More than 700 organizations were attacked with ransomware and had their data posted to data leak sites in Q2 of 2021, according to a new research report from cybersecurity firm Digital Shadows.
Out of the almost 2,600 victims listed on ransomware data leak sites, 740 of them were named in Q2 2021, representing a 47% increase compared to Q1.
The report chronicles the quarter’s major events, which included the DarkSide attack on Colonial Pipeline, the attack on global meat processor JBS, and increased law enforcement action from US and European agencies.
But Digital Shadows’ Photon Research Team found that under the surface, other ransomware trends were emerging. Since the Maze ransomware group helped popularize the data leak site concept, double extortion tactics have become en vogue among groups looking to inflict maximum damage after attacks.
Digital Shadows tracks the information posted to 31 Dark Web leak sites, giving them access to just how many groups are now stealing data during ransomware attacks and posting it online.
Data from companies in the industrial goods and services sector were prevalent on Dark Web leak sites, according to the report. Construction and materials, retail, technology, and healthcare organizations also dominated the list of attacked organizations.
The retail sector saw the biggest increase in ransomware attacks, with Digital Shadows researchers finding a 183% increase between Q1 and Q2.
In terms of activity, the Conti group led the way followed by Avaddon, PYSA, and REvil.
“This is the second consecutive quarter that we have seen Conti as the most active in terms of victims named to their DLS. Conti, believed to be related to the Ryuk ransomware, has consistently and ruthlessly targeted organizations in critical sectors, including emergency services,” the report said, noting the group’s devastating attack on Ireland’s healthcare system.
But the report notes that on the wider ransomware market, a number of groups disappeared or emerged out of nowhere. In Q2, Avaddon, Babuk Locker, DarkSide, and Astro Locker ransomware groups all closed operations while groups like Vice Society, Hive, Prometheus, LV Ransomware, Xing, and Grief ransomware operations emerged with their own Dark Web leak sites, according to Digital Shadows.
The report also notes that 60% of the victim organizations are based in the US, with only Canada seeing a reduction in ransomware attacks from Q1 to Q2.
More than 350 US organizations were hit by ransomware in Q2 compared to 46 from France, 39 from the UK, and 35 from Italy.
The researchers behind the report questioned whether Q3 would see more attacks resembling the Kaseya ransomware attack, where REvil operators used a zero-day vulnerability to compromise more than 40 Managed Service Providers.
“Ransomware operations will likely continue to operate brazenly into the third quarter of 2021, giving limited thought to who they are targeting and more to how much money they might make,” the researchers wrote.