Syhunt 2022 Ransomware Threat Report

Paper by Felipe Daragon, Roberto Marc and Syhunt Icy Team. February 8. 2022

After the first mega data leaks in the beginning of 2021 that affected millions of companies and individuals, we started the Syhunt Icy division for monitoring the surface, deep and dark web for new data leaks and cyber threats. Since then, we work together with media partners to inform about critical data leaks and the need to harden our cybersecurity posture. Now, a year later, we publish this first report based on the research conducted by Syhunt Icy about the ransomware threat.


Ransomware is today's most common type of malicious software - it steals, deletes or encrypts files on compromised machines, subsequently asking for payments to recover such files or not having them exposed on the dark web. Over 100 variants of ransomware exist today and are being investigated by researchers and the authorities, including Europol and the FBI, which now considers ransomware attacks as cyberterrorism.

The phases of a ransomware attack: The first phase of a ransomware attack is infection, the group seeks to infect a device with its ransomware. Statistics show that around 75% of the victims had up-to-date endpoint protection, which means that while an up-to-date antivirus is essential to block known ransomware variants, due to its reactive nature, the antivirus software is mostly defenseless against the new ransomware variants created by the groups [1]. The second phase of the ransomware attack is known as lateral movement. After infecting the first device, the group seeks to steal has much information possible and take control of other devices on the network - this can take hours or months. Finally, the group performs mass data encryption, or mass deletion, of the files they accessed to demand ransom payment. The group may resort to double-extortion, requesting additional payment not to publish the information on their "wall of shame" on the dark web. In such cases, the group may publish part of the information as a proof of exfiltration or a list of the files that will be published if the payment is not made. In the recent past, the REvil group created an eBay-like auction site for selling the stolen data of its victims [2].Sometimes groups prefer to sell access to the compromised servers instead of directly selling the information contained in the servers.

Cybercriminals becoming rich: The European Union Agency for Cybersecurity (ENISA) recently said there was a 150% rise in ransomware attacks between April 2020 and July 2021. According to the agency, this is the "golden era of ransomware" due to the plethora of monetization options available to cybercriminals [3]. The ransomware groups are now rich enough to even buy zero-day exploits that they can use to make more victims[4]. 23% of today's world high risk severity incidents are related to ransomware[5]. It is not difficult to understand why: it's a very profitable cybercrime. Behind each ransomware is a group (or gang), which is usually illicitly becoming rich - it's known that about 40% of the victims pay the ransom, and that about 25% of business executives would be willing to pay between $20,000 and $50,000 to regain access to encrypted data[6].

Our Analysis & Discoveries

Over 150 TB 2.843 31+
Total of Data Stolen by Ransomware GroupsTotal of Victim OrganizationsTotal of Ransomware Groups

Over the course of 2021, we've mapped and investigated over 30 ransomware groups on the dark web. Since 2019, these groups created over 100 types of ransomware. We've also mapped and investigated sources of data leaks on the surface and deep web. We mapped how much data each ransomware group has stolen and the number of leaked victim organizations by each group and country, as well as the distribution of leaks per layer of the web.

Distribution of Data Leaks Per Web Layer

  • The Surface web: hosts thousands of forum threads about data leaks that evolve daily. Such pages are indexed by Google and other search engines.
  • The Deep web: out of reach of search engines, the deep web hosts private hacker forum threads that evolve daily. With plenty hidden content, the Deep web hosts millions of data leaks, including around 16 billion of leaked passwords and some data markets. We've identified leaks related to 58 millions of Internet domains on the Deep web. The deep web, together with torrent, is the preferable way by hackers to leak and share compromised passwords and databases.
  • The Dark web: out of reach of search engines and regular browsers, the dark web hosts key data markets and web pages of ransomware groups. We've mapped a total of 2.843 ransomware victim organizations on the Dark web. Syhunt estimates that 150 terabytes of data has been stolen from these victims by the groups, most of which has been published on their "wall of shame" web pages on the Dark Web. This number relates to both 7Zip compressed and uncompressed files, which means the actual number of bytes stolen could be significantly higher.

Numbers by Ransomware Group

Syhunt estimates that over 150 terabytes of data has been stolen from victim organizations by ransomware groups from January 2019 up to January 2022. We concluded that some of the groups, such as dopple_leaks and grief, prefer to make a large number of victims, stealing small quantities of data from each target and moving quickly from a target to another, while other groups, such as ragnar_locker and pay2key, prefer to make a smaller number of victims, stealing larger quantities of data from each target.

