Emerging Ransomware Groups

Palo Alto Networks’ Unit 42 threat intelligence team observed four emerging ransomware groups that are currently affecting organizations and show signs of having the potential to become more widespread in the future.

AvosLocker Ransomware

It is ransomware as a service (RaaS) that is utilizing a blue beetle logo to identify itself in communications with victims and “press releases” aimed at recruiting new affiliates.


Researchers observed AvosLocker was promoting its RaaS program and looking for affiliates on dark web discussion forums and other forums.

AvosLocker ransom notes
"AvosLocker offers technical support to help victims recover after they’ve been attacked with encryption software that the group claims is “fail-proof,” has low detection rates and is capable of handling large files”, says a research team from Palo Alto Networks.

The report says the ransomware impacted six organizations in the following countries: the US, the UK, the UAE, Belgium, Spain and Lebanon. Researchers observed initial ransom demands ranging from $50,000 to $75,000.

Hive Ransomware

Double-extortion ransomware is double-extortion ransomware. The ransomware uses all tools available in the extortion toolset to create pressure on the victim, including the date of initial compromise, countdown, the date the leak was disclosed on their site, and the option to share the disclosed leak on social media.

Hive Leaks

The research says the ransomware has impacted 28 organizations including a European airline company and three U.S.-based organizations.

HelloKitty Ransomware Group

This ransomware group is mainly targeting Windows systems. Researchers observed a Linux variant of HelloKitty targeting VMware’s ESXi hypervisor, which is used in cloud and on-premises data centers.

HelloKitty chats
“We also observed two clusters of activity. Across the observed samples, some threat actors preferred email communications, while others used TOR chats for communication with the victims”, Palo Alto Networks.

It has impacted five organizations in Italy, Australia, Germany, the Netherlands and the U.S. The highest ransom demand observed from this group was $10 million.

LockBit 2.0 Ransomware

It is a RaaS operator that has been linked to some high-profile attacks. It claims to offer the fastest encryption on the ransomware market.

Affiliation program description and leak site

LockBit 2.0 has impacted multiple industries – 52 victims. Its victims include organizations in the U.S., Mexico, Belgium, Argentina, Malaysia, Australia, Brazil, Switzerland, Germany, Italy, Austria, Romania, and the U.K.

Therefore, experts mention that Palo Alto Networks Next-Generation Firewall customers are protected from these threats with Threat Prevention and WildFire security subscriptions. Customers are also protected with Cortex XDR and can use AutoFocus for tracking related entities.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.