2021 has finally come to an end and it is time for us to look back at some of the key ransomware-related stories and events that happened during Q4 2021. While most security professionals took advantage of the holiday season to rest and spend time with their families, the ransomware business remained highly active and had one of its most prolific quarters. In this latest quarter, we may not have seen any large events such as Kaseya’s VSA supply-chain attack in Q3 2021, but there were interesting developments in the ransomware threat landscape, and many new faces joined the ever-growing ransomware business.

In this blog, we will look back and analyze trends affecting the ransomware threat landscape between 01 Oct – 31 Dec 2021, and also look forward at how that is likely to affect Q1 2022. 

Q3 2021 RANSOMWARE RECAP

Before we dive into the events of Q4 2021, let’s take a quick look back at key events of Q3 2021. The last quarter saw a high number of cyber-attacks, high-profile events, and shifts in the ransomware threat landscape. A notable event was the return of the “LockBit” ransomware group, with the new “LockBit 2.0” variant. LockBit leaked three times the number of victims as any other ransomware group in Q3 2021.

The most impactful ransomware incident in Q3 2021 was the Kaseya VSA supply-chain attack by REvil, which allegedly infected more than one million systems. Although the group had demanded USD 70 million for the universal decryptor, the decryption key was exposed for free due to an alleged mistake by one of its coders

At last, in Q3 2021 we saw the release of a new ransomware-focused forum called “RAMP”. This was a Russian-language forum that was created to be a safe haven for ransomware groups to promote their ransomware-as-a-service (RaaS) offerings or discuss any topics ransomware-related. 

Now let’s look at how these events have affected the last quarter of 2021.

KEY RANSOMWARE EVENTS Q4 2021

RAMP’s success 

RAMP was first introduced in Q3 2021 as a response to the ban on ransomware-related content in many high-profile cybercriminal forums like XSS, Exploit, and RaidForums. Since its creation, RAMP has had a difficult path to success. The forum suffered from frequent distributed denial of service (DDoS) attacks, admins had to move their servers multiple times, and the forum was eventually forced to change to a completely new URL. 

Despite its setbacks, RAMP has become successful in achieving what it set out to accomplish – establish a safe haven for ransomware affiliate programs and cybercriminals interested in ransomware. Representatives and operators of many large ransomware groups use the forum to advertise and update their affiliate programs. 

RAMP has gathered the attention of cybercriminals in the international community, and there is now a diverse set of users operating in multiple languages to include English, Russian, and Mandarin. Activity in the forum has been steadily increasing, and it is likely that it will continue to grow over the next quarter.

FIN12 found success in fast ransomware attacks

In October 2021, it was reported that the FIN12 group found success in launching single-extortion attacks. That is, FIN12 has been effectively launching ransomware attacks and skipping the popular “extortion” component, where data is stolen and then held for ransom. 

By skipping the hassle of exfiltrating data and uploading it to a data-leak site, FIN12 was able to minimize their time on targets significantly. According to Mandiant, the group was able to conduct attacks in less than three days, when compared to the average of over 12 days for incidents involving data theft. This significantly decreases the time incident responders have to detect and mitigate ransomware based intrusions.

The trend of cybercriminal groups using single-extortion attacks has remained popular in Q4 2021, with some groups also preferring exfiltration over encryption. Focusing on one factor can bring many benefits to groups, such as quicker attacks and less attention from law enforcement.

Ransomware groups jumped to exploit new vulnerabilities

At last, a big trend in Q4 2021 was the continued exploitation of new vulnerabilities by ransomware groups. Ransomware developers have become skilled at capitalizing on opportunities presented by new vulnerabilities and have shown flexibility in adapting their attacks to increase the likelihood of successful infection. 

Shortly after CVE-2021-44228 (aka “Log4Shell”) was disclosed, many reports of ransomware groups exploiting the vulnerability were made. Operators of the ransomware variants “Conti”, “Muhstik”, and “Khonsari” allegedly targeted the exploit shortly after its disclosure, and the Iranian threat actor PHOSPHORUS” (AKA APT35) was also found to use the exploit to deploy ransomware, according to Microsoft

The Atomsilo ransomware group was also reported to be exploiting a critical vulnerability in Atlassian’s Confluence collaboration software (CVE-2021-26084) in October 2021, and BlackByte was identified leveraging the ProxyShell Microsoft Exchange vulnerabilities for initial access in November 2021.

This is not a new trend, but it highlights the dangers associated with failing to patch or mitigate vulnerabilities in a timely manner. Considering the high threat that ransomware poses, the need for quick and effective patch management procedures has become ever more important.