Group NameTotal of Data Exfiltrated (150TB)Total of Victim Organizations
REvil44.1 TB282
conti22.9 TB600
ragnar_locker19.6 TB29
pay2key14.3 TB6
lv_blog9.3 TB42
blackmatter8.3 TB33
snatch6 TB29
alphavm4.8 TB20
lockdata4 TB7
midas3.4 TB22
bonaci_group3.3 TB3
xing_team3.1 TB19
quantum2.9 TB9
everest2 TB49
ransomexx1.7 TB35
payload_bin1.4 TB7
babuk1 TB5
suncrypt778.0 GB8
arvinclub426 GB5
dopple_leaks399.3 GB198
grief259.1 GB79

REvil: Numbers and Profit of a Single Ransomware Group

Over 44 TB 282 14
Total of Data Stolen by the Group in 2020 and 2021Total of Victim OrganizationsTotal of Suspected Members Arrested in 2022

When REvil was arrested in January 2022, many articles said the group has stolen a total of 21.6 TB from its victims - this number is an estimate published as part of a 2021 IBM paper[7] and related to the 2020 period alone. Syhunt's number is much higher (44.1 TB) because it takes into account the REvil performance in both 2020 (138 victims) and 2021 (144 additional victims).

On January 15, 2022, the Russian Federal Security Service arrested 14 suspected members of the REvil ransomware group at the request of the United States. With the group were seized 426 million rubles and 500,000 (about $6 million), as well as $600,000 in cash, and cryptocurrency wallets, computers and 20 high-end cars[8]. Over the course of a year, nearly 35% of the victim organizations paid the ransom demanded by REvil and 43% of the victims had their data leaked by the group.

The seized money is also considered to be the tip of the iceberg of REvil's profit. In November 2021, The US Department of Justice seized US$ 6,1 million in funds traceable to alleged ransom payments received by a REvil member[9] - the group claimed a profit of over $100 million [10] and researchers estimated it at around $123 million in 2020 alone [11].

The Lapsus$ Group : a Newcomer With Unrealistic Claims

In December 12, 2021, the newcomer Lapsus$ group claimed it stole 50 TB of data from Brazil's Ministry of Health. [12]. Considering that the experienced REvil group has stolen 44.1 TB from 280 victims in two years of operation, it is not easy to believe that a newcomer has actually stolen 50 TB of data from a single victim - the group has not yet provided proofs of the 50 TB exfiltration. Until now, the group published 580MB of source code allegedly stolen from the victim.

After hitting the Brazil's Ministry of Health last year, the group has made new victims in Portugal this year and, as part of another recent attack, claimed it stole 10 PB (petabytes) of data from Telecom operator Claro Brasil [13], a number that is much more unrealistic than the 50 TB previously alleged. We're not saying that Lapsus$ must not be taken as a serious threat - they took down systems of the Brazil's Ministry of Health for weeks, just that the numbers that the group claims are not credible, likely unrealistically inflated.

While the dark web is the preferred layer used by ransomware groups to leak information, the Lapsus$ group is using a public Telegram channel to make announcement of new victims.

Find below additional numbers mapped by Syhunt.

Top 5 Top-Level Domain Extensions Attacked

ExtensionTotal of Victim Organizations
1. Companies (.com)1895
2. Non-profit Organizations (.org)117
3. Companies (.net)46
4. Educational (.edu)29
5. Government (.gov)17

Top Attacked Continents

RegionTotal of Victim Organizations
1. North America788+ (Including USA), 80 (Without USA)
2. Europe379
3. Asia104
4. Oceania60
5. South America59
6. Africa16

Considering our data related to ransomware victims from January 2019 up to January 2022:

  • The United States of America is the most-attacked North American country by ransomware groups, followed by Canada and Mexico.
  • The United Kingdom is the most-attacked countries in Europe, followed by France, Italy and Germany.
  • Brazil is the top attacked country in South America, followed by Chile.
  • Japan is the top attacked country in Asia, followed by India.
  • Australia is the top attacked country in Oceania, followed by New Zealand.
  • South Africa is the top attacked country in Africa.

Top 10 Attacked Countries

CountryTotal of Victim Organizations
1. United States of America708+
2. United Kingdom97
3. France56
4. Canada55
5. Italy55
6. Germany51
7. Australia50
8. Brazil36
9. Japan22
10. Netherlands14

Top 10 Attacked Countries in Europe

CountryTotal of Victim Organizations
1. United Kingdom97
2. France56
3. Italy55
4. Germany51
5. Netherlands14
6. Austria13
7. Spain13
8. Belgium12
9. Switzerland12
10. Poland8

Top 5 Attacked Countries in Asia

CountryTotal of Victim Organizations
1. Japan22
2. India12
3. Saudi Arabia9
4. Singapore6
5. UAE5

