Ransomware ecosystem targeting individuals, small firms remains robust
Ransomware attacks on major companies and large government organizations have dominated the headlines in 2023 but researchers from several companies are warning that smaller-scale attacks on individuals and small businesses are causing significant harm and damage too.
Researchers at Netenrich examined the Adhubllka ransomware, which has targeted regular people and small businesses with ransoms ranging from $800 to $1,600 since at least January 2020.
Rakesh Krishnan, senior threat analyst at Netenrich, said it is common for ransomware gangs to eschew larger targets in favor of victims they know will not have the technical know-how to deal with an incident.
Many gangs crib their ransomware from leaked versions of established brands like Conti or LockBit, Krishnan explained.
“They might not have the bandwidth to develop something from scratch. Another possibility is: They might have a simple ransomware which can be decoded by researchers and those who could obtain decryption keys for free,” he said.
“So it would be their aim to keep their project under the hoods so that no one picks it up. Hence, a small amount is being ransomed as compared to the big fishes in this industry.”
In a report last month, Chainalysis noted this trend, highlighting that while media attention and focus is on the gangs demanding millions from large companies, there was also a significant growth in activity from groups like Dharma, Phobos and Stop/Djvu that demanded ransoms under $1,700.
Dharma and Phobos are ransomware-as-a-service strains that are “typically used in spray and pray attacks against smaller targets and can be deployed by relatively unsophisticated actors,” they explained.
Allan Liska, senior security architect at cybersecurity firm Recorded Future, noted that these kinds of strains made up almost all ransomware activity before 2017 and are still the most popular type of ransomware, despite the shift in media and researcher coverage.
“I think most people don’t realize this, but for the last 4 years the most popularly deployed ransomware, and it is not even close, have been variants of STOP/DJVU. The second most popular have been variants of Phobos ransomware. Both STOP and Phobos are single machine ransomware that encrypt and extort,” he said. The Record is an editorially independent unit of Recorded Future.
“There isn’t (usually) data theft involved in these attacks, and there is definitely no double extortion. We tend to see these hitting individual users or small businesses that don’t have the resources for any sort of security measures. We often see them disguised as popular software downloads or delivered through mass phishing campaigns.”
Adhubllka origins
The Netenrich report focuses on a ransomware strain the company observed in the wild this month. They were able to trace the ransomware back to Adhubllka, noting that it is increasingly common for groups to tweak ransomware codebases to create their own version with new encryption schemes and ransom notes.
The researchers also found ties to CryptoLocker, a ransomware that has been around since 2016.
Krishnan looked at the negotiation tactics and other clues that revealed a web of strains that all descended from Adhubllka. Many of the ransom notes were identical and took victims to similar interfaces where they could communicate with the hackers. Similar email addresses were used by those operating a range of different strains, indicating ties between them all.
He said Adhubllka was an “anchor point” because of “the large number of reports covering the same email address [email protected], which belongs to the ransomware group.”
The researchers noted that they also saw Adhubllka used in attacks on businesses in Australia throughout 2020.
Krishnan warned that it may continue to get more difficult for researchers and experts to identify ransomware gangs and strains as groups crib from each other and amend leaked versions of ransomware.
But researchers may have luck tracing ransomware gangs through their communication channels and more – as he did with Adhubllka.
“In the future, this ransomware may be rebranded with other names; or other groups may use it to launch their own ransomware campaigns,” he said. “However, as long as the threat actor does not change their mode of communication, we will be able to trace all such cases back to the ADHUBLLKA family.”
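The pivot Krishnan describes, linking strains through the contact channel in their ransom notes, as an added example that is not from the Netenrich report: ransom notes are clustered into families when they share a contact email address, transitively, so a rebranded note that keeps the operator's address still lands in the original family. The note texts and addresses below are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample ransom notes; the addresses are placeholders, not real indicators.
NOTES = {
    "note_a.txt": "Your files are encrypted!\nTo recover contact: help-restore@example.invalid\nPrice: $800",
    "note_b.txt": "ALL YOUR DATA LOCKED.\nEmail us at HELP-RESTORE@example.invalid or backup.mail@example.invalid",
    "note_c.txt": "Files encrypted by ZZZ. Write to other-crew@example.invalid",
    "note_d.txt": "Contact: backup.mail@example.invalid\nID: 12345",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_contacts(text):
    """Return the set of contact emails in a note, lower-cased so case variants match."""
    return {m.lower() for m in EMAIL_RE.findall(text)}


def cluster_by_contact(notes):
    """Group notes into families: two notes belong together if they share any
    contact address, directly or through a chain of other notes (union-find)."""
    parent = {name: name for name in notes}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # contact address -> first note that used it
    for name, text in notes.items():
        for contact in extract_contacts(text):
            if contact in first_seen:
                union(first_seen[contact], name)
            else:
                first_seen[contact] = name

    families = defaultdict(list)
    for name in notes:
        families[find(name)].append(name)
    # Deterministic output: each family sorted, families sorted by first member.
    return sorted(sorted(members) for members in families.values())


if __name__ == "__main__":
    for family in cluster_by_contact(NOTES):
        print(family)
```

note_a and note_d never share an address directly, yet both end up in one family through note_b, which is the kind of chain that tied the Adhubllka descendants together.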
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.