Beware of These Ransomware Gangs

As the Middle East is on the radar of ransomware criminals, experts urge organisations to be wary of the identified cyber gangs

It was a typical day in October 2020 for the organisers of the Think 20 (T20) Summit. Preparations were smoothly underway when the attendees received an email invitation. When the unsuspecting victims opened it, the doorway to sensitive data was created for the hackers. Who could have imagined it to be a phishing email? A sophisticated attack led to a panic-stricken event. This was one of the many attacks that the Middle East has braved in the last few years.

In 2020, over 55 cyberattack incidents targeted the Middle East. Seventeen of them involved ransomware, and five Middle Eastern companies were named as victims on the data-leak extortion site of the Maze ransomware gang. After Maze ceased operations, four more companies were disclosed as victims of Egregor, a ransomware variant related to Maze. Experts attribute the success and profitability of these groups' extortion model mainly to the rapid digitisation in the region. Although many members of the Egregor group were recently arrested, this hardly changes the worsening threat environment. With new ransomware groups and tools appearing rapidly, Middle East organisations should be on high alert and stay informed about the active cyber gangs. Below is a list of the top cyber threat groups targeting the Middle East.


Bahamut

In December 2016, a Middle Eastern human rights group started receiving spear-phishing messages in Persian and English. In the same month, the same threat patterns were seen against an Iranian activist. The new group, Bahamut, was found to be conducting reconnaissance and counter-reconnaissance attempts, using breaking-news content about the diplomatic rift between Qatar and other Gulf states to draw attention. Its most distinctive trait is the use of fake news to trap targets: images embedded in the email lure victims into opening the mail and unleashing the threat. The group uses advanced evasion tactics and works through targets in a seemingly random sequence, making it unpredictable and difficult to pin down. Researchers believe that Bahamut is a hack-for-hire group and that it retains at least one zero-day developer with advanced skills.


LuckyMouse

In 2020, several attacks against government organisations in the Middle East were linked to a Chinese threat group, LuckyMouse, that used a toolkit named SysUpdate. The group has been using the tool since its discovery in 2018. Also known as APT27, Threat Group 3390, Iron Tiger and Emissary Panda, this sophisticated cyberespionage group steals information as well as security-related digital certificates, which it uses to avoid detection. Known to pose a worldwide threat, the group is reckoned by experts to be driven by a political agenda. According to Kaspersky, robust security products with malicious-behaviour detection can help identify such unknown threats.


DoppelPaymer

At the beginning of December 2020, the FBI warned organisations about DoppelPaymer, which had begun to attack critical industries, leaving victims struggling to carry out further operations. Experts believe the DoppelPaymer group is on the hunt in the Gulf States. It begins its infiltration of the network through malicious emails carrying spear-phishing links. The threat actors use a tool called Process Hacker to terminate processes and services belonging to security and database software. Like many other ransomware groups, DoppelPaymer's ransom demands range from $25,000 to $1.2 million.

Snake Ransomware

A ransom note titled “Fix-Your-Files.Txt” containing the ransom demand is dropped to the victim’s email. Snake Ransomware is written in the Go programming language (Golang) and employs a level of obfuscation that confuses anti-malware solutions and that few threat actor groups can pull off. Research by SentinelLabs reveals that it is impossible to recover encrypted files without paying the ransom. Reports from MalwareHunters indicate that Snake Ransomware targets the system, removes Volume Shadow Copies, and then terminates processes related to SCADA systems, virtual machines, industrial control systems, remote management tools and network management software. According to Saudi Arabia’s National Cybersecurity Authority, the group is suspected of using a malware named Dustman, a wiper used to target industrial and energy companies in the Middle East. Research points out that Dustman is linked to ZeroCleare, which in turn is linked to Iranian threat groups. Putting two and two together, security experts believe that Iranian threat actors could be the masterminds behind Snake.
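The shadow-copy deletion and mass process termination described for Snake above, and the Process Hacker step in the DoppelPaymer entry, leave a recognisable trace in process-creation telemetry. The following Python is an added detection example written for this article, not code from any of the sources it cites; the log format, hostnames and the watch-list of process names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of process-creation events; assumed format ts|host|image|command_line.
# These lines are made up for illustration, not real telemetry.
SAMPLE_LOG = """\
2021-06-01T08:00:01|ws01|C:\\Windows\\notepad.exe|notepad.exe report.txt
2021-06-01T08:02:10|ws01|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2021-06-01T08:02:11|ws01|C:\\Windows\\System32\\taskkill.exe|taskkill /F /IM sqlservr.exe
2021-06-01T08:02:11|ws01|C:\\Windows\\System32\\taskkill.exe|taskkill /F /IM vmware-vmx.exe
2021-06-01T08:02:12|ws01|C:\\Windows\\System32\\taskkill.exe|taskkill /F /IM MsMpEng.exe
2021-06-01T08:03:00|ws02|C:\\Windows\\System32\\taskkill.exe|taskkill /F /IM notepad.exe
"""

# Commands that destroy Volume Shadow Copies (the recovery data Snake is reported to remove).
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
]
# taskkill /IM <image>: capture the process being terminated.
TASKKILL_IMAGE = re.compile(r"\btaskkill(\.exe)?\b.*?/im\s+(\S+)", re.I)
# Assumed watch-list of the process families the article says these crews kill
# before encrypting: databases, virtual machines, security and backup software.
SENSITIVE_PROCESSES = {"sqlservr.exe", "oracle.exe", "vmware-vmx.exe", "vmwp.exe",
                       "msmpeng.exe", "veeam.exe", "sqlwriter.exe"}

def parse_event(line):
    ts, host, image, cmdline = line.split("|", 3)
    return {"ts": ts, "host": host, "image": image, "cmdline": cmdline}

def detect(log_text, kill_threshold=3):
    """Return alerts: one per shadow-copy deletion command, plus one per host
    that terminates at least kill_threshold distinct sensitive processes."""
    alerts, kills = [], defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        if any(p.search(ev["cmdline"]) for p in SHADOW_DELETE):
            alerts.append({"rule": "shadow_copy_deletion", "host": ev["host"],
                           "cmdline": ev["cmdline"]})
        m = TASKKILL_IMAGE.search(ev["cmdline"])
        if m and m.group(2).lower() in SENSITIVE_PROCESSES:
            kills[ev["host"]].add(m.group(2).lower())
    for host, procs in kills.items():
        if len(procs) >= kill_threshold:
            alerts.append({"rule": "mass_service_kill", "host": host,
                           "processes": sorted(procs)})
    return alerts
```

Running `detect(SAMPLE_LOG)` on the constructed sample raises one shadow-copy alert and one mass-kill alert for ws01, while the single notepad kill on ws02 stays below the threshold.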


APT39

Although capable of targeting any organisation globally, APT39 has chosen the Middle East as its attack hub. Identified as an Iranian cyberespionage group, it targets personal information to support tracking, surveillance and monitoring operations. Experts reckon that its activities align with those of another group often referred to as Chafer; the only difference lies in the activity tracked to each. Prioritising the telecommunications sector, the group leverages spear phishing and hyperlinks that result in a POWBAT infection. It also uses the SEAWEED and CACHEMONEY backdoors to establish a foothold in the target environment, and sometimes sends its phishing from already compromised email accounts to increase its chances of success. During privilege escalation, the group has been observed using tools such as Mimikatz, Ncrack, ProcDump and Windows Credential Editor. Its attack mission ends with archiving the stolen data using compression tools.


Agrius

A new disk-wiping malware called Apostle, which can disguise itself as ransomware, is attacking Israeli targets. SentinelOne observed a new threat group, Agrius, using Apostle as a disk wiper, though the attempt was unsuccessful due to a flaw in its code. The group fell back to the Deadwood wiper, which had already been used against a target in Saudi Arabia in 2019. In time, Agrius deployed a full-fledged version of Apostle together with a backdoor called IPSec Helper. Apart from using ProtonVPN to hide its IP address, the group also uses web shells to move laterally inside a compromised network. Analysts believe the group has evolved from basic espionage to making ransom demands despite destroying the data. Moreover, as the group uses a custom toolset, researchers reckon it is not a financially motivated threat group.