Ransomware Empire: Who might blackmail your company?

The history of ransomware attacks covers slightly over 30 years. Over this modest period, cybercriminals have been relentlessly building ransomware capacities and improving logistics to facilitate the infections of their victims and reach the most high-profile targets. This helped ransomware operators climb to the top of the cybercriminal hierarchy and earn the name of the number one cyber threat. In the first 11 months of 2021, more than 60% of all the incidents investigated by Group-IB concerned ransomware.

Few know that the first prototype of what we today know as ransomware appeared as early as in 1989. Although it didn’t know how to encrypt files, the ransomware history starts with that sample. Many concepts that we today perceive as indispensable attributes of ransomware, namely exorbitant ransoms, Ransomware-as-a-Service (RaaS) programs, and data leak sites (DLS) were yet to come.

In our report “Hi-Tech Crime Trends 2021/2022. Part II. Corporansom: threat number one,” Group-IB attempted to figure out how the focus of the ransomware industry shifted from advanced targeted attacks to non-targeted affiliate malware distribution programs by looking into the history of how these services developed. Using the capabilities of our Threat Intelligence & Attribution system, we looked in detail into major malware samples, tactics, techniques, and tools used by threat actors, as well as into events in the dark web that led to the emergence of today’s Ransomware Empire.

Early years

The first ancestor of the modern ransomware that cybersecurity analysts know was spread using floppy disks and compact disks (CDs) in 1989 to extort money from users using social engineering techniques. The Trojan, however, could not encrypt data and its creators were unaware of monetization methods other than deception.

Extortion also used to be a common technique for threat actors who carried out DDoS attacks to make money off their victims, who were extremely vulnerable to DDoS attacks back then due to the absence of content delivery networks. By adding data encryption to their arsenal in 2004, when PGPcoder emerged, cybercriminals got nearer to the concept of ransomware as we know it today. The PGPcoder operators asked their victims a ransom of about $13 — a negligible sum compared to today’s standards, when ransom demands climb to over $200 million. This malware, however, failed to obtain massive popularity as it only targeted individuals and significantly strained their then low-performance machines, which made it easy to detect.

The late 2000s saw a new trend: threat actors started blocking certain operating system functionalities to demand a ransom. This marked the WinLock era, which brought forth a phenomenon known today as Ransomware-as-a-Service (RaaS). The popularity of lockers continued to grow and peaked in 2012, after which it began to decline. They were replaced by the infamous Cryptolocker ransomware, which provoked the surge in the number of offers to sale ransomware and RaaS ads on underground forums. The main target of ransomware operators back then were individuals.

Go big or go home

The tipping point in the modern history of ransomware happened in 2015, when the attackers’ focus shifted to corporate targets, after they had realized that organizations were a far more valuable prey from a business perspective. The year of 2018 gave birth to one of the most notorious affiliate programs — GandCrab; according to some sources, the source code of this malware formed the basis of REvil’s Trojan.

GandGrab became the precursor to the Big Game Hunting phenomenon: it created dedicated teams for different activities, one of which was attacking major enterprises. Yet another tectonic shift in the ransomware industry was triggered by the gangs Snatch and Maze, which, in addition to encrypting companies’ data, started downloading it from their victims’ networks and publishing it on their own resources. These websites, intended for releasing data on the compromised organizations that refused to pay data in the so-called double extortion technique, were dubbed data leak sites (DLSs). Data leak sites were widely adopted as this technique has significantly increased the conversion rate, i.e., the share of companies that opted for paying the ransom.

The use of the double extortion technique based on DLSs, the active development of the RaaS program market, as well as the increasing popularity of ransomware programs among cybercriminals who used to have a more difficult way to make money have all contributed to the emergence of the Ransomware Empire on the cybercriminal stage.

Ruling dynasties

The past three years evidenced the emergence of 51 RaaS affiliate programs. Some of them rose like LockBit, Hive, SunCrypt or Avaddon, while others — realOnline Locker, Keystore Locker, and Jingo Locker fell. During the period from H2 2020 – H1 2021, at least 21 new RaaS affiliate programs appeared on underground forums, which is an increase of 19 percent compared to the corresponding period a year earlier. The ads promoting these programs appeared on at least 15 darknet forums between H1 2019 and H2 2021, managed by Russian-speaking admins. Darknet forum exploit[.]in was the most popular out of them, with RAMP and xss.is also having made it to the top 3.

