KELA logo

Beware. Ransomware. Top Trends of 2021

Executive Summary

In 2021, ransomware attacks continued to be one of the most prominent threats targeting businesses and organizations worldwide. High-profile attacks disrupted operations of companies in various sectors, including critical infrastructure (Colonial Pipeline), food processing (JBS Foods), insurance (CNA) and many more. Following the attacks, pressure of law enforcement on ransomware gangs intensified, though simultaneously these threat actors continue to evolve. They not only become more technologically sophisticated but also extensively leverage the growing cybercrime ecosystem aiming to find new partners, services and tools for their operations.

In this report, KELA provides insights into ransomware victims, recaps activity of ransomware groups in 2021 — both in terms of their attacks and presence on cybercrime forums — and shares exclusive findings about collaboration of ransomware actors with other cybercriminals.

KELA logo

Analysis of leaked Conti’s internal data

On February 27, 2022, as a response to the Conti ransomware gang’s support of the Russian invasion of Ukraine, a suspected Ukrainian researcher leaked internal conversations of its members. KELA analyzed the leaks to understand the group’s evolution and TTPs, as well as organizational structure.

Main findings:

  • Internal conversations show an evolution of a gang of ransomware attackers who at first were not a part of a specific ransomware group. They discussed Ryuk, Conti, and Maze as separate projects. Their activity eventually led to the formation of the modern Conti operation.
  • The group used various malware and tools. KELA found proof of Conti’s strong connection to Trickbot and Emotet, as well as BazarBackdoor, used for gaining initial access. The Diavol ransomware appears to be Conti’s side project. As for legitimate tools, Conti attempted to test products of VMware CarbonBlack and Sophos.
  • Conti used services of Initial Access Brokers to gain initial access.
  • Conversations regarding almost 100 victims – about a half of which were not publicly disclosed on Conti’s blog – shed light on the attacks’ process, including multiple steps before and after the ransomware deployment.
  • The gang’s members expressed interest in attacking the US public sector.
  • Conti’s team is highly organized and includes the following teams: hackers, coders, testers, reverse specialists, crypters, OSINT specialists, negotiators, IT support, HR.
  • KELA prepared descriptions of the top-15 actors based on the amount of their messages, as well as their connection maps.

From Initial Access to Ransomware Attack – 5 Real Cases Showing the Path from Start to End

KELA Cyber Intelligence Center

Successful ransomware attacks are all alike: they start from unnoticed access to a company’s network. While some attackers get their access in a stealthy way, some use publicly available offerings on cybercrime forums and markets.
Part of these offerings is made by Initial Access Brokers who play a crucial role in the ransomware-as-a-service (RaaS) economy. These actors significantly facilitate network intrusions by selling remote access to a computer in a compromised organization (Initial Network Access) and linking opportunistic campaigns with targeted attackers. Ransomware actors are actively looking for network access listings on cybercrime forums to match their ideal ransomware victim.

In this blog, KELA reveals several ransomware attacks that started with network access on sale and led to an attack within a month from the sale offer.

Season’s Stealings – The Dark Side of Holiday Shopping

Elena Koldobsky, Threat Intelligence Analyst

Offering holiday discounts to potential customers is a known marketing strategy – selling products, be it chocolate, clothes, or perfumes, for a decreased price, to increase sales during the holiday season. Unsurprisingly, the unwritten marketing laws have not skipped cybercrime communities. During this time of the year, threat actors get “cheerful” and post creative promotion ideas, offering malware, botnets, and encryptors for a decreased price as a holiday sale. 

For instance, on December 11, 2021, the threat actor “Grimxploit” posted a Christmas offer on the cybercrime forum RaidForums – an English-speaking forum focusing mostly on data breaches – promising to sell his products for a 20% discount to all those who use the coupon code “CHRISTMASS20”. Among the products sold were his Grimxploit branded crypter, worm, keylogger, and others, as well as a “remoded” version of Anubis botnet.

2easy: Logs Marketplace on the Rise

KELA Cyber Intelligence Center

As part of KELA’s continuous monitoring of communities and markets in the cybercrime underground, KELA identified a rise in the activity of a relatively new market of stolen user information, called “2easy”. The market is an automated platform where different actors sell “logs” – data and browser-saved information harvested from machines (bots) all over the world infected with information-stealing malware. Currently, the market offers information stolen from almost 600,000 bots.

