StorCentric’s Top 5 Ransomware Groups You Need To Know

Sep 15, 2021 | Blog, StorCentric

 In Q2 of 2022, there was a significant rise of ransomware attacks compared to Q1. When looking at ransomware activity in the last 12 months, attacks were up 13%. This ransomware rise is a bigger increase than the last five years combined according to Verizon’s Data Breach Investigations Report (DBIR). The rest of this year is projected to get worse as nation-state groups target critical infrastructure, methodologies change, and threat actors continue to exploit supply chain vulnerabilities.

When identifying the top ransomware families organizations need to defend against, StorCentric’s team took into consideration the following:

  • If the group has been a consistent threat for the past couple of years.
  • The impact of their ransomware attacks.

Learn what makes these five ransomware families so dangerous to better adapt your data protection plan in 2022.


Using Ransomware-as-a-Service (RaaS) model, REvil is deployed by affiliates who get a 70% cut of the ransom brought in while the ransomware covers of REvil get 30% of all gains.

It has since been discovered REvil had a backdoor letting leadership cheat affiliates of their 70% cut – leaving the REvil ransomware coders to keep 100% of the profits.

In March 2022 the group re-emerged with notable changes to the source codes string decryption logic, the configuration storage location, and the hard-coded public keys.

REvil originally infiltrated systems using Oracle WebLogic vulnerabilities. Since then, the threat actors have expanded delivery to exploit kits, malicious spam campaigns, brute forcing RDP servers, and taking advantage of backdoor software installers.

What makes them in the top 5:

REvil publicly recruits affiliates and hackers with the lure of one million dollars and has a proven track record of causing mass devastation in major cyberattacks like Acer and Kaseya

This particular ransomware is believed to have evolved from GandCrab, which is estimated by BitDefender to be responsible for 40% of all ransomware infections globally. This indicates just how devastating this ransomware family could become if this latest version is as effective as its predecessor.



Evolving from “ABCD” ransomware and earlier versions of LockBit, LockBit 2.0 uses the Ransomware-as-a-Service (RaaS) model. To gain initial access to a target, LockBit 2.0 recruits current employees of the targeted company with the promise of a large cut of the ransom if they become an insider threat. Once turned, the insider deploys the ransomware through an RDP connection or vulnerabilities in VPN server or other public server.

What makes them in the top 5:

Comparing the first half of 2022 to the last half of 2021, LockBit 2.0 has decreased its dwell time by an average 37-day difference. The group has announced a new variant of LockBit, LockBit 3.0 or “LockBit Black” unveiled this year, coinciding with the launch of the new leak site and bug bounty program.

LockBit 3.0 boasts a better management interface for affiliates and a faster encryption phase. The new additions to LockBit demonstrate just how quickly ransomware changes to remain major threats to organizations everywhere.



This ransomware is designed to be controlled by an adversary using command line options rather than automatic deployment. It targets network-based organizations and at this time no specific infection vector is known.

What makes them in the top 5:

This ransomware accelerates data encryption and can linger in your systems for weeks without notice. Conti takes advantage of Windows Restart Manager to disable security, backup, database, and email solution services to prep for encryption. This family of ransomware can encrypt hard drives, network shares, and even specific IP addresses.

This ransomware group was created by a Russian-based cybercriminal group Wizard Spider and is responsible for critical infrastructure attacks to Ukraine, Costa Rica’s government, and more.



SamSam ransomware is manually deployed and uses RSA-2048 encryption to create two keys, one public and another private. After encrypting the data, the ransomware group demands payment in exchange for the private key. The private key is the only way for an infected organization to fully decrypt the data.

What makes them in the top 5:

SamSam forever changed the ransomware landscape when the group started to offer prompt customer service to its victims in 2015. Other groups followed suit as SamSam became more successful.

This method, along with infecting an organization’s entire network, has made this group a top threat for years. In 2021 alone SamSam, along with Ryuk and Cerber, accounted for 62% of all the ransomware attacks and since its creation has brought in $6 million.



Ryuk is a banking trojan malware which deploys TrickBot malware to gain initial access to a device and disable any antivirus protections in place to infect as many endpoints as possible across the network. In 2021 a new strain of Ryuk was identified with worm-like capabilities, allowing it to self-propagate within the network. No matter where your data resides, your valuable data would be stolen and encrypted by Ryuk ransomware.

What makes them in the top 5:

Ryuk made up 3 out of the 10 largest ransom demands in 2020 for $5.3 million, $9.9 million, and $12.5 million. Ryuk ransomware targets larger organizations instead of deploying a ‘spray and pray’ technique other groups use. By targeting larger organizations and using advanced encryption algorithms on stolen data, Ryuk can demand higher ransom payments. In 2021, cybersecurity researchers estimated the criminal gang was worth over $150,000,000.


Ransomware is Targeting Organizations of All Sizes

In cybersecurity, you’ll often hear people say it is a matter of when, not if. No matter the organization’s size, you are at risk of being hit by a ransomware attack. Coveware cybersecurity researchers documented a “tactical shift” by various ransomware gangs in 2021 deliberately extorting mid-size companies of less than 1000 employees. Medium sized companies, as well as smaller organizations, are ideal targets because they are “small enough to keep attack operating costs and resulting media and Law Enforcement attention low.”

