Ransomware Threat Report Q2-2021

Cyble Research Labs has been continuously monitoring and analyzing the ongoing and upcoming ransomware threats. This blog showcases the top ransomware variants, ransomware predictions, and actionable intelligence on identifying and effectively mitigating ransomware attacks.

Figure 1 shows an overview of ransomware activities from April to June 2021. In Q2-2021, we witnessed 625 ransomware victims across the world, and our research indicates that the Conti ransomware group is responsible for the highest number of attacks with 139 victims, followed by the Avaddon and REvil ransomware groups. We found that a total of 29 ransomware groups were active this quarter. 

Figure 1: Ransomware Activities Overview 

Marking a severe threat to national security, the Colonial Pipeline cyberattack was one of the most significant attacks seen this quarter. Being a highly sophisticated cyberattack, it forced the largest fuel pipeline in the U.S. to shut down. 

Due to the increased activities of Law enforcement agencies, a few ransomware groups were impacted. The Avaddon ransomware group was made nonoperational in June 2021 due to law enforcement activities against cybercrime groups and was forced to release decryption keys for all of its victims. In addition to Avaddon, in June 2021, the Ukrainian police also arrested multiple individuals suspected to be associated with the Clop ransomware group. 

Total Victims	625
Total Ransomware groups	29
Most Impacted Region	United States
Total Countries Impacted	62
Most Impacted Industry	Manufacturing

A total of 62 countries were impacted by ransomware attacks from April to June 2021 and these include:  

Australia, Argentina, Austria, Belgium, Bermuda, Brazil, Canada, Chile, China, Colombia, Costa Rica, Cyprus, Czech Republic, Dominican Republic, England, Europe, Fiji, France, France , Germany, Greece, Honduras, Hong Kong, India, Indonesia, Iran, Ireland, Israel, Istanbul, Italy, Jamaica, Japan, Jordan, Kuwait, Luxembourg, Mexico, Monaco, Netherlands, New Zealand, Norway, Philippines, Portugal, Romania, Saudi Arabia, Singapore, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan, Turkey, United Arab Emirates, United Kingdom, United States, Vietnam, and Zambia. 

Figure 2 shows the top 10 affected regions, with these countries alone contributing to 81.76% of the total victims.  

Figure 3 shows the top 10 industry verticals impacted by ransomware attacks. The manufacturing sector was the most affected, with 69% of the ransomware groups having targeted organizations in the manufacturing industry atleast once. The manufacturing industry still makes use of traditional systems and often operates round-the-clock, making it difficult for companies to rapidly update the security patches released for vulnerable systems. The majority of the companies in the manufacturing industry are dependent on Industrial Control Systems (ICS) that are easy targets of hackers. A cyberattack launched on a single company in the manufacturing industry can have a severe impact on other organizations that are linked to it through the supply chain.  

Figure 3: Industry-wise attacks 

Figure 4 shows the number of victims affected by each ransomware group, with Conti having the most victims followed by Avadon and REvil. 

Figure 4: Active Ransomware Groups for Q2 

Figure 5 shows the common Tactics, Techniques, and Procedures (TTPs) of the ransomware samples analyzed by researchers at Cyble. We have observed that the top 3 ransomware groups use phishing attacks for the initial access of the victim systems. The payload execution is achieved through scripts and commands and application shimming for persistence. Figure 5 showcases the distribution of TTPs across highly active ransomware groups.

Figure 5: Common TTPs 

The table below showcases the details of common MITRE TTPs of ransomware groups. 

We have observed 4 Tactics, Techniques, and Procedures are commonly used by active ransomware groups Revil, Conti, and Avaddon. 

Tactic	Technique ID	Technique Name
Initial Access	T1566	Phishing
Execution	T1059	Command and Scripting Interpreter
Persistence	T1546.011	Event Triggered Execution: Application Shimming
Impact	T1486	Data Encrypted for Impact

MAJOR RANSOMWARE ATTACKS

Colonial Pipeline Cyberattack: 

The Colonial pipeline is a 5,500-mile oil pipeline that carries 45% of the fuel used on the US East Coast. On May 7, 2021, it suffered a ransomware attack when the IT products operating it were infected. The operations of the pipeline were halted to contain the cyberattack. The DarkSide ransomware group was behind this attack and demanded 4.4 million USD or 75 bitcoins as ransom. The FBI tracked the bitcoin public ledger and was able to identify multiple transfers made to the attacker’s bitcoin address. The FBI seized the funds after getting DarkSide’s bitcoin address private key. 

