WEBINAR | A Deep-Dive into 2023 Cyber Threats
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Beyond MDR
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Operational Technology
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Threat Hunting
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Threat Intelligence
Find cyber threats that have evaded your defenses.
Model Index
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
Phishing Analyzer
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
Integration Partners
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Blog
Company Blog
Case Studies
Brands of the world trust ReliaQuest to achieve their security goals.
Data Sheets
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
eBooks
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Podcasts
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
Solution Briefs
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
White Papers
The latest white papers focused on security operations strategy, technology & insight.
Videos
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
ReliaQuest ResourceCenter
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Threat Research
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
Shadow Talk
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
April 16, 2024
About ReliaQuest
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Leadership
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Careers
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
Contact Us
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
More results...
We have reached the end of another quarter, and it is time again for us to have a look back at some of the key cyber events that happened during Q3 2021. The trend of ransomware being one of the most devastating threats to organizations has continued over the past three months. In this quarter, we saw a large ransomware supply-chain attack that allegedly targeted one million organizations, many new data-leak sites created, and a new leader in the ransomware threat landscape. Despite ransomware activity being denounced and banned from multiple cybercriminal forums in Q2 2021, a new forum was created this quarter that aimed to be the “hub” for ransomware discussions.
In this blog, we will cover the significant events that happened in the ransomware threat landscape over 01 Jul – 30 Sep 2021 and analyze the trends affecting the ransomware space during the quarter.
In Q2 2021, we saw a large ransomware attack on the US energy operator Colonial Pipeline by the DarkSide gang, increased activity by US law enforcement resulting in the retrieval of ransom some payments, such as a partial payment DarkSide received from Colonial Pipeline, and a ban of discussions related to ransomware from most cybercriminal forums. In Q3 2021, we had many new stories unravel.
On 02 Jul 2021, multiple MSPs running Kaseya VSA fell victim to a ransomware attack. REvil (aka Sodinokibi) claimed responsibility for the attack on its data-leak site “Happy Blog” and said that it had infected more than 1 million users via the supply-chain attack. The ransomware group also offered the universal decryptor for BTC 70 million. On 22 July 2021, Kaseya confirmed that it had obtained a universal decryptor, but did not disclose how this decryptor was obtained. REvil members later took it to cybercriminal forums to reveal that the decryptor was accidentally exposed due to a misclick by one of its coders, which led to the universal key being given to victims who paid the ransom, instead of just the individual decryption key.
On 20 Sep 2021, the Iowa-based agriculture supply-chain company New Cooperative announced that it had fallen victim to a BlackMatter ransomware attack. The company stated that the attack resulted in locked computers, which are used to manage supply chains and animal feeding schedules. New Cooperative officials claimed that 40 percent of United States’ grain production depended on the software that was encrypted, and the ransomware attack could break the supply chain very quickly. BlackMatter attempted to put pressure on New Cooperative by warning that the attack would be “bigger than DarkSide’s attack on Colonial Pipeline”. New Cooperative reportedly did not pay the ransom and called the cyber incident a “terrorist attack”.
A new ransomware-focused forum, RAMP, was opened in mid-2021. This new Russian-language forum was hosted on the same URL as the Babuk ransomware data-leak site, despite administrators denying claims that the forum is related to Babuk. RAMP aimed at becoming a ransomware-focused forum where groups could recruit new affiliates, promote ransomware-as-a-service (RaaS) offerings, and discuss anything ransomware-related. The platform was launched in response to a ransomware ban announced on cybercriminal forums in May 2021, which happened following the Colonial Pipeline attack by DarkSide. RAMP also launched its own data-leak site called “Groove”, which is the forum’s “blog” where it posts victims of ransomware attacks, and where the group makes announcements.
Ransomware remained one of the most popular attack methods targeting organizations across all sectors in Q3 2021. Double-extortion tactics (encrypting & exfiltrating) and data-leak sites typically caused the most public impact, but other ransomware variants remained successful without the need for data-leak sites, such as Ryuk. Digital Shadows (now ReliaQuest) constantly monitors ransomware data-leak sites on a daily basis and reports on victims across 35 data-leak sites, helping our customers identify exposures involving their third parties or suppliers.
Digital Shadows (now ReliaQuest) has reported on more than 3,000 victims that have been named to a data leak site (DLS) since the broader ransomware landscape adopted the tactic.
In Q3 2021, this included 571 different victims as being named to the various active data leak sites. This is a 13% decrease when compared to the same activity identified in Q2 2021. The decrease is likely due to a closure of multiple highly active data-leak sites, such as Avaddon, Happy Blog, DarkSide, and Prometheus. The following subsections are based on an analysis of victims named to a DLS in Q3 2021.
LockBit 2.0 emerged in July 2021 and quickly took up the number one spot for the most active group in Q3 2021, beating Conti who was the most active group for the past two quarters (Q2 and Q1 2021). LockBit had a whopping 203 victims listed on its data-leak site, almost triple the amount of the rank two spot, Conti, who had 71 victims. LockBit 2.0 is an alleged continuation and improvement of “LockBit”, discovered in December 2019 that operates as ransomware-as-a-service (RaaS). A notable attack by the group in Q3 2021 was its attack on the professional services company Accenture. LockBit allegedly demanded USD 50 million from Accenture following a ransomware attack. However, while the timer on LockBit’s data-leak site reached zero—indicating when data will be published—no data was leaked.