Top 5 Attacked Countries in South America

CountryTotal of Victim Organizations
1. Brazil36
2. Chile10
3. Colombia5
4. Peru4
5. Argentina1

Top 5 Attacked Countries in North America

CountryTotal of Victim Organizations
1. United States of America708+
2. Canada55
3. Mexico12
4. Honduras2
5. Nicaragua2

Top 5 Attacked Countries in Africa

CountryTotal of Victim Organizations
1. South Africa10
2. Morocco2
3. Angola1
4. Botswana1
5. Algeria1

How we got the numbers

The numbers are based on a database generated by our AI software Presta combined with extensive human intelligence work. Presta is an advanced bot created by Syhunt to automate and accelerate the analysis of surface, deep and dark web data leaks collected by Syhunt's Icy Division.


The ransomware groups were bold enough to steal massive quantities of data remotely from a large number of victims and monetize on top of it, sending a strong signal to the cybercrime world about how valuable stolen private corporate information can be nowadays - it does not matter how the data has been obtained, just that cybercriminals can always monetize on top of fresh data. Working as catalyzer of the expansion of data leaks, the growing ransomware activity accelerated the creation of an interlinked and highly profitable underground cybercriminal world.

Our research indicates that cybercriminals and malicious actors now have plenty data markets at their disposal on the surface, deep and dark web, to sell and share information that has been obtained not only through ransomware attack, but through additional means, such as through direct SQL Injection attacks, zero-day attacks, web scraping or the use of malicious insiders.

While an up-to-date antivirus is essential to block known ransomware variants, antivirus software is mostly defenseless against the new ransomware variants created by the groups. For this reason, defense against ransomware and data leaks in general must use a multifaceted approach which must include, among other things:

  • Up-to-date antivirus software, operational system and applications
  • Regular backup operations, with the backups kept offline
  • Increased use of cryptography of sensitive files and data which must be combined with compartmentalization and containerization
  • Use of BCrypt with factor 12 or up when hashing passwords
  • Use of multifactor authentication
  • Hardened web application security
  • Active monitoring for leaks through internal or external means
  • Monitoring the evolution of security and privacy scores related to the organization
  • Heightened awareness of social engineering and phishing attacks
  • Validate the sender of USB devices sent through postal. On January 10, 2022, the FBI warned that the FIN7 group is sending malware-laden USB sticks to companies, disguised as legitimate means such as Amazon or government departments.

About Syhunt Security

With next-generation assessment technology, Syhunt established itself as a leading player in the web application security field, delivering its assessment tools to a range of organizations across the globe, from the SMB to the enterprise. Syhunt products help organizations defend against the wide range of sophisticated cyberattacks currently taking place at the Web application layer.

Syhunt proactively detects vulnerabilities and weaknesses that lead to data leak or breach - Syhunt tools focus on the many angles and views that can be used for evaluating the security state of a web application, such as its live version (through dynamic analysis / DAST), source code (SAST), server log (proactive forensics) and configuration (hardening).

Syhunt's founder Felipe Daragon started his career working as a security consultant for government organizations and corporations in the 90s. In the beginning of his career he worked for leading information security firms in Brazil. Daragon's last 22 years in the information security industry were dedicated to proactively defend companies and government agencies from attacks, and raising awareness about pressing security issues and new cyber attack trends.

Roberto Marc studied and learned programming together with Daragon nearly 20 years ago and is driven by a passion for technology, software, hardware and mathematics. Experienced in both Linux and Windows environments, Marc joined Syhunt both as a software researcher and later became Syhunt's leading Dark & Deep Web Analyst.

Presta AI is an advanced bot created by Syhunt to automate and accelerate the analysis of surface, deep and dark web data leaks collected by Syhunt's Icy Division.


  1. Russia's FSB 'shuts down' notorious REvil ransomware gang (TechCrunch, Jan 14, 2022)
  2. Newly Discovered Lapsus$ Ransomware Targets Several Organizations in a Month (Cyware Social, Jan 04, 2022)
  3. FBI Investigating 100 Ransomware Variants (Wall Street Journal, Jun 10, 2021)
  4. 2021 Ransomware Statistics, Data & Trends (PurpleSec, 2022)
  5. Justice Department Seizes $6.1 million Related to Alleged Ransomware Extortionists (, Nov 8, 2021)
  6. Inside Genesis: The market created by cybercriminals to make millions selling your digital identity (CBS News, September 2021)
  7. One in 10 cybersecurity incidents investigated by Kaspersky in organizations are considered severe (Kaspersky, July 2021)
  8. X-Force Threat Intelligence Index (IBM, 2021)
  9. REvil ransomware gang claims over $100 million profit in a year (Bleeping Computer, Oct 29, 2020)