Top 10 Most Notorious Hacker Groups in History

Bian Lian’s adaptability makes them unpredictable, as they constantly evolve tactics, tools, and targets. The criminal group has targeted organisations in the critical infrastructure sectors of the US and Australia. BianLian has been able to exploit security vulnerabilities and place encryptions on sensitive data within breached networks by using an open-source ransomware variant. They utilize multi-pronged extortion, combining data encryption with the threat of leaks, and have a global reach.  BianLian has been able access to victim systems through valid Remote Desktop Protocol (RDP) credentials and then extort money by threatening to release the stolen data if a payment is not made. 

Victims have been reported across sectors with a typical focus on media and entertainment, as well as examples in healthcare, manufacturing and education. Their technical proficiency, including leveraging legitimate tools for malicious purposes, and shifting from ransomware to data extortion, highlights their evolving tactics.

BlackByte operates under the RaaS (ransomware-as-a-service) model, they offer their custom ransomware. This model allows them to distribute the technical burden and profit from attacks without directly carrying them out themselves. They seem to primarily target manufacturing and energy sectors, suggesting potential insider knowledge or exploiting specific vulnerabilities within these industries.

In 2021, Trustwave publicly released a BlackByte decrypter. However, BlackByte developers quickly released newer versions that used multiple keys, even warning victims against using the decrypter. BlackByte leverages technical expertise, including exploiting legitimate software, and employs "double extortion" tactics to maximize pressure on victims.

Vice Society has gained notoriety for targeting schools and universities. They exploit vulnerabilities in these educational institutions, often using pre-existing ransomware like HelloKitty, before resorting to "double extortion" tactics. Unlike other groups, Vice Society doesn't operate a RaaS (Ransomware-as-a-Service) model. This means they generally carry out the attacks themselves, demonstrating a higher level of technical sophistication and coordination. Vice Society’s initial ransom demands have exceeded $1 million. 

The cyber gang gained significant press attention in early 2023 because of a series of high-profile attacks including the San Franciso rapid transit system. Vice Society's exploitation of vulnerable sectors highlights the critical need for increased cybersecurity funding in the education sector, especially for smaller schools and districts

Royal ransomware has gained notoriety for targeting critical infrastructure and employing multi-extortion" tactics. They focus on phishing campaigns with 66% of their initial access is done through phishing, and have shown a global reach despite US-centric targeting.

Royal is estimated to have attacked over 350 victims, demanding ransom payments exceeding $275 million collectively. They have also been observed reinfecting victims months after their initial malware has been cleared. 

Black Basta quickly gained notoriety for its rapid attacks, sophisticated ransomware, and "double extortion" tactics. Despite initial reports of targeting English-speaking countries, Black Basta has expanded its reach, attacking organizations worldwide. 

Their first major attack targeted the American Dental Association (ADA) leading to the shut down of multiple systems. Just four days after the data was allegedly stolen it appeared on the Black Basta leak site. Operating on a RaaS (Ransomware-as-a-Service) model, they target organizations globally with their custom C++ ransomware, leaving little time for victims to react. 

REvil operated as a Ransomware-as-a-Service (RaaS), providing their tools and infrastructure to other cybercriminals for a cut of the profits. This model allowed them to widespread their reach and impact, targeting high-profile organizations. REvil was known for its ruthless tactics and high ransom demands, often targeting critical infrastructure and causing significant disruption.

REvil employed the "double extortion" tactic, not only encrypting data but also stealing it and threatening to leak it publicly. In 2022, the Russian Federal Security Service stated that they had dismantled REvil and criminally charged several of its members.

Evil Corp, believed to operate from Russia, gained notoriety for developing and deploying the Dridex banking Trojan. This malware specifically targets financial institutions and individuals, maximizing potential ransom payouts and operational disruption. Through this method, Evil Corp has been responsible for stealing millions of dollars through fraudulent transactions and credential theft. 

Authorities in the US and UK authorities have alleged that Evil Corp operates with support from the Russian government, allowing them to function with a degree of impunity within Russian borders. Some analysts argue that Evil Corp's attacks align with Russian strategic interests, such as targeting Western critical infrastructure and institutions.

Also known as ALPHV and Noberu, BlackCat is known for its sophistication and effectiveness. They have demonstrated adaptability, constantly evolving their tactics, tools, and targets. This makes it particularly challenging to detect and defend against compared to other ransomware strains.

They employ a "triple extortion" tactic, not only encrypting data and threatening to leak it but also offering to launch Denial-of-Service (DoS) attacks against the victim. This overwhelms a website, server, or network with excessive traffic, making it unavailable, further amplifying pressure and potential damage. The hacker group is one of the most well-known ransomware gangs as it operates a public data leak site that further pressures victims to pay ransom demands. As of February 2024, the US government is offering up to $10 million in rewards for leads that could identify Blackcat gang leaders. The hacker group’s most recent cyber attack impacted thousands of pharmacies across the US after the gang claimed responsibility for a cyber attack on the health tech firm Change Healthcare.

CLOP, also known as CL0P, is a ransomware gang that has been prominent since 2019. It utilizes both traditional data encryption and "encryption-less" extortion, often targeting universities and employing advanced techniques to evade detection. Clop is most famous for its exploit of a critical vulnerability in Progress Software's MOVEit – a widely used managed file transfer (MFT) platform. The attack impacted over 2,700 organizations and 62 million individuals worldwide Based on the number of confirmed organizations affected, the cost of the MOVEit incident stands at around $9.9 million. However, considering not all victims have reported the number of individuals impacted, the potential cost could continue to rise to as much as $65 million. 

The US Cybersecurity and Infrastructure Security Agency (CISA) states that CLOP is a key driver of trends in malware distribution. It also typically avoids targets in former Soviet countries, with its malware unable to breach a computer that operates primarily in Russia.Their adaptability and willingness to shift strategies mean that institutions must implement robust cybersecurity measures to stay protected.

LockBit is largely considered to be the most notorious hacker gang known for using the Ransomware-as-a-Service (RaaS) model. It develops and distributes ransomware software that other threat actors can use to target and extort victims Since 2021, LockBit has employed a "double extortion" tactic, where they not only encrypt data but also exfiltrate it before threatening to leak it publicly if the ransom isn't paid. This increases pressure on victims to comply. In February 2024, a significant development occurred when international law enforcement agencies collaborated to seize control of LockBit's dark web infrastructure, disrupting their operations.

LockBit is responsible for numerous large-scale ransomware attacks against businesses, and organizations, with victims including the UK Ministry of Defence, Royal Mail and the NHS, and it has racked up victims in recent months with companies and organisations from around the world falling victim to its onslaught. The group has far outpaced other ransomware gangs since it emerged in late 2019, with researchers at Recorded Future attributing nearly 2,300 attacks to the group. For comparison, CLOP – the second most notorious gang – has only been several hundred attacks. LockBit’s website was recently taken down in “Operation Cronos” – a joint move by the UK’s National Crime Agency (NCA), the FBI, and Europol to disrupt its operations. It’s yet to be seen if LockBit will remain the most notorious hacker group as we head into 2024 because of this.