We have reached the end of another quarter, and it is time again for us to have a look back at some of the key cyber events that happened during Q3 2021. The trend of ransomware being one of the most devastating threats to organizations has continued over the past three months. In this quarter, we saw a large ransomware supply-chain attack that allegedly targeted one million organizations, many new data-leak sites created, and a new leader in the ransomware threat landscape. Despite ransomware activity being denounced and banned from multiple cybercriminal forums in Q2 2021, a new forum was created this quarter that aimed to be the “hub” for ransomware discussions.
In this blog, we will cover the significant events that happened in the ransomware threat landscape over 01 Jul – 30 Sep 2021 and analyze the trends affecting the ransomware space during the quarter.
Q3 2021 Ransomware Key Events
In Q2 2021, we saw a large ransomware attack on the US energy operator Colonial Pipeline by the DarkSide gang, increased activity by US law enforcement resulting in the retrieval of ransom some payments, such as a partial payment DarkSide received from Colonial Pipeline, and a ban of discussions related to ransomware from most cybercriminal forums. In Q3 2021, we had many new stories unravel.
REvil’s supply-chain attack on Kaseya
On 02 Jul 2021, multiple MSPs running Kaseya VSA fell victim to a ransomware attack. REvil (aka Sodinokibi) claimed responsibility for the attack on its data-leak site “Happy Blog” and said that it had infected more than 1 million users via the supply-chain attack. The ransomware group also offered the universal decryptor for BTC 70 million. On 22 July 2021, Kaseya confirmed that it had obtained a universal decryptor, but did not disclose how this decryptor was obtained. REvil members later took it to cybercriminal forums to reveal that the decryptor was accidentally exposed due to a misclick by one of its coders, which led to the universal key being given to victims who paid the ransom, instead of just the individual decryption key.
New Cooperative hit by BlackMatter
On 20 Sep 2021, the Iowa-based agriculture supply-chain company New Cooperative announced that it had fallen victim to a BlackMatter ransomware attack. The company stated that the attack resulted in locked computers, which are used to manage supply chains and animal feeding schedules. New Cooperative officials claimed that 40 percent of United States’ grain production depended on the software that was encrypted, and the ransomware attack could break the supply chain very quickly. BlackMatter attempted to put pressure on New Cooperative by warning that the attack would be “bigger than DarkSide’s attack on Colonial Pipeline”. New Cooperative reportedly did not pay the ransom and called the cyber incident a “terrorist attack”.
New Ransomware Forum
A new ransomware-focused forum, RAMP, was opened in mid-2021. This new Russian-language forum was hosted on the same URL as the Babuk ransomware data-leak site, despite administrators denying claims that the forum is related to Babuk. RAMP aimed at becoming a ransomware-focused forum where groups could recruit new affiliates, promote ransomware-as-a-service (RaaS) offerings, and discuss anything ransomware-related. The platform was launched in response to a ransomware ban announced on cybercriminal forums in May 2021, which happened following the Colonial Pipeline attack by DarkSide. RAMP also launched its own data-leak site called “Groove”, which is the forum’s “blog” where it posts victims of ransomware attacks, and where the group makes announcements.
AN ANALYSIS OF Q3 RANSOMWARE VICTIMS
Ransomware remained one of the most popular attack methods targeting organizations across all sectors in Q3 2021. Double-extortion tactics (encrypting & exfiltrating) and data-leak sites typically caused the most public impact, but other ransomware variants remained successful without the need for data-leak sites, such as Ryuk. Digital Shadows constantly monitors ransomware data-leak sites on a daily basis and reports on victims across 35 data-leak sites, helping our customers identify exposures involving their third parties or suppliers.
Digital Shadows has reported on more than 3,000 victims that have been named to a data leak site (DLS) since the broader ransomware landscape adopted the tactic.
In Q3 2021, this included 571 different victims as being named to the various active data leak sites. This is a 13% decrease when compared to the same activity identified in Q2 2021. The decrease is likely due to a closure of multiple highly active data-leak sites, such as Avaddon, Happy Blog, DarkSide, and Prometheus. The following subsections are based on an analysis of victims named to a DLS in Q3 2021.
RANSOMWARE ACTIVITY BY GROUP
LockBit 2.0 Ransomware was the most active
LockBit 2.0 emerged in July 2021 and quickly took up the number one spot for the most active group in Q3 2021, beating Conti who was the most active group for the past two quarters (Q2 and Q1 2021). LockBit had a whopping 203 victims listed on its data-leak site, almost triple the amount of the rank two spot, Conti, who had 71 victims. LockBit 2.0 is an alleged continuation and improvement of “LockBit”, discovered in December 2019 that operates as ransomware-as-a-service (RaaS). A notable attack by the group in Q3 2021 was its attack on the professional services company Accenture. LockBit allegedly demanded USD 50 million from Accenture following a ransomware attack. However, while the timer on LockBit’s data-leak site reached zero—indicating when data will be published—no data was leaked.
Groups disappearing, returning, and rebranding
In Q3 2021, many high-profile ransomware groups disappeared, reappeared, and some rebranded. Often when ransomware groups disappear, it is difficult to know the underlying circumstances behind their disappearance. However, a recent trend is that many ransomware groups have vanished or temporarily disappeared after launching large cyber attacks, such as DarkSide (Colonial Pipeline) and REvil (Kaseya). It is likely that additional pressure by law enforcement agencies may have contributed to the disappearance of many of these ransomware groups. In Q3 2021, we saw the disappearance of the following ransomware groups REvil, Avaddon, Noname, and Prometheus.
