Microsoft: We are tracking these 100 active ransomware gangs using 50 types of malware


More than one hundred different cyber criminal gangs are actively conducting ransomware attacks, deploying over 50 different ransomware families in campaigns which see them encrypt networks and demand a ransom payment for the decryption key. 

The analysis from Microsoft Security Intelligence notes that some of the most prominent ransomware attacks of recent times include LockBit, BlackCat, Vice Society, and Royal.

The attacks are also being helped along by ransomware groups offering ransomware-as-a-service (RaaS) schemes, enabling cyber criminals who don't develop their own ransomware to get in on the action.

Access to RaaS schemes is sold on underground forums, providing aspiring ransomware attackers with all the tools they need to conduct and manage attacks and extort ransom payments. In many cases, the author of the ransomware takes a cut of any ransom payments the attackers receive. 

Some of the most disruptive ransomware attacks have been carried out by attackers using affiliate schemes, with high-profile attacks involving the likes of Conti and LockBit ransomware being conducted by affiliates.

According to Microsoft, phishing attacks are the most common means of attackers gaining initial access to networks.  


Targeting usernames and passwords with phishing emails or brute force attacks provides cyber criminals with access to networks using legitimate credentials which are less likely to arouse suspicion – and it's become easier for cyber criminals to access networks in this way since the rise of hybrid and remote working. 

The attackers can move around the network, potentially even using the compromised account to conduct phishing attacks against other users, gaining the permissions and control required to compromise as much of the network with ransomware as possible, before eventually triggering the encryption process, locking files and servers and demanding a ransom payment. 

But while phishing is the most common method used by ransomware gangs to access networks, it isn't the only one. 

For example, Microsoft warns about the rise of malvertising as the initial stage of attacks, where cyber criminals buy online adverts – commonly to promote false software downloads – which, if downloaded and installed, infect the user with trojan malware that the attackers then use to distribute ransomware.

Cyber criminal affiliates using Royal ransomware have been seen using this technique to deliver the payload. 

Fake software updates have also become a common means of delivering ransomware. These false warnings, which claim your software needs to be updated, typically come from malvertising links or drive-by-downloads – downloads which happen in the background without the user knowing.


The aim of the false update alerts is to scare victims into downloading the malware – all while they believe they're doing the right thing to protect their system. 

Cyber criminals are also using the tried and tested method of abusing unpatched cybersecurity vulnerabilities to access networks. 

"Even as they evolve, ransomware attacks continue to rely on common security weaknesses that allow them to succeed," said Microsoft, which recommends that computers and networks should be updated with the latest security patches as a matter of urgency, in order to prevent cyber criminals from exploiting known vulnerabilities to access networks.

It's also important that security updates are only downloaded from official sources, to avoid the possibility of a fake software update infecting you with ransomware. 

Meanwhile, organizations can try to prevent phishing attacks by ensuring that accounts are secured with strong, preferably unique, passwords and with multi-factor authentication (MFA).

This additional layer of protection can help to stop attackers from accessing accounts, even if they've gained access to the correct username and password. 
