Skip to main content

DIY Ransomware: novice cybercriminals bigger threat thanks to off-the-shelf code

August 1, 2024

Kaspersky’s Global Research and Analysis Team (GReAT) has published a report describing the recent ransomware attacks with the use of leaked code. This research sheds light on the tools and methods utilized by both organized ransomware groups and individual attackers.

With a vast array of tools and samples at their disposal, organized ransomware cybercriminal groups often have proprietary ransomware samples, while standalone criminals frequently rely on leaked DIY variants to launch their attacks. Latest research by Kaspersky reveals the recent ransomware attacks using the leaked source codes, which enables threat actors to seek out victims and propagate malicious activities swiftly – making new cybercriminals a menace. 

In April this year, the SEXi group launched a ransomware attack against IxMetro, utilizing a newly identified variant dubbed SEXi. This group targets ESXi applications, with all known victims running unsupported versions. SEXi group distinguishes itself by using different ransomware variants for different platforms – Babuk for Linux and Lockbit for Windows. Uniquely, they employ the Session communication app for contact, using a universal user ID across multiple attacks. This lack of professionalism and the absence of a TOR-based leak site further set them apart.

The Key Group, also known as keygroup777, has utilized eight different ransomware families since its inception in April 2022. Their techniques and persistence mechanisms have evolved with each new variant. The UX-Cryptor variant, for example, employed multiple registry entries for persistence, while the Chaos variant used a different approach involving the Startup folder. Despite their diverse methods, Key Group is noted for its unprofessional operations, including the use of a public GitHub repository for C2 communication and Telegram for interaction, making them easier to track.

Mallox, a lesser-known ransomware variant, first appeared in 2021 and began its affiliate program in 2022. Unlike SEXi and Key Group, Mallox’s authors claim to have purchased the source code. This group exclusively collaborates with Russian-speaking affiliates and targets organizations with revenues exceeding US$10 million, avoiding hospitals and educational institutions. Mallox’s affiliates, tracked through unique IDs, contributed to significant spikes in activity in 2023.

“The barrier to entry for launching ransomware attacks has plummeted. With off-the-shelf ransomware and affiliate programs, even novice cybercriminals can pose a significant threat,” comments Jornt van der Wiel, a senior cybersecurity researcher at Kaspersky’s GReAT.

While groups using leaked variants may not exhibit high levels of professionalism, their effectiveness lies in successful affiliate schemes or niche targeting, as demonstrated by Key Group and SEXi. The publication and leakage of ransomware variants thus pose substantial threats to both organizations and individuals.

Read more on Securelist.

To keep your data protected from ransomware, Kaspersky experts recommend:

  • Provide your staff with basic cybersecurity hygiene training. Conduct a simulated phishing attack to ensure that your employees know how to distinguish phishing emails.
  • Use protection solutions for mail servers with anti-phishing capabilities, to decrease the chance of infection through a phishing email. Kaspersky Security for Mail Server prevents your employees and business from being defrauded by socially engineered scams.
  • Use a protection solution for endpoints and mail servers with anti-phishing capabilities, such as Kaspersky Endpoint Security for Business, to decrease the chance of infection through a phishing email. 
  • If using Microsoft 365 cloud service, don’t forget to protect it too. Kaspersky Security for Microsoft Office 365 has a dedicated anti-spam and anti-phishing as well as protection for SharePoint, Teams and OneDrive apps for secure business communications.
  • Use lightweight and easy-manageable but still effective solutions such as Kaspersky Small Office Security. It helps prevent being locked out of your own computer due to phishing emails or malicious attachments.
  • Finding a dedicated solution for small and medium businesses with simple management and proven protection features; such as Kaspersky Endpoint Security Cloud. File Threat Protection, Mail Threat Protection, Network Threat Protection, and Web Threat Protection within the product include technologies that shield users from malware, phishing, and other types of threats.

DIY Ransomware: novice cybercriminals bigger threat thanks to off-the-shelf code

Kaspersky’s Global Research and Analysis Team (GReAT) has published a report describing the recent ransomware attacks with the use of leaked code. This research sheds light on the tools and methods utilized by both organized ransomware groups and individual attackers.
Kaspersky logo

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

Related Articles Press Releases