In Q3 2021, many high-profile ransomware groups disappeared, reappeared, and some rebranded. Often when ransomware groups disappear, it is difficult to know the underlying circumstances behind their disappearance. However, a recent trend is that many ransomware groups have vanished or temporarily disappeared after launching large cyber attacks, such as DarkSide (Colonial Pipeline) and REvil (Kaseya). It is likely that additional pressure by law enforcement agencies may have contributed to the disappearance of many of these ransomware groups. In Q3 2021, we saw the disappearance of the following ransomware groups REvil, Avaddon, Noname, and Prometheus.
REvil eventually made their return in early September and began posting new victims, later claiming that the group simply chose to take a “vacation”. The most notable return this quarter, however, was LockBit, with the release of their new data-leak site and ransomware variant.
There were also rebrandings that occurred this quarter. The SynAck ransomware group, which hosted a data-leak site called “File Leaks”, rebranded itself as “El_Cometa”. The DoppelPaymer ransomware was found to likely have rebranded as the “Grief” ransomware group, and it is believed that the Karma ransomware group is a rebrand of the Nemty ransomware gang.
The industrial goods & services sector has been a consistently targeted sector throughout 2021, ranking in the number one spot in all quarters of the year so far. In second place, there was the technology sector, which was followed by construction & materials, legal services, and financial services sectors.
There were decreases in most sectors when comparing to Q2 2021. Despite industrial goods & services being most targeted, the sector saw a significant decrease in the number of attacks (42%), likely because ransomware operators targeted a more diverse range of sectors in Q3 2021. Attacks against healthcare organizations also had a notable decrease (31.8%). One exception was the technology sector, which saw a 29.8% increase in the number of attacks by ransomware groups.
The United States has continued to be the most targeted sector for ransomware operations, which was followed by Canada. North America is a common target for ransomware activity, likely because threat actors have been successful in receiving large ransom payments from the region in previous campaigns.
Of all the victims of ransomware that were named to data leak sites in Q3 2021, 47% of those were organizations based in the US or Canada.
Every other geography showed a slight decrease or stayed relatively consistent since Q2 2021. After the US and Canada, Germany (24), the United Kingdom (23), and France (21) were top targeted geographies by ransomware groups.
In this last section, we like to look into the future to identify what upcoming threats may look like in the ransomware threat landscape. The last quarter of 2021 is likely to continue many of the trends observed in Q3 2021, with North America being the most targeted region, and the industrial goods & services sector remaining the preferred sector for attacks.
One interesting point of discussion for the next quarter are the issues related to data-leak sites that we observed in over the past few months. Many ransomware groups have experienced difficulties managing data-leak sites and hosting data on the dark web for download. This has resulted in some ransomware groups exposing data using public file-sharing websites, such as Mega[.]nz or PrivatLab[.]com. As these services are hosted on the clear web, they can often be taken down, and most download links are removed within a day or two.
Another issue with data-leak sites relates to the inherently slow download speeds of the dark web. Regardless of how fast a user’s internet speed may be, the download speeds in the dark web are capped to significantly slower speeds (typically 10-200 KBPS), which depend on multiple factors related to Tor relays and circuits. Downloading a 5-10GB file on the dark web may take several days, depending on where it is being hosted. The slow download speeds combined with frequent failed downloads can make downloading large datasets from the dark web a very difficult task.
These difficulties were highlighted when the Clop ransomware group leaked data for the IT company Qualys in March 2021. The initial phase of the data leak had three files that were approximately 4GB. Many threat actors attempted to download this data, but ended up taking their frustrations to criminal forums after encountering difficulties with their downloads. The download speeds were so slow that some users claimed it took them nearly one week to download the first dataset, while other users reportedly gave up.
Data-leak sites also can leave ransomware gangs vulnerable to attacks. Most recently, on 17 Oct 2021, a representative of the REvil ransomware gang took it to a Russian-speaking criminal forum to reveal that their data-leak sites had been “hijacked”. The REvil member explained that an unknown individual accessed the hidden services of REvil’s website’s landing page and blog using the same key owned by the developers. The user believed that the ransomware gang’s servers had been compromised and the individual responsible for the compromise was “looking for” him. The representative stated that REvil planned to go offline while they handle the issue.
As Q4 comes near, it will be interesting to see if issues relating to managing data leak sites will discourage new ransomware groups to continue to pursue the path of data-leak sites, or what creative solutions they will create to work around these issues. The Ryuk ransomware group has proven itself to remain effective and a top player in the ransomware threat landscape without the need for a data-leak site. In fact, Ryuk has thrived by not needing a data leak site and data exfiltration. A recent report by Mandiant revealed that FIN12, the group responsible for Ryuk and Conti, has managed to conduct ransomware attacks in less than 3 days, when compared to over 12 days for attacks involving data exfiltration.
Nevertheless, data-leakage websites are here to stay, and we can expect that many more will be opened up over the next quarter. To see more information about Digital Shadows (now ReliaQuest)’ Q3 ransomware reporting, see our Ransomware Quarterly Threat Report.
You can get a comprehensive look at the data that we used to build this blog and our quarterly ransomware reporting with a free demo request of SearchLight here. You can additionally get a customized demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) to gain visibility of your organization’s threats and potential exposures, including access to a finished threat intelligence library with MITRE associations and mitigations from Photon Research.
For further info—our blog article Tracking Ransomware Within SearchLight shows you how SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) tracks emerging variants, enables you to export and block associated malicious indicators in various formats, instantly analyze popular targets, and map to your security controls with ease.