Based on analysis of the data collected by KELA’s systems from this market, as of December 2021, the market hosts 18 sellers offering their infostealer logs for sale. Investigation of these sellers’ activities in the cybercrime underground, as well as feedback about the market posted to dark web sources, indicates that the market has a certain recognition among cybercriminals that deal with stolen credentials; they provide mostly positive feedback. As such, KELA assesses that credentials sold in 2easy are generally valid and may present a direct threat to organizations. KELA’s analysis of the market finds that RedLine information stealing malware is the most popular choice for the market’s vendors – with over 50% of the machines offered for sale on the market being infected with RedLine.

Ain’t No Actor Trustworthy Enough: The importance of validating sources

KELA Cyber Intelligence Center

The list of ransomware victims has risen dramatically over the last few years. Due to the adoption of the “double extortion” tactic, companies now pay for data not being released and not only for the sole unlocking of computers. KELA is regularly monitoring ransomware gangs’ blogs where attackers announce their victims and leak data. Some actors are operating similar data leak sites though they do not necessarily use ransomware; they steal data through other means of infiltration and then threaten to release it or sell it to third parties or resell data stolen by other actors. In addition to that, some actors offer old or non-existing leaks and make fake and intimidating claims. 

These offers have a direct impact on the cybersecurity landscape, generating extensive noise and preventing cyber threat researchers from focusing on real threats. Therefore, it becomes more important to validate sources before starting to follow them closely and accepting everything at face value. In this blog, KELA will share our process of reviewing new sources and assigning a level of threat, addressing sites such as:

  • Amigos
  • Coomingproject
  • Dark Leaks Market
  • Quantum 
  • Groove

Will the REvil Story Finally be Over?

Victoria Kivilevich, Director of Threat Research

According to recent reports, the operations of REvil ransomware were recently disrupted by a coordinated law enforcement operation (although not formally confirmed), taking their websites offline. Earlier that week, the most recently self-proclaimed representative of the RaaS bid farewells claiming that the servers were compromised – making it effectively the second time this year whereby the REvil (Sodinokibi) ransomware group has disappeared from radars. 

Does it mean the gang’s story will end? And how will this affect other RaaS programs? KELA summarizes the group’s activities after the notorious Kaseya attack and assesses the possible consequences of its disappearance, considering the fact that ransomware affiliates became a driving power of RaaS (ransomware-as-a-service) operations.

The Ideal Ransomware Victim: What Attackers Are Looking For

Victoria Kivilevich, Threat Intelligence Analyst

In July 2021, KELA observed threat actors creating multiple threads where they claimed they are ready to buy accesses and described their conditions. Some of them appear to use access for deploying info-stealing malware and carrying out other malicious activities. Others aim to plant ransomware and steal data. KELA explored what is valuable for threat actors buying accesses, especially ransomware attackers, and built a profile of an ideal ransomware victim.

Bottom line up front:

  • In July 2021, KELA found 48 active threads where actors claimed they are looking to buy different kinds of accesses. 46% of them were created in that month, illustrating the demand for access listings.
  • 40% of the actors who were looking to buy accesses were identified as active participants in the ransomware-as-a-service (RaaS) supply chain – operators, or affiliates, or middlemen.
  • Ransomware attackers appear to form “industry standards” defining an ideal victim based on its revenue and geography and excluding certain sectors and countries from the targets list. On average, the actors active in July 2021 aimed to buy access to US companies with revenue of more than 100 million USD. Almost half of them refused to buy access to companies from the healthcare and education industries.
  • Ransomware attackers are ready to buy all kinds of network accesses, with RDP and VPN being the most basic requirement. The most common products (enabling network access) mentioned were Citrix, Palo Alto Networks, VMware, Fortinet, and Cisco.
  • Ransomware attackers are ready to pay for access up to 100,000 USD, with most actors setting the boundaries at half of that price – 56,250 USD.
  • The similarities between ransomware-related actors’ requirements for victims and access listings and conditions for IABs illustrate that RaaS operations act just like corporate enterprises.

All Access Pass: Five Trends with Initial Access Brokers

Victoria Kivilevich, Threat Intelligence Analyst

For more than a year, KELA has been tracking Initial Access Brokers and the initial network access listings that they publish for sale on various cybercrime underground forums. Initial Network Access refers to remote access to a computer in a compromised organization. Threat actors selling these accesses are referred to as Initial Access Brokers. Initial Access Brokers play a crucial role in the ransomware-as-a-service (RaaS) economy, as they significantly facilitate network intrusions by selling remote access to a computer in a compromised organization and linking opportunistic campaigns with targeted attackers, often ransomware operators.
This research includes an in-depth analysis of Initial Access Brokers and their activity for a full year from July 1, 2020 to June, 30 2021. KELA analyzed IABs’ activities over the last year (when their role became increasingly more popular in the cybercrime underground) and summarized 5 major trends that were observed throughout our analysis.