Top 5 scariest extortion groups of 2022
When it comes to protecting your organization from cybercriminals, there are plenty of threat groups to be concerned about. But a select few are frightening enough to send shivers down any analyst's back. How do you make sure you are protected from the worst of the worst?
This guide will help you make informed decisions about your cybersecurity hygiene by shedding light on the groups that rank among the scariest threat actors around. And just like overcoming any fear, the best way to protect your organization is to identify and understand the threats you face. Here are the top five scariest extortion groups of 2022.
Threat intelligence report
GOLD MYSTIC is a financially motivated crime group that operates the LockBit name-and-shame Ransomware-as-a-Service (RaaS) scheme. The group began operating in September 2019, but by January 2021 it had posted the details of only nine victims to its leak site. Following an apparent six-month gap in activity, during which no victim names were posted, GOLD MYSTIC relaunched its RaaS scheme as LockBit 2.0 in mid-July 2021. Since then, LockBit has steadily become the most prolific RaaS scheme, posting an average of around 70 victim names a month to the leak site. In June 2022, GOLD MYSTIC launched another variant of its ransomware called LockBit 3.0 (aka LockBit Black), and took the unusual step of launching a bug bounty program that allows third parties to report issues with the malware for remediation.
GOLD BLAZER is the financially motivated cybercriminal group responsible for coordinating use of the BlackCat (also known as ALPHV) ransomware. The group was first seen in late 2021, advertising its ransomware on underground criminal forums and looking for experienced ransomware operators to join its crew. Its name-and-shame site quickly started adding victims, rapidly making it one of the most active ransomware groups of 2022 based on the number of publicly listed victims. BlackCat is written in the Rust language and has versions that encrypt Windows and Linux systems.
GOLD MATADOR is a financially motivated cybercriminal threat group that currently operates as an affiliate of GOLD HAWTHORNE's Hive ransomware program. CTU researchers have observed GOLD MATADOR attempting to deploy Hive ransomware on victim environments since April 2022.
The group uses a variety of tools to meet its ultimate objectives of data exfiltration and network encryption, deploying ransomware through group policy objects (GPO) from domain controllers and scheduled tasks.
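The GPO and scheduled-task deployment pattern described above is one a defender can look for in domain telemetry. The following is an added example, not code from this page or from Secureworks: it parses a constructed set of Windows Security events normalised to JSON lines (the field names, the DOMAIN_CONTROLLERS inventory, the thresholds and the sample values are all assumptions of this example), flags a scheduled task registered by the same account on several hosts within a few minutes, and raises the severity when a Group Policy object on a domain controller was modified shortly beforehand.

```python
"""Added example: correlate a burst of scheduled-task creation across hosts
with a preceding Group Policy change on a domain controller.  The events
below are constructed for this example, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

# Constructed Windows Security events, normalised to JSON lines.  Field names
# are this example's own assumption, not a vendor schema.  Event ID 4698 is
# "a scheduled task was created"; 5136 is "a directory service object was
# modified" (as logged by a domain controller).
SAMPLE_EVENTS = r"""
{"ts": "2022-09-14T02:10:05Z", "host": "DC01", "event_id": 5136, "object_class": "groupPolicyContainer", "subject": "CORP\\svc_backup"}
{"ts": "2022-09-14T02:14:30Z", "host": "WS-101", "event_id": 4698, "task_name": "\\Microsoft\\Windows\\Update\\sync", "subject": "CORP\\svc_backup"}
{"ts": "2022-09-14T02:14:31Z", "host": "WS-102", "event_id": 4698, "task_name": "\\Microsoft\\Windows\\Update\\sync", "subject": "CORP\\svc_backup"}
{"ts": "2022-09-14T02:14:33Z", "host": "WS-103", "event_id": 4698, "task_name": "\\Microsoft\\Windows\\Update\\sync", "subject": "CORP\\svc_backup"}
{"ts": "2022-09-14T09:30:00Z", "host": "WS-200", "event_id": 4698, "task_name": "\\Adobe Acrobat Update Task", "subject": "CORP\\alice"}
"""

DOMAIN_CONTROLLERS = {"DC01"}  # assumption: the environment's DC inventory


def parse_events(text):
    """Parse JSON lines into dicts, converting 'ts' to an aware datetime."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_task_bursts(events, window=timedelta(minutes=10), min_hosts=3):
    """Group 4698 events by (subject, task_name) and report any group that
    lands on at least min_hosts distinct hosts inside one time window."""
    groups = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4698:
            groups[(ev["subject"], ev["task_name"])].append(ev)
    bursts = []
    for (subject, task), evs in groups.items():
        # sliding window over the time-sorted events of this group
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            hosts = {e["host"] for e in in_window}
            if len(hosts) >= min_hosts:
                bursts.append({"subject": subject, "task_name": task,
                               "start": first["ts"], "hosts": hosts})
                break  # one alert per (subject, task) is enough
    return bursts


def find_gpo_changes(events):
    """5136 events that touch a Group Policy object on a known domain controller."""
    return [ev for ev in events
            if ev["event_id"] == 5136
            and ev.get("object_class") == "groupPolicyContainer"
            and ev["host"] in DOMAIN_CONTROLLERS]


def correlate(events, lookback=timedelta(hours=1)):
    """Attach any GPO change from the preceding lookback window to each burst;
    a burst with such a change is rated high, otherwise medium."""
    gpo = find_gpo_changes(events)
    alerts = []
    for burst in find_task_bursts(events):
        related = [g for g in gpo
                   if timedelta(0) <= burst["start"] - g["ts"] <= lookback]
        burst["gpo_changes"] = related
        burst["severity"] = "high" if related else "medium"
        alerts.append(burst)
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_events(SAMPLE_EVENTS)):
        print(a["severity"], a["subject"], a["task_name"], sorted(a["hosts"]),
              "gpo_hosts=", [g["host"] for g in a["gpo_changes"]])
```

The single Acrobat task on one workstation never reaches the host threshold, so only the three-host burst is reported, and it is rated high because the GPO modification on DC01 falls inside the one-hour lookback. In a real deployment the thresholds should be tuned against the normal rate of software-deployment tasks, and the DC inventory should come from the directory rather than a hard-coded set.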
GOLD RAINFOREST (also known as Lapsus$ or Lapsus$ Group) is a financially motivated cybercriminal threat group, first reported on in December 2021, that has been responsible for a number of hack-and-leak intrusions against large corporations. GOLD RAINFOREST communicates through email and an open Telegram group that was created in December 2021, and at least some of the individuals appear to speak Portuguese as their native language. GOLD RAINFOREST has exfiltrated large volumes of data from its victims, primarily intellectual property, credentials, and personally identifiable information (PII), and leaked it via torrent and AWS sites.
GOLD TOMAHAWK, also known as Karakurt, Karakurt Lair or Karakurt Team, is a financially motivated cybercrime group that steals data and then demands payment from victims by threatening to publish it. The group relies exclusively on data theft to extort victims; GOLD TOMAHAWK does not deploy ransomware to encrypt files and systems. The group exploits vulnerabilities or weak credentials in SonicWall or FortiGate virtual private networks (VPNs) to gain initial access. GOLD TOMAHAWK does not deploy custom tools or malware in its intrusions. Once inside the network, it uses off-the-shelf tools and applications, often native to the victim system, to meet its objectives. The group uses the remote desktop protocol (RDP) for lateral movement and has been observed using AnyDesk for remote access, as well as the Cobalt Strike offensive security tool.
How to defend against them
Effective vulnerability management is critical to hardening your organization’s security posture against ransomware.
In addition to implementing endpoint detection and response solutions and requiring MFA, organizations should educate employees about how to recognize social engineering attempts and report suspicious activity.
Get early warnings about emerging ransomware campaigns by leveraging the original research by the Secureworks Counter Threat Unit™ (CTU) covering APTs, criminal groups, ransomware-as-a-service providers, and other threat actors.
Relying on a single-factor authentication mechanism (username and password) on external portals poses a security risk. Rolling out Multi-factor Authentication (MFA) provides an extra layer of security to help prevent account takeover.
Taegis™ Extended Detection and Response (XDR) can detect Cobalt Strike, giving you an advantage during the early stages of an attack.