With a vast array of tools and samples at their disposal, organised ransomware cybercriminal groups often have proprietary ransomware samples, while standalone criminals frequently rely on leaked DIY variants to launch their attacks. The latest research by Kaspersky reveals that recent ransomware attacks built on leaked source code enable threat actors to seek out victims and propagate malicious activity swiftly, making newcomers to cybercrime a real menace.
SEXi
In April 2024, the SEXi group launched a ransomware attack against data centre and hosting provider IxMetro using a newly identified software variant. This group targets VMware ESXi, with all known victims running unsupported versions. The SEXi group distinguishes itself by using different ransomware variants for different platforms: Babuk for Linux and Lockbit for Windows. Uniquely, they use the Session messaging app for contact, with a single universal user ID reused across multiple attacks. This unprofessional approach and the absence of a TOR-based leak site further set them apart.
Key Group
Key Group, also known as keygroup777, has used eight different ransomware families since its inception in April 2022. Their techniques and persistence mechanisms have evolved with each new variant. The UX-Cryptor variant, for example, employed multiple registry entries for persistence while the Chaos variant used a different approach involving the startup folder. Despite their diverse methods, Key Group is noted for unprofessional operations, including the use of a public GitHub repository for C2 communication and Telegram for interaction, making them easier to track.
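The two persistence styles named above (autostart registry entries and a Startup-folder drop, MITRE ATT&CK T1547.001) are exactly what a defender would hunt for in endpoint telemetry. The following triage script is an added example, not code from Kaspersky or Securelist, and it does not reproduce any Key Group artefact: it runs over constructed Sysmon-style events (event ID 13 for a registry value set, event ID 11 for a file create) written in a simplified, constructed `key=value|key=value` line format, flags writes to Run/RunOnce keys and to the Startup folder, and then groups findings per process so that a single image writing several Run values (the "multiple registry entries" pattern) stands out.

```python
"""Triage constructed Sysmon-style events for the two persistence mechanisms
described in the text: registry Run-key entries and Startup-folder drops.
All sample events and the pipe-delimited line format are constructed for this
example; they are not real Key Group artefacts."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Autostart registry locations (matched case-insensitively, any hive). The key
# list is limited to the standard Run* keys for brevity.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)\\",
    re.IGNORECASE,
)
# Per-user and all-users Startup folders share this path suffix.
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

# Constructed sample telemetry: two Run-key writes by one dropped binary, one
# benign service-key write, one Startup-folder .lnk drop, one benign file write.
SAMPLE_EVENTS = [
    r"host=WS01|event=13|image=C:\Users\alice\AppData\Local\Temp\upd.exe|target=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
    r"host=WS01|event=13|image=C:\Users\alice\AppData\Local\Temp\upd.exe|target=HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater",
    r"host=WS01|event=13|image=C:\Windows\System32\svchost.exe|target=HKLM\SYSTEM\CurrentControlSet\Services\Foo\Start",
    r"host=WS02|event=11|image=C:\Users\bob\Downloads\doc.exe|target=C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doc.lnk",
    r"host=WS02|event=11|image=C:\Windows\explorer.exe|target=C:\Users\bob\Documents\notes.txt",
]


@dataclass(frozen=True)
class Finding:
    technique: str  # "registry_run_key" or "startup_folder"
    host: str
    image: str
    target: str


def parse_event(line: str) -> dict:
    """Split one constructed 'k=v|k=v' line into a dict; values keep backslashes."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(event: dict):
    """Return the persistence technique an event indicates, or None if benign."""
    event_id = event.get("event")
    target = event.get("target", "")
    if event_id == "13" and RUN_KEY_RE.search(target):
        return "registry_run_key"
    if event_id == "11" and STARTUP_DIR_RE.search(target):
        return "startup_folder"
    return None


def triage(lines) -> list:
    """Run every event through classify() and keep the ones that matched."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        technique = classify(event)
        if technique:
            findings.append(Finding(technique, event.get("host", ""),
                                    event.get("image", ""), event.get("target", "")))
    return findings


def summarize(findings) -> dict:
    """Group findings by (host, image): which mechanisms each process used and
    how many distinct Run values it wrote. Several Run entries from one image
    is the multi-entry persistence pattern worth escalating first."""
    per_image = defaultdict(lambda: {"techniques": set(), "run_values": set()})
    for f in findings:
        entry = per_image[(f.host, f.image)]
        entry["techniques"].add(f.technique)
        if f.technique == "registry_run_key":
            entry["run_values"].add(f.target)
    return {
        key: {"techniques": sorted(v["techniques"]), "run_entry_count": len(v["run_values"])}
        for key, v in per_image.items()
    }


if __name__ == "__main__":
    for (host, image), info in summarize(triage(SAMPLE_EVENTS)).items():
        print(f"{host}: {image} -> {info['techniques']} (run entries: {info['run_entry_count']})")
```

The grouping step is the useful part: a single Run-key write is noisy in a real estate (installers do it constantly), but one freshly dropped executable in a user-writable path registering itself in both HKLM and HKCU autostart keys, or pairing a Run entry with a Startup-folder shortcut, is the kind of layered persistence the text attributes to these DIY variants and is a much stronger escalation signal.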
Mallox
Mallox, a lesser-known ransomware variant, first appeared in 2021. Soon after its inception, the group began its affiliate programme. In 2023, there were 16 active partners. Unlike SEXi and Key Group, Mallox’s authors claim to have purchased the source code. They are also very explicit about what types of organisations affiliates should infect: no less than US$10 million in revenue and no hospitals or educational institutions. Mallox’s affiliates, tracked through unique IDs, contributed to significant activity spikes in 2023.
“The barrier to entry for launching ransomware attacks has plummeted. With off-the-shelf ransomware and affiliate programmes, even novice cybercriminals can pose a significant threat,” said Jornt van der Wiel, a senior cybersecurity researcher at Kaspersky’s GReAT.
While groups using leaked variants may not exhibit high levels of professionalism, their effectiveness lies in successful affiliate schemes or niche targeting, as demonstrated by Key Group and SEXi. The publication and leakage of ransomware variants thus pose a substantial threat to organisations and individuals alike.
Read more on Securelist.