Six Ransomware Gangs Already Claimed Hundreds of Victims in 2021

Not a week goes by without yet another company or organization falling victim to a ransomware attack. According to eSentire’s latest threat report, six ransomware gangs claimed 290+ new victims in 2021. Their crime spree turned out to be particularly rewarding. With over half of victims paying part, or all, of the ransom demands, they have already made millions. And the year is not even halfway through.

Just a Drop in the Ocean

Colonial Pipeline, Washington DC Metropolitan Police, hardware and electronics Giant Acer, home appliances manufacturer Whirlpool, the Belgian government’s computer network Belnet, an EU research institute, game developer CD Projekt… With so many victims reported in just the last couple of months, it’s tempting to think that we have a pretty clear picture of the severity of this threat.

“Think again”, said eSentire in their latest threat report. “The victims we hear about publicly are a mere drop in the bucket compared to the actual incidents.” As an example, eSentire names a small private US company that suffered a ransomware incident in April 2021. “The threat actors demanded $12 million and the company paid it, according to a high-ranking employee of the organization who asked not to be named.” The case has never been made public.

To get a better idea of the true scope of ransomware attacks, eSentire’s research team, the Threat Response Unit (TRU), teamed up with dark web researcher Mike Mayes. Together, they began tracking current activity of six notorious ransomware groups: Ryuk/Conti, Sodin/REvil, CLOP, and DoppelPaymer, as well as DarkSide and Avaddon, two emerging gangs.

292 New Ransomware Victims

The security researchers found that, in total, these six gangs not only racked up hundreds of victims in 2020. They have also collectively compromised 292 new victim organizations between January 1 and April 31 this year. Here are the numbers according to the gangs’ blog/leak sites:

• Ryuk/Conti: 352 victims in 2020, 63 new ones since 1 January 2021. Including manufacturers, construction firms, and transportation and logistics companies in North America, the UK and France.
• Sodin/REvil: 161 victims in 2020, 52 new ones since 1 January 2021. Primarily manufacturers, as well as a few healthcare organizations, transportation/logistic companies, and construction firms.
• DoppelPaymer: 186 victims in 2020, 59 new ones since 1 January 2021. Including a disproportionate number of government organizations.
• CLOP: 53 victims in 2020, 35 new ones since 1 January 2021. Including manufacturers, retailers, financial organizations, law firms, and educational institutions.
• DarkSide: 59 victims in 2020, 37 new ones since 1 January 2021. Including energy companies, retailers and travel firms in the US, South America, Middle East and the UK.
• Avaddon: 88 victims in 2020, 47 new ones since 1 January 2021. Including healthcare organizations, manufacturers and private-sector entities, mainly in South America, Canada, Italy and Romania.

What’s more, TRU and Mayes also found that these ransomware groups are not only continuing to target the usual suspects, like government organizations, educational institutions, law firms, hospitals and healthcare organizations. They have expanded their hit list to include manufacturers, construction firms, and transportation and logistics companies.

Apparently, they are also expanding their geographic horizon. This now spans from the US, Canada and South America over to the Middle East and the whole of Europe.

More than Half of Victims Pay

Worryingly, the number of victims paying up is on the rise again. In 2019, a CrowdStrike survey made headlines in the tech world stating that the total number of organizations that pay the ransom after falling victim to a supply-chain attack had more than doubled, from 14% the year prior to 39%. In a 2020 survey conducted by Veritas Technologies more than half of the victims admitted to paying part, or all, of the ransom. This despite the strong advice not to do so. “Simply” because:

• Paying ransoms fuels future ransomware attacks and encourages cybercriminals even further;
• There’s no guarantee that all the data can be decrypted. It could just partially be recovered or even not at all;
• There’s no way to know if all or part of the data had already been sold on the dark web.

Nevertheless, the average ransom paid by organizations is also increasing. From US$115,123 in 2019 to $312,493 in 2020, according to the 2021 ransomware report of Paloalto’s research team, Unit 42. This is a 171% year-over-year increase.

“Using the $312,493 ransom amount, and conservatively assuming only half of the purported victims paid the ransom, the total ransoms reaped by the six groups in the past four months is just over $45 million”, estimated eSentire in their report.

These six ransomware groups’ high-level of activity has certainly stunned the TRU team. “If these threat groups are to be believed, they are wreaking havoc against many more entities than the public realizes. Another sobering realization is that no single industry is immune from this ransomware scourge. These debilitating attacks are happening across all regions and all sectors.”

Steps to Reduce Ransomware Exposure

eSintere’s report also includes some basic security steps that every company, big or small, should take to protect themselves against ransomware attacks and mitigate the possible consequences, besides setting up a good system to ensure online security. These include:

• implementing network segmentation;
• creating ransomware resilient backups;
• requiring multi-factor authentication to access organizations’ virtual private networks (VPN) or remote desktop protocol (RDP) services;
• employing the principle of least privilege with staff members;
• only allowing administrators to access network appliances using a VPN service;
• organizing security awareness training for all employees; and
• regularly patching systems, prioritizing key IT systems.