How it works: Attackers typically encrypt systems after exfiltrating sensitive data. Play keeps a relatively low profile on the dark web apart from its leak site, and does not advertise itself on dark web forums. “It has even claimed not to be a RaaS gang at all, saying it maintains a ‘closed group to guarantee the secrecy of deals,’ despite evidence to the contrary,” Searchlight Cyber’s Donovan explains.
Targeted victims: The group has targeted numerous sectors, including healthcare, telecommunications, finance, and government services.
Attribution: Play may have connections to North Korean state-aligned APT groups.
In October 2024, security researchers at Palo Alto Networks’ Unit 42 published evidence of a deployment of Play ransomware by a threat actor backed by North Korea, specifically APT45. “The link between this threat actor and Play is unclear, but demonstrates the potential for crossover between state-sponsored cyber activity and ostensibly independent cybercrime networks,” Donovan says.
Qilin
History: Qilin, also known as Agenda, is a Russia-based RaaS group that has been operating since May 2022.
How it works: The group targets Windows and Linux systems, including VMware ESXi servers, using ransomware variants written in Golang and Rust. Qilin follows a double extortion model — encrypting victims’ files and threatening to leak the stolen data if the ransom isn’t paid.
Targeted victims: Qilin recruits affiliates on underground forums and prohibits attacks on organizations in Commonwealth of Independent States (CIS) countries bordering present-day Russia.
Attribution: The make-up of Qilin remains unknown, but a Russian-speaking organized cybercrime operation is strongly suspected.
RansomHub
History: RansomHub emerged in February 2024 and quickly became a major cyber threat. The group, initially known as Cyclops and later Knight, rebranded and expanded its operations by recruiting affiliates from other disrupted ransomware groups such as LockBit and ALPHV/BlackCat.
How it works: Once inside a network, RansomHub affiliates exfiltrate data and deploy encryption tools, often using legitimate administrative utilities to facilitate their malicious activities. RansomHub operates an “affiliate-friendly” RaaS model, initially offering a fixed 10% fee for those who carry out attacks using its ransomware, along with the option to collect ransom payments directly from victims before paying the core group. “These factors make it an attractive option for affiliates that are looking for a guaranteed return, where other RaaS operations have been unreliable in paying out in the past,” Searchlight Cyber’s Donovan says.
Targeted victims: RansomHub has been linked to more than 210 victims across various critical sectors, including healthcare, finance, government services, and critical infrastructure in Europe and North America, according to Rapid7.
Attribution: Attribution remains unconfirmed, but circumstantial evidence points toward an organized Russian-speaking cybercrime operation with ties to other established ransomware threat actors.