ANALYSIS OF Q4 RANSOMWARE VICTIMS

In this latest quarter, ransomware was once again a leading threat to organizations across all sectors, and ransomware groups with data-leakage websites remained highly active. Digital Shadows (now ReliaQuest) monitors 56 ransomware data-leakage websites daily, although only 29 remain active at the time of writing. We also monitor data-leak sites who do not affiliate themselves with ransomware, such as Bonaci Group, CoomingProject, and Marketo, but these are excluded from the numbers reported in this blog. Digital Shadows (now ReliaQuest)’ monitoring helps our customers identify exposures involving their third parties or suppliers.

We have reported on close to 4,000 victims that have been named to a data leak site (DLS) since the broader ransomware landscape adopted the tactic in late 2019. 

In Q4 2021, a total of 781 victims were named to ransomware data-leakage websites. This was a significant increase (36.8%) compared to last quarter, when we saw 571 victims. There was a significant increase in the number of victims for many groups. For example, Conti posted 157 victims to its site, an 121% increase from the last quarter. Other increases included LV Blog (360%), PYSA (165.6%), AvosLocker (60%), and LockBit 2.0 (8.4%).

RANSOMWARE ACTIVITY BY GROUP

 Ransomware activity by group Q4 2021
 Ransomware activity by group Q4 2021

 

LockBit 2.0 remained the most active ransomware group in Q4 2021 accounting for 28.2% of all attacks recorded during the quarter. LockBit 2.0 first appeared in July 2021 and had almost triple the number of victims as any other group in Q3 2021. While LockBit increased the number of its victims in Q4 from 203 to 220, other groups made a strong effort for the top positions. Conti came in second, same as last quarter, but Conti more than doubled the number of its victims compared to Q3 2021. PYSA and Grief remained in the top 5, and AvosLocker broke into the top 5 for the first time since its release. 

A notable attack in Q4 2021 was Grief’s attack on the National Rifle Association (NRA), which occurred in late October 2021. Grief posted the NRA to its data-leakage website and leaked documents that contained NRA endorsements from US politicians, national grants awarded by the NRA, and corporate insurance information. To apply further pressures on the NRA, Grief created a series of Twitter bot accounts that were used to share and amplify the story.

NRA named on Grief data-leak site
NRA named on Grief data-leak site

 

The new and the retired

In Q4, we saw many groups shut down operations and new ransomware groups emerge. Groups that shut down their data-leakage websites in Q4 2021 included BlackMatter, REvil (following a brief return), DarkRypt, BlackByte Blog, Spook Blog, and Atomsilo. On the other side, there were many new groups who created data leakage websites and joined the double-extortion threat landscape in Q4 2021, and these included ROOK, Entropy, Alphv (BlackCat), Macaw, 54bb47h (Sabbath), Spook, and BlackByte. 

As we can see, both Spook and BlackByte created and shut down their data-leakage websites within the same quarter. This highlights the high volatility of the ransomware threat landscape. While the data leakage websites may be inactive for these groups, it is realistically possible that they may still remain active behind the scenes. 

Happy Blog, REvil’s data-leak site, became inactive again in Q4 2021 following a brief return in September. However, shortly before it was taken down, it appears that REvil’s dark web domain was compromised (see picture below). Happy Blog was changed to a login page that read (translated from Russian): 

“They are such masters, they rate themselves so highly”

[Boxes for entering username and password”

“We have skills and experience”

“Do you want to be with the most qualified or with the biggest losers?”

Happy Blog modified in November 2021
Happy Blog modified in November 2021

 

It is unknown who was responsible for the attack, or if the change was made by REvil members themselves. However, the website was shut down shortly after in November and has remained down since.

User on XSS criminal forum claims that REvil’s website was “pwned”
User on XSS criminal forum claims that REvil’s website was “pwned”

RANSOMWARE ACTIVITY BY SECTOR

The most targeted sector in Q4 2021 was the Industrial Goods & Services sector.

Ransomware by victim sector Q4 2021
Ransomware by victim sector Q4 2021

 

The industrial goods & services sector continued to be the most heavily targeted sector in Q4 2021, accounting for 18.7% of all attacks. The industrial goods & services sector was the number one most targeted sector in all quarters of 2021. The second place was the construction & materials sector (9.8% of incidents), followed by the Technology (6.7%), Legal Services (6.3%), and Retail (5.5%) sectors.

