Analysts at threat intelligence provider Digital Shadows observed 35 different data leak sites (DLS) from July to September 2021, on which ransomware groups threaten to publish stolen data. Since the beginning of the “Double Extortion” strategy, Digital Shadows has counted more than 3,000 victims. A total of 571 victims were recorded in Q3 2021 – 13% fewer than in the previous quarter.
Trend towards re-branding
The slight decrease can most likely be attributed to the shutdown of several very active data leak sites, including Avaddon, Happy Blog (REvil), DarkSide and Prometheus. The ransomware groups all follow the same pattern: after a successful attack, they first disappear from the scene, only to reappear later under a new name and with improved ransomware. In the third quarter, the SynAck group reappeared under the name El_Cometa. DoppelPaymer appears to be operating as Grief, while the actors behind Nemty are suspected to be behind the ransomware group Karma.
REvil followed a similar tactic. The ransomware group attacked the IT service provider Kaseya in July 2021, triggering a chain reaction across the IT networks of managed service providers and their customers. Several hundred companies worldwide and one million users were affected by the cyber attack. After the high-profile attack on Kaseya, REvil disappeared, before the group returned “from vacation” in early September. Finally, in late October, the extortion group was hacked in an FBI-led operation and went offline. It remains to be seen whether the group will regroup under a different name.
Pressure from within, pressure from outside
The re-branding strategy of ransomware groups is largely a response to decisive action by law enforcement agencies, which are under pressure from politics and business. As recently as June, US President Biden met with Russian President Putin to discuss the cybersecurity of critical infrastructure. Ransomware attacks are increasingly referred to as “terrorist acts” – for example the attack on the agricultural service provider NEW Cooperative in September 2021.
At the same time, the high-profile attacks also drew much criticism from within the criminal community itself. Especially after the attack on the US Colonial Pipeline in May 2021, many forums announced that they would ban posts and services relating to ransomware from their marketplaces in the future. RAMP is an exception here. The Russian-language forum was launched in the summer of 2021 and explicitly advertises Ransomware-as-a-Service (RaaS) and other related services. Alongside the forum, RAMP also operates a data leak site called Grove, which lists victims of ransomware attacks and publishes announcements by the group.
Germany in third place after the USA and Canada
As in previous quarters, ransomware attacks in Q3 2021 were mainly concentrated in North America. Almost half (47%) of all companies that Digital Shadows identified on DLS listings are in the US or Canada. Historically, this is the region where companies have paid high ransom demands, which has spurred attackers on to new attacks. In other regions, the number of ransomware attacks has either decreased slightly or remained stable compared to the second quarter. Germany is in third place with 24 ransomware attacks, followed by Great Britain (23) and France (21). However, these figures only count ransomware victims listed on data leak sites; the number of unreported cases could be significantly higher.
Manufacturing and service sectors hardest hit
According to Digital Shadows, the manufacturing industry and the service sector are still among the sectors most frequently affected by ransomware, continuing the trend of previous quarters. In second place is the technology sector, followed by the construction, legal and financial sectors. Across industries, however, the number of attacks has decreased compared to Q2 2021. In both the manufacturing industry and the service sector, ransomware attacks fell by as much as 42%. The healthcare sector also saw 31.8% fewer attacks in the third quarter than in the previous quarter. One reason for this could be the spread of ransomware attacks to other industries. The only exception is the technology sector, where the number of ransomware attacks increased by 29.8%.
LockBit 2.0 among the top ten
The ten most active ransomware groups in Q3 2021 include LockBit 2.0, Conti, Hive, PYSA, BlackMatter, AvosLocker, Grief, Clop, Payload.bin, Everest, and Sodinokibi (REvil). The relatively new LockBit 2.0 group appeared for the first time in July 2021 and quickly took the top spot. A total of 203 ransomware victims were listed on the LockBit 2.0 DLS from July to September – almost three times as many as the previous leader, Conti (71 victims). The malware is the successor to and an improved version of LockBit, a ransomware-as-a-service (RaaS) that has been known since December 2019. The group was responsible for the attack on the consulting firm Accenture in August, at which time it demanded a ransom of $50 million. But although the payment deadline on the LockBit DLS has long expired, no sensitive company data has yet been published.