Ransomware gangs have become greedier. Hive requested a whopping $240 million from MediaMarkt, and the average ransom demand grew to $247,000 in 2021.

Ransomware’s sophistication is clearly visible from the victim’s downtime, which increased from 18 days in 2020 to 22 days in 2021, Group-IB said after analyzing more than 700 ransomware attacks.

The rise of initial access brokers and expansion of ransomware-as-a-service (RaaS) programs fueled the growth of ransomware operations.

IB-Group noted that RaaS programs “started offering their affiliates not only ransomware builds, but also custom tools for data exfiltration to simplify and streamline operations.” As a result, the double extortion technique became even more widespread – in 63% of the analyzed cases, cybercriminals exfiltrated victims’ data.

Between Q1 2021 and Q1 2022, more than 3500 victims were listed on the data leak sites, with the United States (1655), Canada (176), and the UK (168) taking the biggest hit.

The most aggressive ransomware gangs turned out to be Lockbit, Conti, and Pysa, with 670, 640, and 186 victims on their list respectively.

The most common way to gain an initial foothold in the target network is exploitation of public-facing remote desktop protocol (RDP) servers – 47% of the attacks started with compromising an external remote service.

In 26% of the cases, the attack started with spear-phishing emails carrying commodity malware on board.

“In 2021, the attribution of ransomware attacks became increasingly complicated since many bots such as Emotet, Qakbot, and IcedID were being used by various threat actors, unlike in 2020, when certain commodity malware families had strong affiliation with specific ransomware gangs,” Group-IB said.

It noted some ransomware gangs were seen trying very unconventional approaches.

“REvil affiliates leveraged zero-day vulnerabilities to attack Kaseya’s clients. BazarLoader, used in Ryuk operations, was distributed via vishing (voice phishing). Phishing emails contained information about “paid subscriptions”, which could allegedly be canceled by phone. During the call, the threat actors lured the victim to a fake website and gave instructions to download and open a weaponized document, which downloaded and ran BazarLoader.”


More from Cybernews:

‘Space pirates’ penetrate deep into Russia’s aerospace industry

Millions of Brits exposed as traffic camera data left open to public

Deepfakes are scary good at bypassing remote identification

Hackers can remotely unlock Tesla by exploiting a Bluetooth vulnerability

Starlink: fighting for Ukraine on the cyber front

Spiteful employees cause over a quarter of data loss incidents

Subscribe to our newsletter