3 most prominent ransomware gangs CIOs and CISOs need to watch out for:Microsoft’s Cyber Signals report


The specialization and consolidation of the cybercrime economy has fueled the rise of a unique “business model” which enables a wider range of criminals to take part in it, regardless of their technical expertise. 

“Ransomware as a service” (RaaS) is one such arrangement. The RaaS economy allows cybercriminals to purchase access to ransomware payloads and data leakage as well as payment infrastructure. Ransomware “gangs” are in reality RaaS programs like Conti or REvil, used by many different actors who switch between RaaS programs and payloads.  

The following are the three most prominent ransomware threat actors that CIOs and CISOs must watch-out for to help safeguard their organizations, as highlighted in Microsoft’s latest Cyber Signals report. 


ELBRUS has been known to be in operation since 2012 and has run multiple campaigns targeting a broad set of industries for financial gain. ELBRUS has deployed point-of-sale (PoS) and ATM malware to collect payment card information from in-store checkout terminals. They have also targeted corporate personnel who have access to sensitive financial data, including individuals involved in SEC filings. ELBRUS has also created fake security companies called “Combi Security” and “Bastion Security” to facilitate the recruitment of employees to their operations under the pretense of working as penetration testers. However, despite law enforcement actions against suspected individual members, Microsoft has observed sustained campaigns from the ELBRUS group. 


DEV-0237 is a prolific RaaS affiliate that alternates between different payloads in their operations based on what is available. Beyond RaaS payloads, DEV-0237 uses the cybercriminal gig economy to also gain initial access to networks. DEV-0237’s proliferation and success rate come in part from their willingness to leverage the network intrusion work and malware implants of other groups versus performing their own initial compromise and malware development. Like all RaaS operators, DEV-0237 relies on compromised, highly privileged account credentials and security weaknesses once inside a network.  


Unlike more opportunistic attackers, LAPSUS$ targets specific companies with an intent. Their initial access techniques include exploiting unpatched vulnerabilities in internet-facing systems, searching public code repositories for credentials, and taking advantage of weak passwords. In addition, there is evidence that LAPSUS$ leverages credentials stolen by the Redline password stealer, a piece of malware available for purchase in the cybercriminal economy. The group also buys credentials from underground forums which were gathered by other password-stealing malware.


Please enter your comment!
Please enter your name here