In 2021, Barracuda Networks discovered employees of small businesses, less than 100 employees, will experience 350% more social engineering attacks than larger enterprise employees. And with 82% of attacks in 2021 impacting organizations with less than 1,000 employees, it is clear ransomware is not solely affecting large enterprises.

So what is a small to medium sized business (SMB) or larger enterprise to do about ransomware?

Use a Dual Approach to Secure Data from Ransomware

When it comes to data security, organizations need to address how to stop ransomware from infiltrating their networks and what steps should be taken if it does become infected. Investing in solutions designed to prevent a widespread infection and protect you from complete data loss are a smart way to stretch a tight budget addressing both the needs of IT and cybersecurity.

A key feature to look for in any solution coming into direct contact with your data is immutable backups. Immutable Backup, also referred to as Write-Once-Read-Many (WORM) storage, is a retention policy for a specific version of a file impervious to changes from any user, including the administrator. Immutable backups are similar to traditional air-gapped backup copies because there is no way to delete that file. This means any backup set with a retention period on supporting cloud platforms cannot be altered by any user, even if ransomware or a malicious actor acquires the root credentials.

Another feature to look out for is anomaly detection which helps an organization detect ransomware as early as possible to remediate those resources and stop the threat early on. Anomaly detection detects all major ransomware variants using an algorithm that focuses on file metadata anomalies for behavior-based monitoring. The key to detecting always changing ransomware variants is combining signature detection in processes with file-based irregulates. To detect anomalies, solutions like StorCentric’s Retrospect Backup provides a per-policy option for filtering and threshold to decide whether or not certain file changes are an anomaly with option for notifications. Retrospect Backup’s ransomware protection is certified with Amazon S3, Microsoft Azure Blog Storage, Google Cloud Storage, Wasabi, Backblaze B2, and MinIO to also create immutable backups.When combined with features like immutable backups, anomaly detection, and other security layers, businesses will be equipped with the tools they need to remediate an attack and move on.

For enterprises looking to deploy an Unbreakable Backup solution, StorCentric’s Nexsan Unity with Assureon platform supports immutable snapshots with backup providers like Retrospect Backup, Commvault, or Veeam to secure data from tampering. Along with tamper-proof backups, the Assureon data storage solution is equipped with additional security features to ensure secure, long-term file retention for HIPAA, CJIS, GDPR, PCI-DSS, SOZ, SEC-17, and WORM corporate compliance regulations.

Assureon exceeds even the strictest regulatory requirements for data integrity, protection, privacy, security, longevity, and availability with full audit trails. To prevent unauthorized users from accessing your data, Nexsan’s, a StorCentric company, Assureon as part of an Unbreakable Backup solution encompasses secure digital fingerprints utilizing a combination of two cryptographic hashes for a unique file identifier to prevent unauthorized users from gaining access in the first place.

Ready to learn more about StorCentric’s Solutions Prioritizing Data Security?

Our experts are here to help you determine which StorCentric solution is the ideal fit for you. Whether you’re looking to optimize your current data storage infrastructure or looking to build a new data storage environment from the ground up, StorCentric offers a wide variety of options to fit your needs. Our solutions are trusted in a variety of industries like  education, healthcare, government, media and entertainment, financial, and a variety of other demanding sectors which rely upon us to provide secure, reliable, affordable, and flexible data storage solutions.

Hundreds of thousands of customers trust StorCentric with highly sensitive and valuable data. Learn what makes StorCentric the top choice for top businesses like NASA, Kaiser Permanente, and other leading brands by contacting us today at

About StorCentric

StorCentric provides world-class, award-winning, and data security focused data management solutions. The company has shipped over 1M storage solutions and has won over 100 awards for technology innovation and service excellence. StorCentric innovation is centered around customers and their specific data requirements, and delivers quality solutions with unprecedented flexibility, data protection, performance and expandability. For further information, please visit:

About Nexsan

Nexsan® is a global enterprise storage leader, enabling customers to securely store, protect and manage business data. Established in 1999, Nexsan has earned a strong reputation for delivering highly reliable and cost-effective storage while remaining agile to deliver purpose-built storage. Its unique and patented technology addresses evolving, complex enterprise requirements with a comprehensive portfolio of unified storage, block storage and secure data protection. Nexsan is transforming the storage industry by turning data into a business advantage with unmatched security and compliance standards. It is ideal for a variety of use cases including Government, Healthcare, Education, Life Sciences, Media & Entertainment, and Call Centers. Nexsan is part of the StorCentric family of brands. For further information, please visit:

About Retrospect

Protecting 100 Petabytes in over 500,000 homes and businesses in over 100 countries, Retrospect provides reliable backup and recovery tools for professionals and small- to- midsize businesses with Retrospect Backup and Retrospect Virtual, covering physical servers and endpoints, virtual environments, and business applications. With three decades of field- tested expertise, Retrospect meets the needs of organizations that require the highest level of recoverability. Retrospect is a proud member of the StorCentric family of brands. For further information, please visit: