The Part Time Ransomware Groups.
by Dominic Alvieri
February 18th, 2024
It seems like everyone is attacking critical infrastructure these days. There are several nation states and 12 current active ransomware groups that have attacked critical infrastructure around the world. Here are 7 of the 12 active ransomware groups:
ALPHV BlackCat
Black Basta
Hunters International
LockBit
Play Ransomware
RansomHouse
Rhysida Ransomware
Can you name any of the other 5?
Remember the dentist/part time ransomware operator?
There may be another dentist deploying ransomware. Or maybe even a slick lawyer. The rash of bad actors attacking critical infrastructure has to be dealt with immediately.
Who are these part time ransomware operators and why we should make examples out of them? Tracking several of these groups and I can safely say it wouldn't take long to take down at least 2 of the 5 groups I mention below. I predict that at least one of the groups listed below should be comfortably viewing life behind some cold steel bars sometime this year.
Attacking critical infrastructure should be heavily penalized and actors jailed for so long that it should never cross the pea brain of any ransomware idiot.
What is a part time operator?
A part time ransomware operator attacks and posts fewer than about 8 victims per month by my definition and for the purposes of this analysis and article. The part time operator more than likely has another job and or profession in addition to breaching companies.
Cuba Ransomware would be a perfect example but exempt from this discussion due to their backing which is fairly safe to say it stems from the Russian Government and has nothing at all to do with Cuba.
Who are the part time ransomware operators?
Qilin Ransomware
Infrastructure breached - Electric utility
Qilin started quietly on the ransomware seen in 2023 but has ramped up and is set to graduate to a full time operator. Business is good for Qilin who breached and evidentially negotiated with Electric Power of Serbia posting and removing the utility serval times before finally leaking them.
Qilin appears to have quit his day job and about to deploy ransomware full time. 17 posts year to date thru 6 weeks of 2024.
Lorenz
Infrastructure breached - Hospital
Strictly business includes critical infrastructure.
Lorenz is a classic part time operator. A dentist? Probably not. Lorenz has more technical skills than some of the other part timers. I could write a whole other article about Lorenz but let me just say for the purposes of this topic that Lorenz has also breached critical infrastructure in Cogdell Memorial Hospital.
Daixin Team
Infrastructure breached - Hospitals, health networks & water districts
Daixin is the worst of the part timers. Daixin is not a dentist, not by far. I would define the group as the state sponsored nasty version of Cuba. I say this with a moderate degree of certainty from some of their TTPs. Daixin has the most experience and is probably the most likely to continue to cause havoc of any group on this list.
A majority of the Daixin Team attacks have been against critical infrastructure.
Here is a visual snapshot of Daixin critical infrastructure attacks:
Meow Leaks (seriously)
Infrastructure breached - Hospital
Meow Leaks breached Vanderbilt University Medical Center and Hospital early in 2023 before they created their leak site later in the year. It is difficult to take a group calling themselves Meow seriously but they have attacked critical infrastructure and eventually I will take a deeper look at the group.
Money Message
Infrastructure breached - Hospital
The Money Message group came on the scene in 2023 and joins the not so famous list by breaching Anna Jaques Hospital. MM also breached a major dental company in 2023 so this may not be the first or last venture towards critical level companies.
Money Message is trying to stay quiet behind the scene but they are now on radar.
Something has to be done.
Examples have to be made of these bad actors otherwise every pimple faced ransomware wannabe may start attempting to attack critical infrastructure. That will not end well.
The Cyber Show
Dominic Alvieri
X - @AlvieriD
