LockBit 2.0 listed a whopping 203 victims on its data-leak site
Ransomware continues to be one of the most devastating threats to organizations, Digital Shadows claims. According to its report, LockBit 2.0 was the most active ransomware group in Q3, with a whopping list of 203 victims.

During Q3, ransomware remained one of the most popular attack methods targeting organizations across all sectors. While double-extortion tactics and data leak sites caused the most public impact, other ransomware variants remained successful, too.

Digital Shadows monitors data-leak sites and reports on victims across 35 data-leak sites daily. They have reported on more than 3,000 victims that have been named to a data leak site since the broader ransomware landscape adopted the tactic.

In Q3, this included 571 different victims as being named to the various active data leak sites. This is a 13% decrease when compared to the same activity identified in Q2. The decline is likely due to the closure of multiple highly active data-leak sites, such as Avaddon, Happy Blog, DarkSide, and Prometheus.

LockBit 2.0 made it to the top

According to Digital Shadows, LockBit 2.0, which emerged in July 2021, quickly took the number one spot as the most active group in Q3, beating Conti, the leader of the past two quarters.

LockBit had a whopping 203 victims listed on its data-leak site, almost triple the number of the rank two spot, Conti, which had 71 victims. LockBit 2.0 is an alleged continuation and improvement of “LockBit,” discovered in December 2019, which operates as ransomware-as-a-service (RaaS).

A significant attack by the group in Q3 was on the professional services company Accenture. LockBit allegedly demanded USD 50 million from Accenture following a ransomware attack. However, while the timer on LockBit’s data-leak site reached zero—indicating when data will be published—no data was leaked.

Despite industrial goods & services being the most targeted sector in Q3, the industry saw a significant decrease in the number of attacks (42%), likely because ransomware operators targeted a more diverse range of sectors in Q3. Attacks against healthcare organizations also had a significant decrease (31.8%). One exception was the technology sector, which saw a 29.8% increase in the number of attacks by ransomware groups.

Of all the victims of ransomware that were named to data leak sites in Q3 2021, 47% of those were organizations based in the US or Canada.

New ransomware forum

After the Colonial Pipeline attack, ransomware was banned from multiple cybercriminal forums. However, recently, a new forum aiming to become a hub for ransomware discussions was created.

RAMP was opened in mid-2021. This new Russian-language forum was hosted on the same URL as the Babuk ransomware data-leak site, despite administrators denying claims that the forum is related to Babuk.

RAMP aimed at becoming a ransomware-focused forum where groups could recruit new affiliates, promote ransomware-as-a-service (RaaS) offerings, and discuss anything ransomware-related.

The platform was launched in response to a ransomware ban announced on cybercriminal forums in May 2021, following the Colonial Pipeline attack by DarkSide. RAMP also launched its own data-leak site called “Groove,” which is the forum’s “blog,” where it posts victims of ransomware attacks and makes announcements.

Groups disappearing, returning, and rebranding

In Q3, many high-profile ransomware groups disappeared, reappeared, and some rebranded. Often when ransomware groups disappear, it is difficult to know the underlying circumstances.

However, a recent trend is that many ransomware groups have vanished or temporarily disappeared after launching significant cyberattacks, such as DarkSide (Colonial Pipeline) and REvil (Kaseya). Additional pressure from law enforcement agencies likely contributed to putting an end to their operations. In Q3, Digital Shadows saw the disappearance of the following ransomware groups: REvil, Avaddon, Noname, and Prometheus.

REvil eventually returned in early September and began posting new victims, later claiming that the group simply chose to take a “vacation.” However, the most noticeable return this quarter was LockBit, with the release of their new data-leak site and ransomware variant.

Some rebrandings took place this quarter. The SynAck ransomware group, which hosted a data-leak site called “File Leaks,” rebranded itself as “El_Cometa.” The DoppelPaymer ransomware was found to likely have rebranded as “Grief”, and it is believed that the Karma ransomware group is a rebrand of the Nemty ransomware gang.
