Group-IB, a global cybersecurity firm, has unveiled its second annual guide to the evolution of threat number one ‘Ransomware Uncovered 2021/2022’. The findings of the report’s second edition indicate that the ransomware empire kept its winning streak going with the average ransom demand growing by 45% to reach US$247,000 in 2021.

“Ransomware gangs have become way greedier since 2020. A record-breaking ransom of US$240 million (US$30 mln in 2020) was demanded by Hive from MediaMarkt. Hive and another 2021 newcomer to Big Game Hunting, Grief, quickly made their way to the top 10 gangs by the number of victims posted on ransomware dedicated leak sites (DLS),” it said in a statement.

Between 1Q21 and 1Q22, APAC became the third most frequently targeted region after North America and Europe based on the analysis of victim data posted on ransomware DLS. Data belonging to 335 companies from the Asia-Pacific region were uploaded to ransomware DLS in the review period.

The ‘Top 10 Countries’ in the Asia-Pacific by the number of victim companies posted on DLS are as follows: Australia (68), followed by India (48), Japan (32), China (30), Taiwan (22), Hong Kong (20), Thailand (19), Indonesia (17), Singapore (17), Malaysia (14).

In Singapore, Group-IB said the most active ransomware gang between 1Q21 and 1Q22 was Lockbit with 10 companies posted on DLS, followed by LV v.1 (2), Prometheus (2), Clop (1), Conti (1) and Midas (1). Industry-wise, most of the affected local companies posted on DLS were from the science and engineering sector (4), followed by F&B (2), and transportation (2).

Ransomware assembly line

The new report takes stock of the most up-to-date tactics, techniques, and procedures (TTPs) of ransomware threat actors observed across all geographic locations by the Group-IB Digital Forensics and Incident Response (DFIR) team. In addition to the analysis of more than 700 attacks investigated as part of Group-IB’s own incident response engagements and cyber threat intelligence activity in 2021, the report also examines ransomware DLS for the period between Q1 2021 – Q2 2022.

Human-operated ransomware attacks have led the global cyber threat landscape by solid margins over the last three years. The rise of initial access brokers, described in Group-IB’s Hi-Tech Crime Trends report, and the expansion of Ransomware-as-a-Service (RaaS) programs have become the two main driving forces behind the continuous growth of ransomware operations. RaaS made it possible for low-skilled cybercriminals to join the game and ultimately push the victim numbers up.

Based on the analysis of more than 700 attacks in 2021, Group-IB DFIR experts estimated that the ransom demand averaged US$247,000 in 2021, 45% more than in 2020. Ransomware attacks grew more sophisticated, which is clearly visible from the victim’s downtime: it increased from 18 days in 2020 to 22 days in 2021.

Bots are not what they seem

The exploitation of public-facing RDP servers has again become the most common way to gain an initial foothold in the target network in 2021 – 47% of all the attacks started with compromising an external remote service, said Group-IB.

Spear phishing emails carrying commodity malware have remained second in the ranking (26%). Commodity malware deployed at the initial access stage has become increasingly popular among ransomware actors.

However, in 2021 the attribution of ransomware attacks became increasingly complicated, since bots such as Emotet, Qakbot, and IcedID were being used by many different threat actors, unlike in 2020, when certain commodity malware families had a strong affiliation with specific ransomware gangs. For instance, the Group-IB DFIR team observed that IcedID was used to gain initial access by various ransomware affiliates, including Egregor, REvil, Conti, XingLocker, and RansomExx.

“Given multiple rebrands forced by the law enforcement actions as well as the merge of TTPs due to the constant migration of affiliates from one Ransomware-as-a-Service (RaaS) program to another, it is becoming increasingly challenging for security professionals to keep track of the ever-evolving tactics and tools of the ransomware threat actor,” said Oleg Skulkin, head of Group-IB DFIR team.

“To help corporate cybersecurity navigate through and prepare for ransomware incidents we outlined the main trends and TTPs changes and turned them into actionable insights mapped to and organised according to the MITRE ATT&CK matrix.”
