goal are clear, and agreements are concluded.

The professionalization of ransomware groups

It may be obvious that every ransomware group has its own tactics and methods to coerce victims into payment. In addition, just like with legitimate organizations, the market is in full development. In this regard, what really stands out in the battle against ransomware is the high degree of professionalization and innovation in the development of ransomware. These creators of ransomware are led by mutual (hostile) competition, but also inspire each other and are challenged non-stop by their victims’ security solutions, which keep getting better and smarter.


The group Karakurt (Russian name for the poisonous spider “European Black Widow”) positions itself as an intellectual gang that feels challenged by the ever-improving security measures. Supposedly, this would make them tap into their creativity and would remove the routine from hacking. They decorate their blog with images from the work of the medieval Dutch painter Jheronimus Bosch. This group is currently making big strides in Northwestern Europe.


Figure 2 Logo Karakurt, referring to the poisonous European Black Widow

Karakurt also explicitly calls on disgruntled employees who hate their boss or company and want to contribute to the downfall of said person or company. These employees would be considered “insider threats”.


Figure 3 Karakurt actively recruits

Contradictory to other groups’ aggression and recklessness, is the willingness to help the victims with payment and decrypting the environment by running their own support desks. Reaching out via TOX, XMPP or a contact form seem to be preferred.

Ransomware-as-a-Service and affiliate programs

The aforementioned form of helpfulness is ingrained in a relatively new form of ransomware. This form is also known as Ransomware-as-a-Service (RaaS).

The ransomware’s developers essentially give out licenses to self-selected criminal hackers (affiliates). These affiliates are equipped with an automatically built and unique package of ransomware they can roll out to their victims. In return, the developers request 20% of the received ransom sums, for example.

They actively help these affiliates. That could be in the form of automatization of the encryption process, communicating with the victim, publishing files or receiving the payment.

Figure 4 AvosLocker’s services and capabilities

Selecting these affiliates is a lot like a regular recruitment process where certain qualifications are required and tested. Additionally, it is possible to put forward referrals that will testify for the applicant’s reliability. For example, think of someone’s reputation on various dark web fora, the value of their crypto wallet balances, and previous ‘accomplishments’.

Lockbit 3.0

The Ransomware-as-a-service Lockbit 3.0 even released a bug bounty program on their website where they hope to locate vulnerabilities in their encryption/decryption in exchange for a reward. They also want to know whether the platform TOX messenger or the TOR network which they use are vulnerable. As the cherry on top, Lockbit’s boss has offered 1 million US dollars to the person that is able to “doxx” them in a private message. Normally that would involve releasing private information online, with the goal of damaging that person or people around him/her.

Figure 5 Bug Bounty Program Lockbit 3.0

For their affiliates, Lockbit 3.0 and AvosLocker have a couple of rules in place: post-Soviet Union countries and critical infrastructure can not be targeted. The health sector is fair game as long as the encryption of files bring life-threatening risks with it. For this reason, midwifery, cardiac surgery and neurosurgery are off limits. For affiliates that are in doubt, Lockbit 3.0 and Avoslocker refer to their help desks.

As the affiliates get to work, things can move very fast. BlackBasta, for example, has made 180+ victims in the past 9 months whose malware is updated regularly to keep avoiding detection. BianLian anonymizes new victims on its blog at first, until files are going to get released. Just like AvosLocker they do not just release all stolen data but want to yield maximum returns by selling this data to other interested parties.

Figure 6 Stolen data offered under conditions by BianLian

How do I protect my organization?

The various groups all have their own style, motives, are distinguishable in methods and level of knowledge, but also each have their own ideal victim.

A number of groups targets specific targets with (spear) phishing campaigns or exploit vulnerabilities in systems. In other cases, access is gained opportunistically in the most efficient way; say credentials from infostealer malware that is sold by Initial Access Brokers on dark web marketplaces. So, the threat posed by ransomware does not really have a specific target’s profile.

Figure 7 Russian Market, a dark web marketplace where login credentials are traded among others


We have discussed a number of ransomware groups and their characteristics. By getting started with the basic measures listed below, both the probability of an incident occurring, as well as the possible impact of an incident are reduced. While doing so, it is important to realize that cybersecurity must be on everyone’s agenda, which starts in the board room.

  • Forced multi-factor authentication (MFA) wherever possible;
  • Network segmentation;
  • Implementing monitoring and detection, such as Endpoint/Network Detection & Response and dark web monitoring;
  • A patching policy that takes into account patching under time pressure;
  • A good disaster recovery plan and backup policy which are periodically tested;
  • An incident management process aimed at cybersecurity incidents;
  • Structural training of employees’ and directors’ behavior and awareness.

Incident or a gut feeling?

Despite being well-prepared and all implemented measures, training and processes aside, even in this case there is never 100 percent certainty that your organization will not fall victim. Thus, make sure that you are also prepared for that scenario.

In case you have been struck by a ransomware attack it is best to act quick alongside experts. Tesorion is available 24/7 to assist in suspicious situations. The Tesorion Computer Emergency Response Team (T-CERT) specializes in helping your company in the event of a cyber incident. This could be by providing short triaging on the phone to an extensive forensic investigation into the incident’s severity and cause.