Select Page

Ransomware Gangs are as scary as day-to-day street gangs but are capable of causing even more harm, at a large scale (to businesses of up the hundreds or thousands of employees).

And the next four we’ll mention today, are still notorious in 2022… And may still be for next year. 

Want to find out who they are?



Clop (sometimes stylized as “Cl0p”) has been one of the most prolific ransomware gangs in the last three years. It has gained infamy for compromising high-profile organizations in various industries around the world using multi-level extortion techniques resulting in huge payouts estimated at US$500 million as of November 2021.

Clop evolved as a variant of the CryptoMix ransomware family. In February 2019, security researchers necessitated the use of Clop by the threat group known as TA505 when they launched a large-scale spear phishing email campaign.

Clop is an example of Ransomware as a Service (RaaS) operated by a Russian-speaking group. Furthermore, this ransomware used a digitally signed and verified binary, which made it look like a legitimate executable file that could evade security detection.

While other well-known RaaS operators claim to avoid the healthcare sector as a target out of humanitarian consideration, our detections reveal that this is not the case for Clop, as this sector received the highest number of detections with 959, followed by the financial industry with 150.

By breaking down detections by month, we can determine that 2021 saw the peak of Clop attacks in June of the same year with 784 attack attempts. March also saw a sharp increase in attempts to 663, which was significantly higher than detections in previous months.

Our detections suggest trades that Clop has remained strong as the numbers consistently hovered in the 300-400 range from July 2021 to January 2022.

In concerted efforts to dismantle ransomware cartels, a global coalition across five continents involving law enforcement and private partners led to the arrest in Ukraine of six suspected Clop members in June 2021.

While the arrests in Ukraine may have dealt a major blow to Clop’s operations, the group’s criminal activities have not abated: our attempted attack detections showed ongoing malicious activity from January 2021 to January 2022.

The reports mention that only parts of the ransomware operations, such as the server infrastructure used by affiliates to spread the malware and the channels used to launder illegally obtained cryptocurrency ransom payments, were seized and deleted, respectively.

As companies ponder ways to bolster their security defenses in the post-pandemic era, learning more about potential threats is essential to take a proactive approach to cybersecurity.



Jokeroo is the name of a Ransomware as a Service (RaaS) that appeared on underground hacking sites (one called in March 2019, where it masqueraded as a variant of GandCrab Ransomware.

It is a recent threatening member of the Ransomware family that is using Twitter and other social media for its spread.

Jokeroo Ransomware makes it easy to create custom versions of this Ransomware virus by offering its subscribers (cyber criminals), multiple membership packages.

With access to completely well-designed Ransomware and its payment server, numerous versions of this Ransomware with different names are now being created.

Jokeroo offered a stand-alone service to affiliates where they could purchase RaaS membership packages ranging from $90 to $600.

Depending on the membership package chosen, affiliates can customize Ransomware by choosing the extension, creating their own ransom note, and earning up to 85% – 100% of the ransom payments.

Once Jokeroo Ransomware has infected the system, it uses AES or Salas20 encryption algorithm to encrypt user and system files. Files are renamed with a custom extension (given by affiliates who purchased RaaS) and are therefore not available to victims.

The Ransomware can make further entries in the Windows Registry to start the crypto-virus automatically after every system reboot.


Circus Spider 

The data collected so far indicates that the Netwalker ransomware was created by a group of Russian-speaking hackers. The concept behind Netwalker is also that of Ransomware-as-a-Service (RaaS), as these provide others with the tools and infrastructure to hold files hostage in exchange for affiliate payment.

This type of ransomware attack belongs to a newer class of malware, namely the one that spreads via VBScripts. The downside of this technique is that, if successful, it reaches all machines connected to the exact Windows network as the original point of infection.

When Netwalker started to gain traction among affiliates around March 2020, its modus operandi was standard enough.

The partners distributed the malware via spam emails that enticed victims to click on phishing links and infect computers on their network. His focus on massive volume meant anyone was at risk of becoming a target.

Affiliates are offered up to an 84% payout cut if the previous week’s earnings exceed $300,000. If the winnings are below this sum, they can still easily win around 80% of the total value.

The rest of the 16-20% goes to the group behind Netwalker. Through this method, those involved made $25 million in just five months starting on March 1.

However, joining comes with its own set of rules. Affiliates are prohibited from going against organizations located in the region of Russia and the Commonwealth of Independent States.

In addition, it is stipulated that the collaborators must always return the files of the victims who paid the ransom. However, this is never a guarantee when it comes to ransomware hackers.



Zeppelin is the latest member of the VegaLocker ransomware family, which also contains strains like Jamper, Storm, or Buran.

Zeppelin is an example of a well-organized threat actor, as those behind Zeppelin have been incredibly strategic in carefully targeting these ransomware attacks.

First seen in November 2019, VegaLocker’s Zeppelin has primarily targeted large companies in Europe and the United States, as well as Russian-speaking accountants.

Zeppelin reaches its target networks primarily through phishing emails. These emails contain macro-enabled documents that will initiate the download and execution of the ransomware file on the victim’s machine.

Furthermore, other samples of Zeppelin were also distributed via malicious advertisements that are designed to trick its victims into clicking fake advertisements that will trigger downloading of the malicious file.

Lastly, Zeppelin, like other ransomware, uses the use of public remote desktop software via web interfaces to remotely control a victim’s machine and run the ransomware.

Zeppelin ransomware takes over a victim’s computer and network to encrypt all the files it can access. The attacker then demands a ransom to restore access to the data. However, even when the ransom is paid, there is no guarantee that the files will be decrypted.

With each generation, ransomware expands its reach and changes its signature, making it harder for antivirus tools to detect.

However, Zeppelin is picky in one respect. Before running, it checks the geolocation of the victim computer’s IP address and the computer’s language settings to avoid infecting computers in Russia, Belarus, Kazakhstan, or Ukraine.

This will close in 0 seconds