Leaked ransomware variants boost activity of less professional cybercriminals

Leaked ransomware variants speed up attacks by individual and novice cybercriminals despite their lack of professionalism, a threat that Kaspersky experts warn about because of the risk it poses to the security of companies and Internet users.

The report, ‘How professional ransomware variants drive cybercriminal groups’, sheds light on the tools and methods used by organised ransomware groups as well as individual attackers.

Generally speaking, organised groups have a wide range of tools and models at their disposal and have their own ransomware variants, while independent criminals often resort to the dark web, affiliate programs or leaked variants to launch their attacks.

In this context, Kaspersky’s Global Research and Analysis Team (GReAT) has identified that the latest ransomware attacks use leaked source codes, allowing threat actors to quickly seek out victims and spread malicious activities.

In April, the attack on IxMetro using a newly identified ransomware variant, SEXi, uncovered a group targeting ESXi – VMware's virtual-machine hypervisor – with the particularity that it used different leaked variants (Babuk for Linux and LockBit for Windows) depending on the target platform.

The Key group, also known as keygroup777, has used at least eight different ransomware families since its creation in April 2022, and its techniques and persistence mechanisms have evolved with each new variant over time. Kaspersky’s report highlights that its operations are not very professional, as shown, for example, by the fact that its main C2 channel is a GitHub repository, which makes it easy to track, and that communication is maintained via Telegram.

The Mallox variant first appeared in 2021 and started its affiliate program in 2022. Its authors claim to have purchased the source code, although its origin is unclear.

This group works exclusively with experienced, Russian-speaking affiliates and targets companies with revenues of over $10 million. Its affiliates, tracked through unique identifiers, contributed to significant spikes in activity in 2023.

As Kaspersky explains, although the groups using leaked variants may not display high levels of professionalism, their effectiveness lies in the success of their affiliate schemes or in targeting specific niches. Therefore, the publication and leak of ransomware variants pose significant threats to both organizations and individuals.

“With commercial ransomware and affiliate programs, even novice cybercriminals can pose a significant threat,” said Jornt van der Wiel, senior cybersecurity analyst at Kaspersky’s GReAT, in a press release.

By Editor