As a result of the attack, the Federal Engine Carrier Safety Administration (FMCSA) declared a state of emergency in 18 states in the U.S. The Colonial Pipeline was nonoperational for 5 days, with many areas in the U.S. suffering a shortage of fuel. In response to this, on May 13, Joe Biden, the President of America, signed an executive order to improve federal cybersecurity. 

DarkSide stole over 100GB of data in the attack for double extortion. This ransomware group was discovered in August 2020 and operates on the Ransomware-as-a-service model. According to security researchers, the DarkSide ransomware group used phishing, Remote Desktop Protocol (RDP) abuse, and exploiting vulnerabilities for gaining initial access. Few researchers also claim that DarkSide was previously affiliated with the REvil ransomware group. 

JBS Foods: 

JBS, the world’s largest meat producer, was attacked by the REvil ransomware, and the threat actors initially demanded $22.5 million as ransom, which was later reduced to $11 million after negotiation. On May 31, JBS was forced to shut down some of its food production sites after the REvil ransomware operators breached their network and encrypted some of its North American and Australian IT systems. 

Brenntag:

In May 2021, Brenntag, a world-leading chemical distribution company headquartered in Germany, was attacked by the DarkSide ransomware, demanding $4.4 million as ransom in Bitcoin. Darkside threatened to release the stolen data if Brenntag failed to pay the ransom. The company operates in over 77 countries with 17,000 employees, and this attack on Brenntag was executed by Darkside right after the Colonial Pipeline attack. 

Quanta: 

In April 2021, Quanta Computer, the leading supplier of Apple’s MacBook, suffered a major ransomware attack by the REvil ransomware group. REvil demanded $50M as ransom and threatened to release the data if Quanta failed to follow their instructions and within a specified time. The leaked data consisted of blueprints of Apple products that were supposed to be launched in upcoming Apple events. 

Q2 TOP RANSOMWARE OBSERVATIONS 

The Conti ransomware group came into the limelight in early 2020. It is a successor of the Ryuk ransomware. In comparison with other ransomware groups, Conti is known to perform encryption at a much faster rate. The reason behind this is that it executes upto 32 threads simultaneously, consuming most of the computational power of the victim systems. For Q2 -2021, the Conti ransomware is seen to have the highest number of victims. 

Figure 6 shows the top 10 industries Victims of Conti in Q2 2021. The manufacturing industry was the top target of Conti ransomware, followed by the services industry. 

Conti:

Figure 6: Industry-wise attack distribution of Conti Ransomware 

Figure 7 shows the Conti ransomware heat map, depicting the top countries targeted by Conti. These are: 

1. United States 

2. France 

3. United Kingdom 

4. Canada 

5. Italy 

Figure 7 Heat Map of Conti 

Table 2 shows the MITRE ATT&CK mapping for the Conti ransomware group.  

Tactic’s	Technique ID	Technique Name
Execution	T1059, T1106	Command and Scripting Interpreter, Native API
Persistence	T1547.001	Boot or Logon  Autostart Execution: Registry, Run Keys / Startup Folder
Privilege Escalation	T1055	Process Injection
Defense Evasion	T1134, T1562.001	Access Token Manipulation, Impair Defenses: Disable or Modify Tools
Discovery	T1057, T1083, T1016, T1036	Process Discovery, File and Directory Discovery, System Network Configuration Discovery, Masquerading
Impact	T1486, T1490, T1489	Data Encrypted for Impact, Inhibit System Recovery, Service Stop

Table 2: Mitre ATT&CK mapping- Conti 

Figure 8 shows the leak site used by the Conti ransomware group. The site is hosted on the darkweb and contains victims‘ information, along with the percentage of data that is published on the leak website of Conti.  

Figure 8: Conti Ransomware Leak Site 

REvil:

REvil (Ransomware Evil), also known as Sodinokibi, was formed in 2019 and was previously operated by the GOLD SOUTHFIELD threat group. REvil operates as Ransomware-as-a-Service, i.e., it provides prebuilt ransomware tools to its affiliates for executing attacks. It is one of the most sophisticated Ransomware groups and is behind several significant attacks.  

Figure 9 shows the top 10 industries attacked by REvil in Q2 2021. The manufacturing industry was the top target of the REvil ransomware group, and one of its victims from this industry was Quanta Computer.  

Figure 9: Industry-wise attack distribution of REvil ransomware 

Figure 10 shows the REvil ransomware heat map. The top 5 countries attacked by REvil are:  

1. United States 

2. France 

3. United Kingdom 

4. Italy 

5. Canada 

Figure 10: Heat Map of REvil 

Table 3 consists of the MITRE ATT&CK mapping of the REvil ransomware group.  

