Ransomware groups: here are the most dangerous and how they operate

Ransomware groups are becoming an increasingly lucrative industry for criminals who exploit companies’ vulnerabilities and take their data hostage for ransom. According to data from Check Point Research, economic damages for ransomware victims during 2022 ranged from 0.7 per cent to 5 per cent of their revenue, averaging just under 3 per cent. Numbers that may seem low, but when multiplied by the number of victims, about 10 per day in the United States alone last year, become significant.

With so much money to be made, so-called “ransomware groups” or “ransomware gangs” are becoming very large and specialized. These are now organized collectives, with experts also scattered locally at scattered points around the Planet, which makes identification even more complex and allows them to ‘work’ 24/7. In recent years, because of the pandemic, we have seen the formation of ransomware groups that are devastating in their attacks. Still, it is short-lived: they target targets with above-average critical mass before their members disband and join other gangs.

The landscape of ransomware threat actors is constantly evolving, so companies must keep up with potential ransomware threats. This article will examine some of the largest and most dangerous ransomware groups companies should be aware of, including some of their highest-profile targets.


The Clop ransomware group first appeared in February 2019 and is believed to operate in Russian-speaking countries. The attackers use a “double extortion” strategy, threatening to release users’ data into the Dark Web if they refuse to pay ransom for their encrypted files. Clop is known for its attacks against targets such as U.S. pharmaceutical company ExecuPharm, South Korean retail giant E-Land, and Singapore’s offshore maritime services company, Swire Pacific Offshore. Clop ransomware spreads via attack vectors such as phishing emails, infected Web sites, and Remote Desktop Protocol (RDP) exploits. Clop is known for spreading malware, such as SDBOT, through an organization’s network.


First detected in February 2020, the Conti ransomware group is believed to be an offshoot of Ryuk, a ransomware variant developed by the Russian cybercriminal gang Wizard Spider from St. Petersburg. Like the Clop ransomware group, Conti uses a “double extortion” strategy, threatening victims with the release of their confidential data if they fail to send a ransom. What makes Conti different from others is the speed with which files are encrypted. Conti is responsible for major ransomware attacks on both private companies and governments such as Ireland, the United States, and Costa Rica. Although much of the group’s critical infrastructure was shut down in June 2022, members of the group have likely joined other ransomware gangs, so the situation requires further monitoring.

The landscape of ransomware threat actors is constantly evolving


The ransomware group DarkSide was first observed in August 2020. DarkSide is a major provider of the “ransomware as a service” (RaaS) business model, in which gangs pay other groups for using their ransomware kits and software tools. They often make use of vulnerabilities CVE-2019-5544 and CVE-2020-3992. Although both have already been patched, the attackers focus on companies running outdated or unpatched software. DarkSide is best known for its May 2021 ransomware attack against Colonial Pipeline, which abruptly shut down the company’s operations and temporarily left many gas stations in the United States without fuel.


Also known as “Sodinokibi,” the Revil ransomware group first appeared in April 2019 and quickly became one of the most dangerous and infamous ransomware gangs. According to IBM, it was responsible for one in three ransomware attacks in 2020. Like many other ransomware groups, it is believed to be based in Russia or at least Russian-speaking members. In one egregious case, the team hacked Apple supplier Quanta Computer, stealing several designs for future Apple products. In January 2022, Russian authorities claimed to have arrested members of Revil and that the group had “ceased to exist.” However, new attacks appeared last April, casting doubt on this claim.


The LockBit ransomware group has undergone several iterations since its first appearance in 2019, from LockBit 1.0 to 2.0 to the current LockBit 3.0 version. Consulting firm NCC Group reported that LockBit 3.0 was responsible for 40 per cent of all ransomware attacks observed in August 2022, making it one of the “most dangerous ransomware threat actors.” LockBit can spread on its own under the control of pre-designed automated mechanisms. LockBit ransomware attacks tend to focus on private businesses in the United States, Europe, and Asia. The group is believed to be responsible for attacks on companies such as Accenture and Foxconn.

How they are composed

In April 2022, Yoroi, a cybersecurity consulting firm in the Tinexta Group, compiled a brief profile of the average composition of ransomware groups, which act almost like legitimate businesses. At the top are the group’s veterans, representing the board of directors. Then, the group of developers highly specialized in producing malware and supporting tools to carry out the attacks. Next are the experienced penetration testers and red teamers who carry out advanced intrusion operations inside the target organizations. Accountants and money launderers, and particularly in bitcoin management. The ‘recruiters’ who try to attract people into the loop. Negotiation experts are used to deal with victims. Marketing experts focused on positioning the brand within the community, including social.

Their targets

There is no single answer to the question “how do criminals choose their ransomware targets?” but recent research by Coveware attempts to give a more accurate picture. The study shows that victims’ profit margins and likelihood of paying the ransom play a key role in targeting. The latter point has become more important than ever because the number of victims who tend to pay ransoms is dropping significantly over time, thanks in part to preemptive models and the use of backup.

Coveware’s research found that the percentage of victims willing to pay a potential ransom dropped from 85 per cent in the first quarter of 2019 to 37 per cent in the fourth quarter of 2022. That’s why ransomware groups have begun to examine the types of organizations most likely to pay, demanding higher payments from industries with higher revenues. Thus, there is a move away from small law firms and financial services companies, the most used in the past, to focus more on healthcare organizations, hospitals, and public administrations.

Antonino Caffo has been involved in journalism, particularly technology, for fifteen years. He is interested in topics related to the world of IT security but also consumer electronics. Antonino writes for the most important Italian generalist and trade publications. You can see him, sometimes, on television explaining how technology works, which is not as trivial for everyone as it seems.