LockBit, EvilProxy, HavanaCrypt, BlackCat... You probably don't know that the people behind these names are the main culprits behind today's most notorious cyberthreats.

These are the cybercriminal groups behind the main cyberattacks

Cyberattacks have become a constant in our daily lives. In recent times, we have seen how they affect hospitals, critical infrastructures, telephone operators, automotive companies, provincial councils, town councils, etc. Phishing campaigns, ransomware attacks, distributed denial of service (DDoS) attacks... Which groups are behind these cyberthreats? We find out with the help of Raquel Puebla, cyber intelligence analyst at Entelgy Innotec Security.

Sparta Group and Hobbit, the ones that most affect Spanish targets:

  • Sparta Group: ransomware subdivision of the KillNet hacktivist group that emerged in February 2022 in the wake of the Russian invasion of Ukraine. It has taken a pro-Russian stance and has targeted government organisations and infrastructure that have shown support for the Ukrainian side. A few months ago, KillNet declared cyberwar on several countries, including Spain. It was a major player, along with LockBit, in the ransomware operation that achieved the greatest impact within the Spanish sphere in 2022.
  • Hobbit: a family of banking malware under development targeting Android environments that has been known since the last months of 2022 and which targets the apps of several Spanish banks. This family acts under the malware as a service (MaaS) model through private Telegram channels, using different social engineering techniques as access vectors, including phishing, SMS spoofing and downloading fraudulent mobile apps.

LockBit, BlackCat, Hive, Hydra and Alien have the greatest impact:

  • LockBit: ransomware family developed by the Bitwise Spider group that, like the vast majority of its counterparts, is distributed as ransomware as a service (RaaS). It perpetrated 764 successful ransomware cyberattacks in 2022, making it the most active family throughout the year. The group that develops this malware is highly resilient in the face of adversity.
  • BlackCat: also known as ALPHV, a ransomware family that has been known since mid-November 2021 and was the second most active ransomware in 2022. It also employs ransomware as a service (RaaS) techniques and quadruple extortion tactics (compromise, threat of data exfiltration, DDoS campaign and a stage of harassment of customers, employees and business partners), and shows an affinity with Russia.
  • Hive: also known as HiveLeaks, a ransomware family considered one of the most active during 2022. It is characterised by the use of ransomware as a service (RaaS) and double extortion models. Its cyberattacks especially target logistics and transport infrastructure, food, education, health, energy and government. In recent months, its alleged dismantling was announced in a joint US-German police operation, so it is unknown whether it will be active again in the future.
  • Hydra: a family of banking malware targeting Android environments that has been known since early 2019 and has had a widespread impact on the banking sector internationally, especially from 2022 onwards. This malware uses seemingly legitimate apps hosted on Google Play as a lure and appears to be linked to cybercriminals specialising in dropper as a service (DaaS) models.
  • Alien: a family of banking malware targeting Android environments that has been known since the early 2020s and is an advanced variant of the well-known Cerberus banking Trojan. It appears to operate under the malware as a service (MaaS) business model, as it is being offered in various underground forums of this nature.