Top 5 Hacker Groups and their Attacks

One of the frightening cybersecurity risks for businesses today is undoubtedly ransomware. It doesn’t discriminate and leaves in its wake encrypted, unreadable files, threats of data leaks, and often millions of dollars in damages. Moreover, large-scale and sophisticated ransomware attacks are usually carried out, not by an individual but by highly organized and skilled hacker groups.

These “ransomware gangs,” as they have been called, often use compromised credentials for launching ransomware attacks. Let’s look at a few of these groups and the ransomware they use. Additionally, we will consider how compromised credentials play a part in successful ransomware attacks.

Famous hacker groups

1. DarkSide

One of the most damaging ransomware attacks in recent history was carried out on May 9, 2021, targeting Colonial Pipeline. Colonial is a major fuel supplier providing a large percentage of fuel to the Eastern Seaboard in the United States. The attack on Colonial helps to give visibility to the real-world fallout resulting from a large-scale ransomware attack on critical service industries.

The attack on Colonial effectively shut down almost 6,000 miles of pipeline which resulted in widespread shortages. On top of the fuel shortages and disrupted services, Colonial Pipeline paid a reported $4.4 million in ransom. After the attack unfolded, Colonial later in August reported a data breach, disclosing names, birth dates, contain information, social security numbers, and other personally identifiable information (PII) data.     

The ransomware gang that attacked Colonial is known as DarkSide. DarkSide is a relatively new ransomware gang on the scene. They have claimed responsibility for attacks since the third quarter of 2020. However, according to the eSentire threat report, DarkSide has claimed over 59 victims in the U.S., South America, the Middle East, and the U.K. across many industries since then. Additionally, some 37 ransomware attacks have been carried out in 2021.

DarkSide is a ransomware gang that operates as a Ransomware-as-a-Service (RaaS) operation that sells its services to affiliate malware gangs on the dark web. This model is becoming increasingly popular for ransomware gangs as it provides a secondary source of revenue on top of ransom payments. Interestingly, this model gives many other malicious groups and even individuals ransomware capabilities they may not have otherwise without the RaaS service.

The major ransomware attack on Colonial started with an old VPN password found on the dark web. It is reported that DarkSide or one of its affiliates used a stale VPN account password to break into the Colonial Pipeline network. The password was discovered inside a leaked password list, according to Bloomberg.          

2. REvil/Sodinokibi

The REvil (also known as Sodinokibi) ransomware gang is a relatively newer player in the Ransomware-as-a-Service market, victimizing some 161 organizations with 52 attacks so far in 2021. However, the threat actors have been around since around 2019 and allow customers to lease its REvil ransomware for ransomware targets.

Earlier in 2021, REvil targeted Acer Computer and Quanta Computer and demanded $50 million ransom payments from each. REvil operators can use various means to compromise a network initially. However, they are known to use compromised credentials for infiltrating internal networks. Sophos recently reported:

Sophos experts investigating a recent REvil attack found a direct link between an inbound phishing email and a multi-million-dollar ransom attack two months later. The phishing email, which succeeded in capturing an employee’s access credentials, probably came from an Initial Access Broker, who, a few weeks later, appears to have used PowerSploit and Bloodhound to move through the breached network to locate high value domain admin credentials. The broker later sold these credentials to the REvil adversaries so they could breach the target’s network.

These Initial Access Brokers on the dark web are becoming increasingly popular and are helping to accelerate the use of compromised credentials as an easy entry point for ransomware compromise.

3. Ryuk/Conti

The Ryuk/Conti ransomware gang first appeared in 2018, targeting U.S. institutions, including technology companies, healthcare providers, educational institutions, and financial services. They have accumulated an impressive list of victims, including 352 victims located in North America, the U.K., and France. The total of new victims since the beginning of 2021 is numbered around 63.   

Ryuk/Conti ransomware gang victims have included the high-profile spree on small U.S. communities. These include Jackson County, Georgia, which paid a $400,000 ransom; Riviera Beach, Florida, which paid $594,000; and LaPorte County, Indiana, which paid $130,000.

Ryuk ransomware has been seen particularly in attacks against U.S. hospitals and health systems. As a result, in conjunction with Homeland Security and Health and Human Services, the FBI issued guidance to healthcare organizations.

