How “professional” ransomware variants boost cybercrime groups

Introduction

Cybercriminals who specialize in ransomware do not always create it themselves. They have many other ways to get their hands on ransomware samples: buying a sample on the dark web, affiliating with other groups or finding a (leaked) ransomware variant. This requires no extraordinary effort, as source code is often leaked or published. With a set of standard tools and a freshly built (and sometimes slightly altered) ransomware sample, victims can be sought, and the malicious activity can spread.

In the past months, we released several private reports detailing exactly this. You will find a few excerpts from these below. To learn more about our crimeware reporting service, contact us at crimewareintel@kaspersky.com.

SEXi

This past April, IxMetro was hit by an attack that used a still-new ransomware variant dubbed “SEXi”. As the name suggests, the group focuses primarily on ESXi applications. In each of the cases we investigated, the victims were running unsupported versions of ESXi, and there are various assumptions about the initial infection vector.

The group deploys one of two types of ransomware variants depending on the target platform: Windows or Linux. Both samples are based on leaked ransomware samples, namely Babuk for the Linux version and Lockbit for Windows. This is the first time we’ve seen a group use different leaked ransomware variants for their target platforms.

Another thing that sets this group apart is their contact method. Attackers will typically leave a note with an email address or leak site URL in it, but in this case, the note contained a user ID associated with the Session messaging app. The ID belonged to the attackers and was used across different ransomware attacks and victims. This signifies a lack of professionalism, as well as the fact that the attackers did not have a TOR leak site.

Key Group

While the SEXi group has employed leaked ransomware variants from two malware families, other groups have taken this approach to a whole different level. For example, Key Group, aka keygroup777, has used no fewer than eight different ransomware families throughout their relatively short history (since April 2022) – see the image below.

Use of leaked ransomware builders by Key Group

We were able to link different variants to Key Group by their ransom notes. In a little over two years that the group has been active, they have adjusted their TTPs slightly with each new ransomware variant. For example, the persistence mechanism was always via the registry, but the exact implementation differed by family. Most of the time, autorun was used, but we’ve also seen them using the startup folder.

For example, UX-Cryptor added itself to the registry as shown below.

While the Chaos ransomware variant copied itself to $user\$appdata\cmd.exe and launched a new process, the new process in turn created a new file in the startup folder: $user\$appdata\Microsoft\Windows\Start Menu\Programs\Startup\cmd.url. This contained the path to the ransomware file: URL=file:///$user\$appdata\cmd.exe.

Russian-speaking groups typically operate outside of Russia, but Key Group is an exception to this rule. Their operations are not very professional, as well as SEXi’s, and show a lack of comprehensive skills. For example, the main C2 channel is a GitHub repository, which makes them easier to track, and communication is maintained over Telegram rather than a dedicated server on the TOR network.

Mallox

Mallox is another relatively new ransomware variant that first came to light in 2021 and kicked off an affiliate program in 2022. The way the authors obtained the source code is unclear — they could have written it from scratch, used a published or a leaked one, or purchased it, as they claim. Since Mallox is a lesser-known and hence, also less-documented, ransomware variant compared to the likes of Lockbit and Conti, we decided to cover Mallox in this post.

Although starting as a private group conducting their own campaigns, Mallox launched an affiliate program shortly after inception. Interestingly, the group only wants to do business with Russian-speaking affiliates and not with English-speaking ones, they do not welcome novices as well. They are also very explicit about what types of organizations affiliates should infect: no less than $10 million in revenue and no hospitals or educational institutions.

Mallox uses affiliate IDs, making it possible to track affiliate activity over the course of time. In 2023, there were 16 active partners, which explains the spike in activity, most notably in the spring and autumn of 2023 as evidenced by the PE timestamp.

Number of discovered Mallox samples by PE timestamp (download)

In 2024, only eight of the original affiliates were still active, with no newcomers. Aside from this, Mallox has all the typical Big Game Hunting attributes that other groups also have, such as a leak site, a server hosted on TOR, and others.

Conclusion

Getting into the ransomware business has never been too difficult. Of-the-shelf solutions have been available, or else one could become an affiliate and outsource many tasks to others. Initially, with tools like Hidden Tear, the impact was relatively low: the tools were easy to detect and contained implementation errors, which helped decryption. They targeted regular consumers rather than large organizations. This has changed these days, as the impact can be much bigger with the advent of the Big Game Hunting era and the release of “professional” ransomware variants, which can affect entire companies, organizations, hospitals and so on. Such samples are more efficient in terms of speed, configurability, command line options, platform support and other features. That said, while getting your hands on a “professional” ransomware variant might be easy, the whole process of exploiting and exploring an organization can be quite time consuming, if not impractical, for newbies.

We also see that groups using leaked variants seldom look professional, with Key Group and SEXi among the examples of this. The reason why they are effective is either that they are able to set up a successful affiliate scheme (Key Group), or that they have found a niche where they can deploy their ransomware effectively (SEXi). In these two scenarios, the leaking or publication of ransomware variants can be considered a threat to organizations and individuals.

If you would like to stay up to date on the latest TTPs being used by criminals, or if you have questions about our private reports, contact us at crimewareintel@kaspersky.com.

Indicators of compromise

SEXi
4e39dcfb9913e475f04927e71f38733a
0a16620d09470573eeca244aa852bf70

Key Group
bc9b44d8e5eb1543a26c16c2d45f8ab7
acea7e35f8878aea046a7eb35d0b8330

Mallox
00dbdf13a6aa5b018c565f4d9dec3108
01d8365e026ac0c2b3b64be8da5798f2