Tactic	Technique ID	Technique Name
Initial access	T1078	Valid Accounts
Persistence	T1098, T1547	Account Manipulation, Boot or Logon Autostart Execution
Privileged Escalation	T1548, T1134	Abuse Elevation Control Mechanism, Access Token Manipulation
Defense Evasion	T1112, T1027, T1562.001	Modify Registry, Obfuscated Files or Information, Impair Defences: Disable or Modify Tools
Discovery	T1083, T1135	File and Directory Discovery, Network Share Discovery
Impact	T1486, T1490	Data Encrypted for Impact, Inhibit System Recovery

Table 3: MITRE ATT&CK mapping of REvil 

Figure 11 showcases the website of the REvil ransomware group as present in a ransom note. The ransomware leak site shows the details of the ways in which the victim organizations can pay the ransom amount.  

Figure 11: REvil ransomware group website 

Avaddon:

The Avaddon ransomware was discovered in February 2020. This group is operating as a Ransomware-as-a-Service. Avaddon came up with improved variants of its ransomware after its decryptor was made available for free in the wild by a student from Spain. This group is known to carry out double extortion using DDOS on its victims that are not able to pay the ransom demanded. In June 2021, this group became nonoperational and released the decryption keys for its 3000 victims.

Figure 12 shows the top 10 industries attacked by Avaddon for Q2 2021.

Figure 12: Industry-wise attack distribution of Avaddon 

Figure 13 shows the Avaddon ransomware heat map. The top 5 countries affected by Avaddon are: 

1. United States. 

2. Germany 

3. Australia 

4. France 

5. Italy 

Figure 13: Heat Map of Avaddon 

Table 4 shows the MITRE ATT&CK mapping for the Avaddon ransomware group. 

Tactic	Technique ID	Technique Name
Initial Access	T1566.001	Phishing: Spearphishing Attachment
Execution	T1059	Command and Scripting Interpreter
Persistence	T1546.011	Event Triggered Execution: Application Shimming
Privilege Escalation	T1546.011	Event Triggered Execution: Application Shimming
Impact	T1486	Data Encrypted for Impact

Table 4: MITRE ATT&CK matrix of Avaddon 

Figure 14 shows the leak site used by Avaddon rasnomware hosted on the darkweb.  

Figure 14: Leak Site used by Avaddon 

Future Predictions 

Ransomware gangs are advancing their techniques day by day. Earlier, ransomware groups were encrypting the victim’s files and asking for ransom in exchange of decryptors. This trend, however, has changed over time. Presently, TAs have been including an additional part in their existing chain, wherein they steal the data and carry out extortion activities if the victims fail to pay the ransom, in which case, they leak the data. We have also observed ransomware groups evolving with new enhancements like the use of 0-day or 1-day exploits and password spray attacks on well-known ports. We expect ransomware attacks to continue to grow in sophistication and number in the future.  

CONCLUSION AND RECOMMENDATIONS 

In four major attacks reported in Q2-2021, threat actors have cumulatively demanded for 80.4 million dollars. This is a reflection of the monetary losses suffered by organizations.  

Ransomware threats are continuously evolving and growing in number and sophistication. As more ransomware attacks make the headlines, it’s interesting to see how these kinds of attacks can be compared with data breaches. Most ransomware groups are working using the Ransomware-as-a-service model and steal data for extortion. If a victim fails to pay the ransom, the groups make the breached data available for free or put it up for sale.  

Ransomware attacks are fast becoming a topic of national security with rise in incidents like the colonial pipeline attack where one a critical infrastructure of was rendered nonoperational by a cyberattack. We have also observed that most victims do not receive the decryptor even after paying ransom, and in many cases, the decryptor may not work properly. In certain scenarios, the TAs may engage in double extortion by selling off the extracted data on the darkweb despite the payment of the ransom by the victim. 

We’ve listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below: 

Security recommendations: 

• Conduct regular backup practices and keep those backups offline or in a separate network.    
• Businesses should conduct routine password reset exercises, enforce multi-factor authentication, and conduct cybersecurity awareness programs within their employee base.
• Conduct regular & timely patching of vulnerabilities on your infrastructure.  
• Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.  
• Refrain from opening untrusted links and email attachments without verifying their authenticity.  
• Collect and use IoCs from various resource to monitor and block the malware infection. 

About Us

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.