REvil eventually made their return in early September and began posting new victims, later claiming that the group simply chose to take a “vacation”. The most notable return this quarter, however, was LockBit, with the release of their new data-leak site and ransomware variant.
There were also rebrandings that occurred this quarter. The SynAck ransomware group, which hosted a data-leak site called “File Leaks”, rebranded itself as “El_Cometa”. The DoppelPaymer ransomware was found to likely have rebranded as the “Grief” ransomware group, and it is believed that the Karma ransomware group is a rebrand of the Nemty ransomware gang.
RANSOMWARE ACTIVITY BY SECTOR
The Industrial Goods & Services sectors lead the list of organizations named to data leak sites in Q3
The industrial goods & services sector has been a consistently targeted sector throughout 2021, ranking in the number one spot in all quarters of the year so far. In second place, there was the technology sector, which was followed by construction & materials, legal services, and financial services sectors.
There were decreases in most sectors when comparing to Q2 2021. Despite industrial goods & services being most targeted, the sector saw a significant decrease in the number of attacks (42%), likely because ransomware operators targeted a more diverse range of sectors in Q3 2021. Attacks against healthcare organizations also had a notable decrease (31.8%). One exception was the technology sector, which saw a 29.8% increase in the number of attacks by ransomware groups.
RANSOMWARE ACTIVITY BY GEOGRAPHY
The United States has continued to be the most targeted sector for ransomware operations, which was followed by Canada. North America is a common target for ransomware activity, likely because threat actors have been successful in receiving large ransom payments from the region in previous campaigns.
Of all the victims of ransomware that were named to data leak sites in Q3 2021, 47% of those were organizations based in the US or Canada.
Every other geography showed a slight decrease or stayed relatively consistent since Q2 2021. After the US and Canada, Germany (24), the United Kingdom (23), and France (21) were top targeted geographies by ransomware groups.
RANSOMWARE PREDICTIONS FOR Q4
In this last section, we like to look into the future to identify what upcoming threats may look like in the ransomware threat landscape. The last quarter of 2021 is likely to continue many of the trends observed in Q3 2021, with North America being the most targeted region, and the industrial goods & services sector remaining the preferred sector for attacks.
One interesting point of discussion for the next quarter are the issues related to data-leak sites that we observed in over the past few months. Many ransomware groups have experienced difficulties managing data-leak sites and hosting data on the dark web for download. This has resulted in some ransomware groups exposing data using public file-sharing websites, such as Mega[.]nz or PrivatLab[.]com. As these services are hosted on the clear web, they can often be taken down, and most download links are removed within a day or two.
Another issue with data-leak sites relates to the inherently slow download speeds of the dark web. Regardless of how fast a user’s internet speed may be, the download speeds in the dark web are capped to significantly slower speeds (typically 10-200 KBPS), which depend on multiple factors related to Tor relays and circuits. Downloading a 5-10GB file on the dark web may take several days, depending on where it is being hosted. The slow download speeds combined with frequent failed downloads can make downloading large datasets from the dark web a very difficult task.
These difficulties were highlighted when the Clop ransomware group leaked data for the IT company Qualys in March 2021. The initial phase of the data leak had three files that were approximately 4GB. Many threat actors attempted to download this data, but ended up taking their frustrations to criminal forums after encountering difficulties with their downloads. The download speeds were so slow that some users claimed it took them nearly one week to download the first dataset, while other users reportedly gave up.
Data-leak sites also can leave ransomware gangs vulnerable to attacks. Most recently, on 17 Oct 2021, a representative of the REvil ransomware gang took it to a Russian-speaking criminal forum to reveal that their data-leak sites had been “hijacked”. The REvil member explained that an unknown individual accessed the hidden services of REvil’s website’s landing page and blog using the same key owned by the developers. The user believed that the ransomware gang’s servers had been compromised and the individual responsible for the compromise was “looking for” him. The representative stated that REvil planned to go offline while they handle the issue.
As Q4 comes near, it will be interesting to see if issues relating to managing data leak sites will discourage new ransomware groups to continue to pursue the path of data-leak sites, or what creative solutions they will create to work around these issues. The Ryuk ransomware group has proven itself to remain effective and a top player in the ransomware threat landscape without the need for a data-leak site. In fact, Ryuk has thrived by not needing a data leak site and data exfiltration. A recent report by Mandiant revealed that FIN12, the group responsible for Ryuk and Conti, has managed to conduct ransomware attacks in less than 3 days, when compared to over 12 days for attacks involving data exfiltration.
Nevertheless, data-leakage websites are here to stay, and we can expect that many more will be opened up over the next quarter. To see more information about Digital Shadows’ Q3 ransomware reporting, see our Ransomware Quarterly Threat Report.
You can get a comprehensive look at the data that we used to build this blog and our quarterly ransomware reporting with a free 7-day trial of SearchLight here. You can additionally get a customized demo of SearchLight to gain visibility of your organization’s threats and potential exposures, including access to a finished threat intelligence library with MITRE associations and mitigations from Photon Research.
For further info—our blog article Tracking Ransomware Within SearchLight shows you how SearchLight tracks emerging variants, enables you to export and block associated malicious indicators in various formats, instantly analyze popular targets, and map to your security controls with ease.