With the closing of another quarter, it’s once again time to have a look back at the cyber threat landscape drawing out the key events that marked the previous three months. Q2 2021 proved to be one of the most pivotal periods in ransomware, with quite a few key events occurring. This quarter we saw the targeting of one of the largest oil pipelines in the US, saw new ransomware groups emerge, and others disappear. We saw prominent cybercriminal forums denounce ransomware and some law enforcement activity shaking up a few ransomware operations.

In this blog, we’ll roll up all the significant events that took place in the world of ransomware over 01 Apr – 30 Jun 2021 and analyze the key trends arising from our coverage of the ransomware space.

Q2 2021 ransomware key events

Q1 2021 was dominated by supply-chain attacks such as the Microsoft Exchange Server and the aftermath of SolarWinds, comparatively this most recent quarter has been one full of critical moments in defining the current and future ransomware threat landscape. Here is just a few in detail.

Colonial Pipeline and DarkSide

On 07 May 2021, a ransomware attack impacted the network of the US energy operator Colonial Pipeline disrupting operations and the wider oil supply chain. Colonial Pipeline was distributing almost half of the oil-related fuels on the American East Coast. This campaign represented a severe cyberattack against critical national infrastructure (CNI) in the United States. The attack was attributed to DarkSide, a ransomware group that emerged back in September 2020. DarkSide began gaining notoriety thanks to its highly targeted attacks and its semi-professional approach to cybercrime. 

US Law Enforcement Responds

As predicted, this attack caused a swift response from US law enforcement agencies resulting in DarkSide claiming that “its affiliate program is closed” on their dark web data leak site (DLS). We still don’t know whether this business shutting down is a result of law enforcement activity or DarkSide’s own decision to go underground for a while. However, we know for sure that law enforcement managed to seize $2.3 million dollars in cryptocurrency from the ransom paid by Colonial to DarkSide, suggesting attacks against critical infrastructure might cause unwanted attention and aren’t the best of targets.

Ransomware Bans on Cybercriminal Forums

Another significant byproduct of the Colonial Pipeline attack has been the cybercriminal forums’ decision to ban all things ransomware from their platforms. Less than one week after the news of the attack made headlines, cybercriminal forums like XSS and Exploit announced they would remove all ransomware discussions and hinder future ones. This decision likely comes from increasing media and law enforcement attention on the ransomware industry following the Colonial Pipeline cyberattack. 

These three intertwined events have significantly marked the ransomware threat landscape over the last quarter. Law enforcement has demonstrated that Bitcoin payments aren’t impossible to trace back and seize, causing ransomware groups like REvil to switch to Monero (XMR) for ransom payments. Additionally, the cybercriminal forums ban on all things ransomware has forced ransomware gangs to move most of their communications to private messaging channels.

An analysis of H1 Ransomware victims

The emergence of double-extortion tactics has provided a unique insight into ransomware activity. Ever since the Maze ransomware group introduced the data leak site concept, this trend has been adopted by a large portion of active ransomware groups. These pages are often hosted on the dark-web and are utilized by threat actors to name their victims publicly and release data stolen during a ransomware attack. Every day Digital Shadows (now ReliaQuest) identifies and reports on new victims named across 31 DLS to keep an eye on the ransomware market and help our customers identify exposures involving their third parties or suppliers.

Digital Shadows (now ReliaQuest) has reported nearly 2,600 victims that have been named to a data leak site (DLS) since the broader ransomware landscape adopted the tactic.

In Q2 2021 alone, this included 740 different victims as being named to the various active data leak sites. This is a 47% increase when compared to the same activity identified in Q1 2021. The following subsections are based on an analysis of victims named to a DLS in Q2 2021.

Ransomware activity by group

Ransomware activity by group 1H 2021

Conti Ransomware is the most active

The Conti ransomware group was the most active throughout the reporting period, with Avaddon, PYSA, and REvil following closely behind. This is the second consecutive quarter that we have seen Conti as the most active in terms of victims named to their DLS. Conti, believed to be related to the Ryuk ransomware, has consistently and ruthlessly targeted organizations in critical sectors, including emergency services. Notable attacks attributed to the group in Q2 included an attack against Ireland’s healthcare system (Health Service Executive) and the reported targeting of US healthcare and first responder networks, including law enforcement agencies and 911 dispatch centers as reported in a May 2021 TLP: White FBI Flash.