It is noteworthy, that in the review period, following a wave of large attacks by various groups, especially REvil, forum owners banned advertising affiliate programs on underground forums. They explained that spreading ransomware drew too much attention to other hacker activities. And RAMP was created in response to the so-called no-more-ransom movement.

The emergence of new RaaS affiliate programs peaked in the second half of 2020, when 14 new frameworks appeared, which is an increase of 75% compared to the first six months of 2020. The pace of new DLSs emergence, however, has been much higher: to compare, in 2021, Group-IB analysts detected 29 new DLSs, and only 12 new affiliate programs, which suggests that many ransomware gangs’ programs remain private.

The double extortion technique, however, is same popular among private and public RaaS affiliate programs, with the number of victims whose data was released on DLSs having skyrocketed in the review period. In H2 2020 – H1 2021, the number of ransomware victims that had their data leaked on DLSs reached 2,371, which is a surge of 935% compared to the previous review period. It is noteworthy that in the first three quarters of the ongoing year, ransomware operators published 47% percent more data (1,966 companies) than in the entire 2020, when 1,335 organizations were affected.

These statistics only partially reflect the rate at which the number of ransomware incidents in growing, while the actual numbers are about an order of magnitude higher. Evidence in favor of such an assumption was the analysis of the Hive RaaS affiliate program admin panel, which showed that the gang released info on only about 13% of their victims.

Based on the analysis of DLSs, in 2020, Maze, Egregor, Conti, and REvil were the most aggressive ransomware strains.

The most aggressive ransomware strains in 2021 vs. 2020

In the current year, the situation changed, and the share of certain ransomware gangs decreased, as the number of small ransomware groups went up. Despite this, Conti has managed to cement its leadership, with the largest number of victims posted on DLS — 361.

Sailing around the world

According to the data of DLSs analyzed by Group-IB’s Threat Intelligence analysts, the United States was the country attacked most often in 2020, followed by Canada and the United Kingdom. The top five attacked countries also included France and Germany. In 2020, the regions with the most victims were North America, Europe and the Asia-Pacific region.

This remained unchanged in 2021 as well. The situation did not change significantly in the current year for the countries with the largest number of ransomware victims. France appeared in the top 3, however, while Germany fell to sixth place.

The distribution of ransomware victims posted on DLSs in 2021 by country

Speaking about the industries that are ransomware operators’ main targets, these were manufacturing, real estate, and transportation. The situation in 2021 remained almost unchanged, which suggests that attackers mainly target the same types of companies that they believe to be the most profitable.

All’s fair on ransomware market

The market for ransomware as a service (RaaS) has rapidly expanded and many financially motivated groups have shifted their focus to ransomware attacks, two factors which both led to a spike in the number of investigated incidents of this kind. In Q1-Q3 2021, ransomware attacks accounted for over 60% of all incidents investigated by Group-IB. However, even though this type of attack has increased rapidly and that many different cybercriminal groups have been involved, there have been substantial overlaps in the tactics, techniques and procedures used by attackers. Furthermore, the typical set of ransomware techniques and tools has remained essentially the same.

Another factor that has significantly influenced the volume and success of ransomware attacks was the development of a market for initial access brokers, which allowed many attackers to gain easy access to networks. In general, similarly to the previous reporting period, the most commonly used initial access techniques were compromising remote access services, phishing, and exploiting publicly-facing applications. Regarding post-exploitation, Group-IB experts identified the attack techniques most frequently used in security incidents. These were command and scripting interpreter, remote services, and remote system discovery.

The current developments on the ransomware market can be perceived as a so-called demonopolization, with RaaS programs growing in numbers, but decreasing in scope. The total damage caused by RaaS operators, however, is likely to continue to increase, fueled by the emergence of new players and collaborations between RaaS programs and sellers of access to corporate networks.

In addition, to complicate the course of potential prosecutions, the same individuals are likely to launch numerous RaaS programs under various brands. More forecasts and recommendations on what measures should be taken to protect against ransomware attacks can be found in Group-IB’s “Hi-Tech Crime Trends 2021/2022. Part II. Corporansom: threat number one” report.