Q4 2021 saw many increases in the number of attacks for most sectors. The industrial & services sector was targeted 22.5% more than the last quarter, construction & materials increased by 24.5%, and retail targeting increased by 21.2%. However, the most impressive increases came to the real estate (150% increase) and travel & leisure (123.5%) sectors. One exception to these was the technology sector, which saw a decrease in targeting by 19.6% by ransomware groups. 

RANSOMWARE ACTIVITY BY GEOGRAPHY

Ransomware by victim geography Q4 2021
Ransomware by victim geography Q4 2021

 

The most targeted country continued to be the United States, which made up 46.2% of all victims. The number of victims in the country increased by 37.1% compared to Q3 2021. The United States is a popular target for ransomware operators likely due to the success that cybercriminals have had in receiving large ransom payments from U.S. companies. Additionally, many of these ransomware gangs operate in countries that the United States does not have extradition treaties with, such as Russia and China. Therefore, the threat of prosecution for cybercrimes against the United States may not be high for these threat actors. 

In second came the United Kingdom (78.3% increase from Q3 2021), closely followed by Germany (54.2% increase), France, Canada (19.2% increase), and Italy (76.5% increase). Most countries experienced a noticeable increase in targeting over Q4 2021.

Q1 2022 RANSOMWARE PREDICTIONS

In this last section we will look into threats that are likely to affect the ransomware threat landscape in the upcoming quarter. As we have seen, the ransomware business has continued to grow exponentially over the past few months, and the number of victims has been consistently increasing with every quarter. This is a trend that we expect to continue in 2022.

The collaboration between ransomware groups is likely to be a topic of concern for security teams over the next year. The RAMP ransomware-focused forum has provided a perfect platform for ransomware groups to share ideas, exploits, and communicate with each other. This collaboration was highlighted when a user on RAMP shared an exploit and proof-of-concept (PoC) for CVE-2021-44228 (Log4Shell) on 10 Dec 2021, a day after the vulnerability was disclosed. The user provided detailed instructions on how to leverage the vulnerability, and embedded images showing JavaScript code for the exploit. Many users replied to this post discussing what types of servers and services were still vulnerable to these exploits. 

User on RAMP advertises Log4Shell exploit
User on RAMP advertises Log4Shell exploit

 

RAMP also allows for ransomware groups to openly discuss new projects and find partners. The Alphv ransomware group, for example, used RAMP to announce their partner program on 09 Dec 2021. The group described their program to be “the next generation of ransomware” and claimed to have fixed gaps that other ransomware variants like LockBit, REvil , and Conti had not accounted for. 

Alphv is one of many ransomware groups that used RAMP to advertise their programs, other groups have included Conti and the “Sugar” ransomware group. 

Alphv being advertised on RAMP
Alphv being advertised on RAMP

 

Another threat to look forward to in the future is one that is not often talked about – insider threats. While these are not as common as other types of attack vectors, there have been reported instances of ransomware groups using insiders to gain access to companies. In late 2020, a man named Egor Igorevich Kriuchkov was indicted after attempting to bribe a Tesla employee into inserting malware (likely Ragnar Locker) into Teslas’ systems. 

In another example, in Q3 2021, LockBit 2.0 claimed that it used an insider to gain access to Accenture’s network and steal six terabytes of data. LockBit 2.0 also advertised an “insider program” on its site offering “millions of dollars” to insiders who provided them with access to RDP, VPN, corporate email addresses, or any other type of access.

LockBit 2.0 offers millions to insiders
LockBit 2.0 offers millions to insiders

 

Finally, in 2022 Ransomware is likely to continue getting more organized and business-like, and this is likely due to increased law enforcement operations against ransomware. These operations have had a lot of success in 2021, with arrests of suspected REvil affiliates, and the shutdown of the BlackMatter ransomware gang, which the operators claimed occurred due to “unsolvable circumstances associated with pressure from local authorities”. In 2022, we have already seen the arrest of more REvil operators in early January. Therefore, the margin for error has only become smaller, but that simply means that threat actors have become more professionalized. 

You can get a comprehensive look at the data that we used to build this blog and our quarterly ransomware reporting with a free demo request of SearchLight here. You can additionally get a customized demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) to gain visibility of your organization’s threats and potential exposures, including access to a finished threat intelligence library with MITRE associations and mitigations from Photon Research.

REvil’s Threat Intelligence profile in Searchlight
REvil’s Threat Intelligence profile in Searchlight

For further info—our previous blog article Tracking Ransomware Within SearchLight shows you how SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) tracks emerging variants, enables you to export and block associated malicious indicators in various formats, instantly analyze popular targets, and map to your security controls with ease.