The dirty dozen: 12 worst ransomware groups active today

How it works: Attackers typically encrypt systems after exfiltrating sensitive data. Play keeps a fairly low profile on the dark web aside from its leak site, not advertising itself on dark web forums. “It has even claimed not to be a RaaS gang at all, saying it maintains a ‘closed group to guarantee the secrecy of deals,’ despite evidence to the contrary,” Searchlight Cyber’s Donovan explains.

Targeted victims: The group has targeted various sectors, including healthcare, telecommunications, finance, and government services.

Attribution: Play may have connections to North Korean state-aligned APT groups.

In October 2024, security researchers at Palo Alto Networks’ Unit 42 published evidence of a deployment of Play ransomware by a threat actor backed by North Korea, specifically APT45. “The link between this threat actor and Play is unclear, but demonstrates the potential for crossover between state-sponsored cyber activity and ostensibly independent cybercrime networks,” Donovan says.

Qilin

History: Qilin, also known as Agenda, is a Russia-based RaaS group that has been operating since May 2022.

How it works: The group targets Windows and Linux systems, including VMware ESXi servers, using ransomware variants written in Golang and Rust. Qilin follows a double extortion model — encrypting victims’ files and threatening to leak stolen data if the ransom is not paid.

Targeted victims: Qilin recruits affiliates on underground forums and prohibits attacks on organizations in Commonwealth of Independent States (CIS) countries bordering present-day Russia.

Attribution: The make-up of Qilin remains unknown, but a Russian-speaking organized cybercrime operation is strongly suspected.

RansomHub

History: RansomHub emerged in February 2024 and quickly became a major cyber threat. The group, initially known as Cyclops and later Knight, rebranded and expanded its operations by recruiting affiliates from other disrupted ransomware groups such as LockBit and ALPHV/BlackCat.

How it works: Once inside a network, RansomHub affiliates exfiltrate data and deploy encryption tools, often using legitimate administrative utilities to facilitate their malicious actions. RansomHub operates an “affiliate-friendly” RaaS model, initially offering a fixed 10% fee for those who carry out attacks using its ransomware and the option to collect ransom payments directly from victims before paying the core group. “These factors make it an attractive option for affiliates that are looking for a guaranteed return, where other RaaS operations have been unreliable in paying out in the past,” Searchlight Cyber’s Donovan says.

Targeted victims: RansomHub has been linked to more than 210 victims across various critical sectors, including healthcare, finance, government services, and critical infrastructure in Europe and North America, according to Rapid7.

Attribution: Attribution remains unconfirmed, but circumstantial evidence points toward an organized Russian-speaking cybercrime operation with ties to other established ransomware threat actors.
