All Change at the Top as New Ransomware Groups Emerge

The Ransomware as a Service (RaaS) landscape underwent another major shift in the third quarter as new variants emerged to become the dominant players in the ecosystem, according to Intel 471.

In a new update, the threat intelligence company explained that 60% of the attacks it tracked during the period were tied back to four variants: LockBit 2.0, Conti, BlackMatter and Hive.

Of these, LockBit 2.0 was the most prolific, accounting for a third (33%) of observed attacks, followed by Conti (15%), BlackMatter (7%) and Hive (6%).

“Be it due to law enforcement, infighting amongst groups or people abandoning variants altogether, the RaaS groups dominating the ecosystem at this point in time are completely different than just a few months ago,” said Intel 471.

“Yet, even with the shift in variants, ransomware incidents as a whole are still on the rise. From July to September 2021, Intel 471 observed 612 ransomware attacks that can be attributed to 35 different ransomware variants. Among those attacks, several lesser-known variants have supplanted prominent ones that rose in notoriety over the first half of 2021.”

LockBit 2.0’s rise has been particularly notable, as it was only discovered in June 2021 following the disappearance of LockBit late last year. Its most famous scalp so far has been Accenture, which it bombarded with a DDoS attack as well as leaking data in a bid to force a $50m ransom payment.

Conti has been beset by in-fighting which may have led to a 64% drop in the number of recorded attacks using the variant between Q2 and Q3 2021.

“In August, an actor leaked training documents and exposed some infrastructure that revealed two other actors’ roles in running the variant, allegedly due to the operators not paying network access brokers their cut of ransom payments,” said Intel 471.

“The initial actor and one of the doxxed actors were booted from the forum after being tied to ransomware operations.”

While the four mentioned variants are on the rise, Clop and REvil have fallen away after significant law enforcement disruption.

However, the message to defenders is that the threat will persist as long as victims continue to pay up and hostile nations shelter attackers. That makes proactive threat defense a must.

This week, news emerged that the new Log4j vulnerability is already being exploited in ransomware attacks, offering a dangerous new vector for threat actors.

What’s Hot on Infosecurity Magazine?