Ransomware remains a major threat in the cybersecurity field, causing substantial harm to both individuals and organizations. Due to the challenges in recovering encrypted files and the risk of data exposure, it's crucial to monitor active ransomware families. This overview examines three notable ransomware threats currently on the rise.
BlueSky ransomware, first detected in the second quarter of 2022, continues to pose a major cybersecurity threat. It takes advantage of the Windows multithreading architecture to encrypt files quickly.
This ransomware encrypts files with the ChaCha20 symmetric stream cipher. It can also spread across a network, affecting multiple endpoints.
After encrypting files, BlueSky appends the .bluesky extension to the affected files and drops a ransom note that instructs victims to pay by visiting a page on Tor. Recent incidents have shown that BlueSky often gains initial access through weaknesses in Microsoft SQL Server deployments, including brute-force attacks on exposed instances. The ransomware also includes anti-analysis features, making it harder for researchers to investigate it and develop defenses.
LockBit ransomware has been a major cybersecurity threat since its debut in 2019. It operates as Ransomware-as-a-Service (RaaS), providing its software to affiliates who carry out the attacks. One notable incident involved the Royal Mail, where attackers demanded a record ransom of $80 million.
LockBit encrypts files with the Advanced Encryption Standard (AES) and then encrypts the AES key with RSA. Because the key needed to decrypt the files is itself unreadable without the attackers' RSA private key, victims cannot recover their data without the decryption key.
Before encrypting files, the malware also exfiltrates data from infected machines, adding extortion to encryption. The LockBit group maintains a leak site listing its victims to pressure companies into paying the ransom. If the ransom is not paid, the stolen data is publicly released.
The ransomware has evolved over time, with the latest version being LockBit v3, also known as LockBit Black. Although law enforcement agencies dismantled its infrastructure in early 2024, LockBit has resumed its operations. Recent campaigns distributed the malware through phishing emails sent via the Phorpiex botnet, with the malware hidden in attached archives.
Beast ransomware, developed using the Delphi programming language, first appeared in March 2022 under the name Monster ransomware. Unlike many other ransomware variants that target only Windows systems, Beast can also attack Linux machines.
The malware is designed to avoid infecting users in CIS countries, which suggests its creators might be based in that region. Beast ransomware uses advanced encryption techniques and includes additional features, such as archiving each encrypted file.
Primarily distributed through email attachments and phishing links, Beast relies on recipients opening the attachment or following the link. Although it is relatively new, Beast ransomware has the potential to become a significant and widespread threat, comparable to LockBit.