Ransomware gangs are consistently rebranding or merging with other groups, as highlighted in our 2022 Year in Review, or these actors work for multiple ransomware-as-a-service (RaaS) outfits at a time, and new groups are always emerging.

This trend is already continuing this year. Since 2021, there have been multiple leaks of ransomware source code and builders — components that are essential to creating and modifying ransomware. This has had a significant effect on the threat landscape, giving unsophisticated actors the ability to easily generate their own ransomware with little effort or knowledge. As more actors enter this space, Cisco Talos is seeing an increasing number of ransomware variants emerge, leading to more frequent attacks and new challenges for cybersecurity professionals, particularly regarding actor attribution.

Code leaks are benefitting threat actors

Since September 2021, we have seen actors publicly disclosing source code and builders for prominent ransomware families, including Babuk, Conti, LockBit 3.0 and Chaos. In some cases, such as LockBit 3.0’s ransomware builder, these leaks have been intentional, with affiliates posting these tools and codes to protest against broader group policies they are unhappy with. In other instances, such as the Babuk source code, the leaks were seemingly an operational error. Regardless of the cause, these leaks are having a significant effect on the threat landscape, making it easier for novice or unskilled actors to develop their own ransomware variants without much effort or knowledge.

Ransomware source code is a malicious program that contains the instructions and algorithms that define the ransomware’s behavior. It is usually complex and often requires skilled technicians to create. Therefore, having access to such code allows threat actors with minimum programming knowledge to modify and compile their own ransomware variants.

Ransomware builders usually have a user interface that allows users to choose the underlying features and customize the configurations to build a new ransomware binary executable without exposing the source code or needing a compiler installed. The availability of such builders allows novice actors to generate their own customized ransomware variants. An example of a leaked Chaos ransomware builder V5 is shown in the picture below.

When ransomware source code or builders are leaked, it becomes easier for aspiring cybercriminals who lack the technical expertise to develop their own ransomware variants by making only minor modifications to the original code. Additionally, by using leaked source code, threat actors can confuse or mislead investigators, as security professionals may be more likely to misattribute the activity to the wrong actor.

New variants based on leaked code are becoming more common

We have continued seeing various malicious campaigns since the start of 2023, where the threat actors have used new ransomware variants based on leaked source code or builders. Early this year, Talos discovered a new ransomware family called MortalKombat generated by the leaked Xorist ransomware builder. Xorist ransomware, which operates under the RaaS model, has a builder called “Encoder Builder v.24” that is available on underground forums. Based on our research, we discovered an unknown threat actor using MortalKombat ransomware since December 2022 to target individuals and smaller companies. This campaign has a multi-stage attack chain that begins with a phishing email delivered to victims impersonating CoinPayments, a legitimate global cryptocurrency payment gateway.

In April, Talos discovered a new ransomware actor, RA Group, conducting double extortion attacks using their ransomware variant based on leaked Babuk source code. Babuk, a Russian ransomware group that emerged in 2021, has conducted a series of high-profile ransomware attacks across various industries, including government, healthcare, logistics, and professional services. Since an alleged member of the Babuk group leaked the full source code of its ransomware in September 2021, several new variants based on the leaked code have emerged, with many appearing in 2023, including ESXiArgs, Rorschach and RTM Locker, in addition to RA Group. RA Group, in its ongoing campaigns, has targeted the U.S., South Korea, Taiwan, the U.K. and India across several business verticals, including manufacturing, wealth management, insurance providers, pharmaceuticals and financial management consulting companies.

Most recently, Talos observed a surge in new ransomware strains emerging from the Yashma ransomware builder. Yashma ransomware builder, which first appeared in May 2022, is a rebranded version of the Chaos ransomware builder V5, which was leaked in April 2022. Since early 2023, we have seen several new Yashma strains emerge, including ANXZ, Sirattacker, and Shadow Men Team. Shadow Men Team — whose name we derived from a translation of their Hindi name in the ransom note — appears to be a new actor in the ransomware space. The actors appear to target victims in Kuwait, as the ransom note demands payment in Kuwaiti dinar before translating that sum to its U.S. dollar equivalent in Bitcoin.

Another new actor we discovered, seemingly of Vietnamese origin, uses a Yashma ransomware variant to target victims in Bulgaria, China, Vietnam and other countries. The campaign started in at least June 2023, and the ransom note appears to mimic certain aspects of the ransom note used in the global WannaCry attacks from 2017.

Actors repurposing leaked code are demanding low ransom payments

Cybercriminals leveraging leaked code and builders are seemingly more conservative in their ransom demands, a possible indication that they are lone wolf operators, proceeding cautiously as they test their new variants or are new players in this space. Actors behind many of these new ransomware variants, including Sirattacker, Chaos 2.0, Chaos 4.0, DCrypt, and Shadow Men Team, are demanding payments ranging from USD $3.50 to $4,390 in Bitcoin from victims. These ransom demands are significantly lower than those made by many well-known ransomware gangs like RYUK, Babuk, REvil, Conti, DarkSide, BlackMatter, BlackCat, and Yanluowang, which are typically in the millions of dollars. These more profitable groups usually operate under the RaaS model, meaning their affiliates are free to set their own (often high) ransom demands, and/or are structured so they pay their operators and developers, thereby driving up the amount of money they seek to take in during the course of their operations.

Below is a comparison of ransom demands made by actors using leaked code or builders and well-known ransomware gangs.

Opportunities for security researchers and defenders

While these changes in the threat landscape have largely benefitted threat actors, security researchers and defenders also have an advantage with access to the leaked code. It allows security researchers to analyze the source code and understand the attacker’s tactics, techniques and procedures (TTPs), which helps security professionals develop effective detection rules and enhance security products' capabilities in combating ransomware threats.

By analyzing the source code, researchers can identify similar patterns and techniques used by different threat actors, providing defenders with a way to proactively detect and block the new variants at the initial stage of an attack. Security researchers can also share the intelligence information derived from the leaked code with the broader security community, thereby contributing to strengthening the cybersecurity space. By understanding the TTPs of the leaked source codes, defenders will gain invaluable insights that are helpful in identifying and mitigating any existing security weakness in their environment and improving their security defense against these attack vectors.