Alliances between threat actors have led to the rise of the ransomware empire


Conti is the most aggressive ransomware group at the moment, and the United States is the most popular target for cybercriminals. With initial access brokers and ransomware gangs forming alliances, the problem is only going to get worse.

Ransomware is the number one threat to organizations worldwide. It has become toxic even to the black hat community, leading to a ban on ransomware topics on dark web forums. However, that didn't stop ransomware gangs: the number of victims continues to grow, and threat actors form alliances to attack their targets more effectively.

Dmitry Volkov, the CEO of cybersecurity company Group-IB, presented the company's research into global cyberthreats during its annual CyberCrimeCon'21.


"Ransomware is the number one threat. It affects every region and many different industries all over the world. The number of new public ransomware affiliate programs grew, but the speed of growth decreased. Because of successful law enforcement operations, ransomware programs became toxic for the rest of the hacker community," he said.

Initial access brokers and ransomware operators collaborate under the ransomware-as-a-service (RaaS) model, which has resulted in an unprecedented number of victims being named on data leak sites (DLSs).

Alliances between threat actors, Group-IB argues, have led to the rise of the ransomware empire. This year, threat actors have already published data relating to 2,371 companies on DLSs. That's a 935% increase from last year, when the data of 239 victims was made public.

"According to our estimation, this year, only 13% of victims' data were named to the DLSs, which means that other companies paid the ransom," Volkov said.

Having analyzed ransomware DLSs in 2021, Group-IB analysts concluded that Conti was the most aggressive ransomware group: it disclosed information about 361 victims (16.5% of all victim companies whose data was released on DLSs), followed by LockBit (251), Avaddon (164), REvil (155), and Pysa (118). Last year's top five were Maze (259), Egregor (204), Conti (173), REvil (141), and Pysa (123).

The number of new DLSs more than doubled during the review period and reached 28, compared to 13 in H2 2019—H1 2020. Cybercriminals use DLSs to add pressure on victims to pay, threatening to release the company's sensitive data.

Volkov believes that affiliate programs will run several DLSs at the same time to throw law enforcement and security researchers off track. Cybercrime has been in the spotlight this year, with the US trying to crack down on ransomware. Criminals realize that and try to stay under the radar by constantly rebranding or choosing less high-profile victims.


By country, most companies whose data was posted on DLSs by ransomware operators in 2021 were based in the United States (968), Canada (110), and France (103), while most affected organizations belonged to the manufacturing (9.6%), real estate (9.5%), and transportation (8.2%) industries.

While some cyberattacks are aimed at particular targets, many ransomware gangs choose their victims from what initial access brokers have on offer. Group-IB estimates that the market for initial corporate access grew by almost 16% in H2 2020—H1 2021, from $6,189,388 to $7,165,387. The number of offers to sell access to companies roughly tripled over the review period, from 362 to 1,099.

In H2 2019—H1 2020, the Group-IB Threat Intelligence team detected only 86 active brokers. In H2 2020—H1 2021, that number skyrocketed to 262.

"One of the main driving forces for initial access market growth is the steep increase in the number of ransomware attacks. Initial access brokers remove the need for ransomware operators to break into corporate networks on their own," Group-IB concluded.