Certain groups disappear, new ones emerge

In Q2 2021, we saw the disappearance of a few different ransomware operations. It is difficult to identify whether the groups simply went into hiding, were arrested, rebranded, or are now operating with a different ransomware group. The previous three months saw a few groups call it quits including Avaddon, Babuk Locker, DarkSide, and Astro Locker ransomware groups. 

Conversely, new groups such as Hive, Vice Society, Prometheus, LV Ransomware, Xing, and Grief ransomware operations emerged with their own DLS.

Ransomware activity by sector

The Industrial Goods & Services sectors lead the list of organizations named to data leak sites in Q2 

Ransomware by victim sector 1H 2021

This has been a consistent trend of targeting and matches DS findings in Q1. After Industrial Goods & Services, Construction and Materials, Retails, Technology, and Healthcare closely followed each other.

When comparing Q1 to Q2, we found increases in every sector, with the retail sector showing the most significant jump — a 183 % increase. Additionally, organizations in healthcare continue to be a popular target despite many ransomware groups publicly denouncing the targeting of organizations in health-related verticals.

Ransomware activity by geography

It should come as no surprise that organizations in the US are the most targeted by ransomware operations. What might be a surprise is the significant disproportion of that targeting compared to the rest of the world.

  Of all the victims of ransomware that were named to data leak sites in Q2 2021, 60% of those were organizations based in the US.

Compared to findings from Q1, Canada was the country that showed the most significant decrease in ransomware activity (28% decrease). Each other country showed increases or remained consistent with Q1 reporting. 

Ransomware by victim geography 1H 2021

After the US, France (46), the United Kingdom (39), and Italy (35) were the top targeted victim geographies by ransomware groups.

Ransomware Predictions for Q3

Part of any intelligence analyst’s job is to make educated guesses on how certain events might unfold in the future. That’s why we always like to include a small section where we look at how things may appear in the coming quarter.

In this case, our job was facilitated by an event that happened right after the new quarter began. We’re talking about the REvil’s ransomware supply chain attack against Kaseya VSA. In this attack, the REvil ransomware group leveraged a zero-day vulnerability in Kaseya’s software to compromise more than 40 Managed Service Providers (MSPs) and hundreds more of their clients. This attack resulted in the widespread encryption of organizations across most industry verticals and well beyond Kaseya’s customers.

Could the Kaseya attack be a symbol of a throwback to ransomware being sprayed across as many organizations as possible? That’s probably too soon to say, but it’s certainly interesting to see how this trend we’ll evolve in the coming months. Still, we can deduce a few points from this story. First, in this instance, REvil decided to drop the traditional double extortion technique by encrypting as many companies as possible. Extracting and selling data from ransomware has become a crucial aspect of these campaigns in the past two years, and it symbolizes the highly targeted nature of the so-called big game hunting trend. 

The second key point from this attack is that REvil disappeared a few days after this operation became public. Although nothing has been confirmed yet, security researchers and journalists have hypothesized that law enforcement may have taken it down, that REvil has decided to lay low for a while, or that the groups simply went on vacation, as our colleague Sean likes to imagine. A few months from now, we’ll probably have a clearer idea of what happened to REvil—or DarkSide, for what it’s worth. So far, the apparent connection is that after massive attacks like the one on Colonial Pipeline or Kaseya, these groups disappear. And please, let us take this as a win for the moment. 

Finally, Digital Shadows (now ReliaQuest) suspects ransomware operations will continue to be brash in their selections of targets. In light of the fallout of the DarkSide attack against Colonial Pipeline and the significant backlash that resulted, one would assume that ransomware groups would be more selective in their operations. This assumption was quickly put to rest shortly after the Colonial Pipeline incident. A ransomware attack impacted JBS, the world’s largest meat processing company. A few weeks after that, we find REvil targeting multiple organizations as a result of the Kaseya VSA compromise. Ransomware operations will likely continue to operate brazenly into the third quarter of 2021, giving limited thought to who they are targeting and more to how much money they might make..

You can get a comprehensive look at the data that we used to build this blog and our quarterly ransomware reporting with a free demo request of SearchLight here. You can additionally get a customized demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) to gain visibility of your organization’s threats and potential exposures, including access to a finished threat intelligence library with MITRE associations and mitigations from Photon Research.

REvil’s Threat Intelligence profile in Searchlight

For further info—our previous blog article Tracking Ransomware Within SearchLight shows you how SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) tracks emerging variants, enables you to export and block associated malicious indicators in various formats, instantly analyze popular targets, and map to your security controls with ease.