Latest in ransomware: new safe haven, old attack leaders

Ransomware affiliates marked the end of the year by finding themselves a safe haven to discuss business.

Ransomware-as-a-service (RaaS) depends on an ecosystem of services to be successful. Affiliates rarely gain initial access or develop the malware themselves.

After the Colonial Pipeline, JBS, and Kaseya cyberattacks, ransomware groups were banned from cybercriminal forums, making it harder to find partners to do crime with.

However, a recent report from Digital Shadows detailing ransomware developments in the last quarter of 2021 claims that a new player, RAMP, has managed to attract interest from the hacking underworld.

Even though the forum suffered from distributed denial-of-service (DDoS) attacks and admins had to move servers several times, researchers think the forum has accomplished the task of becoming a safe haven for ransomware affiliate programs and cybercriminals interested in ransomware.

"RAMP has gathered the attention of cybercriminals in the international community, and there is now a diverse set of users operating in multiple languages to include English, Russian, and Mandarin," the report's authors claim.

Fast ransomware attacks

According to the report, Q4 2021 was marked by the success of the FIN12 ransomware group. Unlike many popular RaaS groups, FIN12 focuses on single-extortion attacks.

A single-extortion attack skips the part of the attack where threat actors upload stolen data to a data-leak site. That way, the attackers minimize the time spent on each target, leaving more time to attack others.

"Focusing on one factor can bring many benefits to groups, such as quicker attacks and less attention from law enforcement," reads the report.

Lockbit 2.0 remains in the lead

After analyzing close to 4,000 victims on data leak sites (DLS), researchers found that LockBit 2.0 remained the most active ransomware group in Q4 2021, accounting for 28.2% of all attacks recorded during the quarter.

Even though LockBit 2.0 appeared in July 2021, the number of the group's victims has remained several times higher than that of any other group.

The report's authors claim that Conti came in second, doubling the number of its victims compared to Q3 2021. PYSA and Grief remained in the top five, and AvosLocker broke into the top five for the first time since its release. Hive Leaks and Clop were close behind.

Come and go

Several ransomware groups shut down at the end of last year, most notably REvil and BlackMatter. REvil has even become a focal point for US-Russia relations due to the nature of the group's attacks.

Last week, Russian secret services announced that dozens of the group's affiliates had been arrested. At least one of the suspects is said to be behind the Colonial Pipeline attack.

The power vacuum was quickly filled by newcomers such as ROOK, Entropy, Alphv (BlackCat), Macaw, 54bb47h (Sabbath), Spook, and BlackByte.

"As we can see, both Spook and BlackByte created and shut down their data-leakage websites within the same quarter. This highlights the high volatility of the ransomware threat landscape," claim the report's authors.

Target analysis

The United States continued to reign as the most targeted country, with 46.2% of all victims coming from the States. The US is so popular among criminals because ransomware operators have had relative success in receiving large ransom payments from victims there.

Another reason is that the US does not have extradition treaties with Russia and China, where a substantial portion of RaaS groups are based.

"Therefore, the threat of prosecution for cybercrimes against the United States may not be high for these threat actors," reads the report.

The United Kingdom came in second, followed by Germany, France, Canada, and Italy.

What's to come

Ransomware became mainstream news in 2021, and that is unlikely to change. With the launch of RAMP, ransomware affiliates can collaborate with ease yet again.

"This collaboration was highlighted when a user on RAMP shared an exploit and proof-of-concept (PoC) for CVE-2021-44228 (Log4Shell) on 10 Dec 2021, a day after the vulnerability was disclosed," the report's authors claim.

Open discussion on future projects includes plans to develop advanced versions of LockBit, REvil, and Conti variants.

Digital Shadows also forecasts that there might be more cases where ransomware affiliates try to bribe insiders to deploy ransomware.