At the end of September 2021, three top federal cybersecurity agencies published a warning about the continued threat from Ryuk/Conti ransomware. The official warning, Alert (AA21-265A), initial attack techniques are documented to include:

  • Valid accounts – Conti actors have been observed gaining unauthorized access to victim networks through stolen Remote Desktop Protocol (RDP) credentials.
  • Phishing, Spearphishing (attachment) – Conti ransomware can be delivered using TrickBot malware, which is known to use an email with an Excel sheet containing a malicious macro to deploy the malware.
  • Phishing, Spearphishing (link) – Conti ransomware can be delivered using TrickBot, which has been delivered via malicious links in phishing emails.

Stolen or compromised credentials are among the primary ways Ryuk ransomware gangs use to compromise business-critical environments and begin reconnaissance and ransomware operations.

4. Avaddon

The Avaddon ransomware and its operators have been around since around 2019. Like the other ransomware variants on the list, it is sold as Ransomware-as-a-Service (RaaS). A high-profile victim of an attack using the Avaddon ransomware is the French insurance company AXA. In this attack, threat actors stole customer IDs, contracts, reports, and other information. It is spread using phishing and SPAM campaigns that contain malicious Javascript files.

Avaddon is also known for its initial network infiltration using remote access login credentials used for Remote Desktop (RDP) connections and Virtual Private Network (VPN) connections.     

5. Clop

Clop ransomware first came onto the scene around February 2019 and has been wildly successful. They are noted as the first ransomware operator to demand a $20 million ransom of their victim, Software AG in Germany. They had many victims coming from the Acellion breach. It is unknown whether they are responsible for the attack initially or are simply beneficiaries of the attack by one of their associates. Clop has many high-profile victims to its name, including:

  • Royal Shell
  • Qualys security company
  • U.S. bank Flagstar
  • University of Colorado
  • Canadian jet manufacturer Bombardier
  • Stanford University

Clop is known for the unique activity of searching through victims’ stolen data and emailing the contacts, urging them to make the victim pay the ransom. They also are known for releasing stolen information to the dark web. Clop has victimized around 35 companies since the beginning of 2021. Interestingly Ukrainian policy arrested several Clop gang members earlier this year. However, just days after the arrests, Clop claimed responsibility for two more victims.

Clop has shown the ability to install password-stealing trojans as part of the initial compromise of the network. Additionally, Clop has previously released sensitive files and network passwords to the dark web. Undoubtedly, they help fuel additional breaches and ransomware attacks that use stolen credentials leaked by Clop attacks.

Bolster password security to protect against ransomware

It is evident that ransomware often finds an entry point into the network using compromised credentials. All of the ransomware gangs we have listed have used compromised credentials in previous attacks to some degree. It helps to underscore the need for businesses to have strong password policies in place and use breached password protection.

Specops Password Policy is a robust password policy solution that helps overcome the limitations of native Active Directory Password Policy capabilities. With Specops Password Policy, organizations have access to the following features:

  • Length-based password aging
  • Password character group requirements
  • Custom disallowed password dictionaries
  • Regular expression password filtering
  • Passphrases
  • Prevent the use of more than 4 billion compromised passwords with Breached Password Protection which includes passwords found on known breached lists as well as passwords being used in attacks happening right now
  • Find compromised passwords in your Active Directory environment
  • Intuitive and informative client messaging
  • Block user names, display names, specific words, consecutive characters, incremental passwords, and password reuse
  • GPO-driven implementation, aligning with current group policies already configured

Ransomware gangs often use known compromised or breached passwords to carry out ransomware and other attacks on organizations. It was seen with the Colonial Pipeline attack and holds true in many other attacks. Specops Password Policy provides powerful protection against breached passwords.

With the Specops Breached Password Protection, organizations receive continuous protection from breached passwords. Specops protects against known breached passwords and newly discovered passwords using brute force or other password spraying attacks. In addition, Specops operates its own network of honeypots worldwide that capture breached password telemetry data. The data collected is used to bolster the Breached Password protection provided in Specops Password Policy.

As shown with the Express List option, IT admins can:

  • Prevent users from changing to a leaked password
  • Continuously check for leaked passwords and force users to change them
  • Notify users when they are forced to change a password
Specops Breached Password Protection

In addition to the Express List, the Specops Complete API solution provides additional capabilities.

Specops Breached Password Protection Complete API

Using Specops Breached Password protection in your environment helps to strengthen your organization’s cybersecurity posture against ransomware gangs and the increasing risk of ransomware. Learn more about Specops Password Policy and see how you can bolster Active Directory password protection in your environment.

brandon lee writer

Written by

Brandon Lee

Brandon Lee has been in the industry 20+ years, is a prolific blogger focusing on networking, virtualization, storage, security & cloud, and contributes to the community through various blog posts and technical documentation primarily at

Back to Blog