Syhunt 2022 Ransomware Threat Report
Paper by Felipe Daragon, Roberto Marc and Syhunt Icy Team. February 8, 2022
After the first mega data leaks at the beginning of 2021, which affected millions of companies and individuals, we started the Syhunt Icy division to monitor the surface, deep and dark web for new data leaks and cyber threats. Since then, we have worked together with media partners to report critical data leaks and the need to harden our cybersecurity posture. Now, a year later, we publish this first report based on the research conducted by Syhunt Icy into the ransomware threat.
Introduction
Ransomware is today's most common type of malicious software: it steals, deletes or encrypts files on compromised machines and then demands payment to recover those files or to keep them from being exposed on the dark web. Over 100 variants of ransomware exist today and are being investigated by researchers and the authorities, including Europol and the FBI, which now considers ransomware attacks to be cyberterrorism.
The phases of a ransomware attack: The first phase is infection, in which the group seeks to infect a device with its ransomware. Statistics show that around 75% of victims had up-to-date endpoint protection, which means that while an up-to-date antivirus is essential to block known ransomware variants, its reactive nature leaves it mostly defenseless against the new variants created by the groups [1]. The second phase is known as lateral movement: after infecting the first device, the group seeks to steal as much information as possible and take control of other devices on the network, which can take hours or months. Finally, the group performs mass encryption, or mass deletion, of the files it accessed and demands a ransom payment. The group may resort to double extortion, requesting an additional payment not to publish the information on its "wall of shame" on the dark web. In such cases, the group may publish part of the information as proof of exfiltration, or a list of the files that will be published if payment is not made. In the recent past, the REvil group created an eBay-like auction site for selling its victims' stolen data [2]. Sometimes groups prefer to sell access to the compromised servers instead of directly selling the information they contain.
Cybercriminals becoming rich: The European Union Agency for Cybersecurity (ENISA) recently said there was a 150% rise in ransomware attacks between April 2020 and July 2021. According to the agency, this is the "golden era of ransomware" due to the plethora of monetization options available to cybercriminals [3]. Ransomware groups are now rich enough to buy zero-day exploits that they can use to claim more victims [4]. 23% of today's high-severity security incidents worldwide are related to ransomware [5]. It is not difficult to understand why: it is a very profitable cybercrime. Behind each ransomware is a group (or gang) that is usually becoming rich illicitly; it is known that about 40% of victims pay the ransom, and that about 25% of business executives would be willing to pay between $20,000 and $50,000 to regain access to encrypted data [6].
Our Analysis & Discoveries
Over 150 TB: total data stolen by ransomware groups
2,843: total victim organizations
31+: total ransomware groups
Over the course of 2021, we mapped and investigated over 30 ransomware groups on the dark web. Since 2019, these groups have created over 100 types of ransomware. We also mapped and investigated sources of data leaks on the surface and deep web. We mapped how much data each ransomware group has stolen, the number of leaked victim organizations per group and country, and the distribution of leaks per layer of the web.
Distribution of Data Leaks Per Web Layer
- The Surface web: hosts thousands of forum threads about data leaks that evolve daily. Such pages are indexed by Google and other search engines.
- The Deep web: out of reach of search engines, the deep web hosts private hacker forum threads that evolve daily. With plenty of hidden content, the Deep web hosts millions of data leaks, including around 16 billion leaked passwords and some data markets. We identified leaks related to 58 million Internet domains on the Deep web. The deep web, together with torrents, is the way hackers prefer to leak and share compromised passwords and databases.
- The Dark web: out of reach of search engines and regular browsers, the dark web hosts key data markets and the web pages of ransomware groups. We mapped a total of 2,843 ransomware victim organizations on the Dark web. Syhunt estimates that 150 terabytes of data have been stolen from these victims by the groups, most of which has been published on their "wall of shame" web pages on the Dark Web. This figure covers both 7-Zip compressed and uncompressed files, which means the actual number of bytes stolen could be significantly higher.
Numbers by Ransomware Group
Syhunt estimates that over 150 terabytes of data have been stolen from victim organizations by ransomware groups from January 2019 up to January 2022. We concluded that some groups, such as dopple_leaks and grief, prefer to claim a large number of victims, stealing small quantities of data from each target and moving quickly from one target to another, while other groups, such as ragnar_locker and pay2key, prefer a smaller number of victims, stealing larger quantities of data from each target.
Group Name | Total of Data Exfiltrated (150TB) | Total of Victim Organizations |
REvil | 44.1 TB | 282 |
conti | 22.9 TB | 600 |
ragnar_locker | 19.6 TB | 29 |
pay2key | 14.3 TB | 6 |
lv_blog | 9.3 TB | 42 |
blackmatter | 8.3 TB | 33 |
snatch | 6 TB | 29 |
alphavm | 4.8 TB | 20 |
lockdata | 4 TB | 7 |
midas | 3.4 TB | 22 |
bonaci_group | 3.3 TB | 3 |
xing_team | 3.1 TB | 19 |
quantum | 2.9 TB | 9 |
everest | 2 TB | 49 |
ransomexx | 1.7 TB | 35 |
payload_bin | 1.4 TB | 7 |
babuk | 1 TB | 5 |
suncrypt | 778.0 GB | 8 |
arvinclub | 426 GB | 5 |
dopple_leaks | 399.3 GB | 198 |
grief | 259.1 GB | 79 |
REvil: Numbers and Profit of a Single Ransomware Group
Over 44 TB: total data stolen by the group in 2020 and 2021
282: total victim organizations
14: total suspected members arrested in 2022
When REvil members were arrested in January 2022, many articles said the group had stolen a total of 21.6 TB from its victims. That figure is an estimate published as part of a 2021 IBM paper [7] and relates to the 2020 period alone. Syhunt's figure is much higher (44.1 TB) because it takes into account REvil's activity in both 2020 (138 victims) and 2021 (144 additional victims).
On January 15, 2022, the Russian Federal Security Service arrested 14 suspected members of the REvil ransomware group at the request of the United States. Seized along with the group were 426 million rubles and €500,000 (about $6 million), as well as $600,000 in cash, cryptocurrency wallets, computers and 20 high-end cars [8]. Over the course of a year, nearly 35% of the victim organizations paid the ransom demanded by REvil, and 43% of the victims had their data leaked by the group.
The seized money is also considered to be the tip of the iceberg of REvil's profit. In November 2021, the US Department of Justice seized US$6.1 million in funds traceable to alleged ransom payments received by a REvil member [9]; the group claimed a profit of over $100 million [10], and researchers estimated it at around $123 million in 2020 alone [11].
The Lapsus$ Group: a Newcomer With Unrealistic Claims
On December 12, 2021, the newcomer Lapsus$ group claimed it had stolen 50 TB of data from Brazil's Ministry of Health [12]. Considering that the experienced REvil group stole 44.1 TB from 280 victims in two years of operation, it is not easy to believe that a newcomer has actually stolen 50 TB of data from a single victim, and the group has not yet provided proof of the 50 TB exfiltration. So far, the group has published 580 MB of source code allegedly stolen from the victim.
After hitting Brazil's Ministry of Health last year, the group has claimed new victims in Portugal this year and, as part of another recent attack, claimed it stole 10 PB (petabytes) of data from the telecom operator Claro Brasil [13], a number that is far more unrealistic than the 50 TB previously alleged. We are not saying that Lapsus$ should not be taken as a serious threat (they took down systems of Brazil's Ministry of Health for weeks), just that the numbers the group claims are not credible and are likely inflated.
While the dark web is the layer preferred by ransomware groups to leak information, the Lapsus$ group is using a public Telegram channel to announce new victims.
Below are additional numbers mapped by Syhunt.
Top 5 Top-Level Domain Extensions Attacked
Extension | Total of Victim Organizations |
1. Companies (.com) | 1895 |
2. Non-profit Organizations (.org) | 117 |
3. Companies (.net) | 46 |
4. Educational (.edu) | 29 |
5. Government (.gov) | 17 |
Top Attacked Continents
Region | Total of Victim Organizations |
1. North America | 788+ (Including USA), 80 (Without USA) |
2. Europe | 379 |
3. Asia | 104 |
4. Oceania | 60 |
5. South America | 59 |
6. Africa | 16 |
Considering our data related to ransomware victims from January 2019 up to January 2022:
- The United States of America is the North American country most attacked by ransomware groups, followed by Canada and Mexico.
- The United Kingdom is the most-attacked country in Europe, followed by France, Italy and Germany.
- Brazil is the top attacked country in South America, followed by Chile.
- Japan is the top attacked country in Asia, followed by India.
- Australia is the top attacked country in Oceania, followed by New Zealand.
- South Africa is the top attacked country in Africa.
Top 10 Attacked Countries
Country | Total of Victim Organizations |
1. United States of America | 708+ |
2. United Kingdom | 97 |
3. France | 56 |
4. Canada | 55 |
5. Italy | 55 |
6. Germany | 51 |
7. Australia | 50 |
8. Brazil | 36 |
9. Japan | 22 |
10. Netherlands | 14 |
Top 10 Attacked Countries in Europe
Country | Total of Victim Organizations |
1. United Kingdom | 97 |
2. France | 56 |
3. Italy | 55 |
4. Germany | 51 |
5. Netherlands | 14 |
6. Austria | 13 |
7. Spain | 13 |
8. Belgium | 12 |
9. Switzerland | 12 |
10. Poland | 8 |
Top 5 Attacked Countries in Asia
Country | Total of Victim Organizations |
1. Japan | 22 |
2. India | 12 |
3. Saudi Arabia | 9 |
4. Singapore | 6 |
5. UAE | 5 |
Top 5 Attacked Countries in South America
Country | Total of Victim Organizations |
1. Brazil | 36 |
2. Chile | 10 |
3. Colombia | 5 |
4. Peru | 4 |
5. Argentina | 1 |
Top 5 Attacked Countries in North America
Country | Total of Victim Organizations |
1. United States of America | 708+ |
2. Canada | 55 |
3. Mexico | 12 |
4. Honduras | 2 |
5. Nicaragua | 2 |
Top 5 Attacked Countries in Africa
Country | Total of Victim Organizations |
1. South Africa | 10 |
2. Morocco | 2 |
3. Angola | 1 |
4. Botswana | 1 |
5. Algeria | 1 |
How we got the numbers
The numbers are based on a database generated by our AI software, Presta, combined with extensive human intelligence work. Presta is an advanced bot created by Syhunt to automate and accelerate the analysis of surface, deep and dark web data leaks collected by Syhunt's Icy Division.
Conclusion
Ransomware groups were bold enough to steal massive quantities of data remotely from a large number of victims and monetize it, sending a strong signal to the cybercrime world about how valuable stolen private corporate information is nowadays: it does not matter how the data was obtained, only that cybercriminals can always monetize fresh data. Working as a catalyst for the expansion of data leaks, the growing ransomware activity accelerated the creation of an interlinked and highly profitable underground cybercriminal world.
Our research indicates that cybercriminals and malicious actors now have plenty of data markets at their disposal on the surface, deep and dark web to sell and share information obtained not only through ransomware attacks but also through other means, such as direct SQL injection attacks, zero-day attacks, web scraping or the use of malicious insiders.
While an up-to-date antivirus is essential to block known ransomware variants, antivirus software is mostly defenseless against the new ransomware variants created by the groups. For this reason, defense against ransomware and data leaks in general must take a multifaceted approach which must include, among other things:
- Up-to-date antivirus software, operating system and applications
- Regular backup operations, with the backups kept offline
- Increased use of encryption for sensitive files and data, combined with compartmentalization and containerization
- Use of bcrypt with a cost factor of 12 or higher when hashing passwords
- Use of multifactor authentication
- Hardened web application security
- Active monitoring for leaks through internal or external means
- Monitoring the evolution of security and privacy scores related to the organization
- Heightened awareness of social engineering and phishing attacks
- Validating the sender of USB devices received through the post. On January 10, 2022, the FBI warned that the FIN7 group is sending malware-laden USB sticks to companies, disguised as coming from legitimate senders such as Amazon or government departments.
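As an added illustration of the bcrypt recommendation above (this is example code, not part of the Syhunt report), the check below audits stored password hashes for the cost factor encoded in their `$2b$NN$` prefix and flags any that must be rehashed at the user's next login; the sample user rows are constructed, and `hash_password` assumes the third-party `bcrypt` package is installed.

```python
import re
from typing import Dict, List, Optional

# Minimum bcrypt cost factor recommended in the report above.
MIN_COST = 12

# Modular-crypt-format bcrypt hash: $2a$/$2b$/$2y$, two-digit cost, then a
# 22-character salt and a 31-character digest (53 characters in total).
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def bcrypt_cost(stored_hash: str) -> Optional[int]:
    """Return the cost factor of a stored bcrypt hash, or None if it is not bcrypt."""
    m = BCRYPT_RE.match(stored_hash)
    return int(m.group(1)) if m else None


def needs_rehash(stored_hash: str, min_cost: int = MIN_COST) -> bool:
    """True when the stored hash is not bcrypt or its cost is below policy."""
    cost = bcrypt_cost(stored_hash)
    return cost is None or cost < min_cost


def audit_hashes(records: Dict[str, str], min_cost: int = MIN_COST) -> List[str]:
    """Return the usernames whose stored hash fails the policy, for a migration report."""
    return sorted(user for user, h in records.items() if needs_rehash(h, min_cost))


def hash_password(password: str, cost: int = MIN_COST) -> str:
    """Hash a password at the policy cost using the bcrypt library (optional dependency)."""
    import bcrypt  # pip install bcrypt; imported lazily so the audit works without it
    return bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=cost)).decode()


# Constructed sample rows: salt and digest characters are dummies, only the prefix matters.
SAMPLE_USERS = {
    "alice": "$2b$12$" + "a" * 22 + "b" * 31,  # bcrypt at cost 12: compliant
    "bob": "$2a$10$" + "c" * 22 + "d" * 31,    # bcrypt at cost 10: below policy
    "carol": "5f4dcc3b5aa765d61d8327deb882cf99",  # unsalted MD5: must be migrated
}

if __name__ == "__main__":
    print("accounts needing rehash:", audit_hashes(SAMPLE_USERS))
```

Because a bcrypt hash cannot be upgraded without the plaintext, the flagged accounts are rehashed transparently the next time the user authenticates successfully.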
About Syhunt Security
With next-generation assessment technology, Syhunt established itself as a leading player in the web application security field, delivering its assessment tools to a range of organizations across the globe, from the SMB to the enterprise. Syhunt products help organizations defend against the wide range of sophisticated cyberattacks currently taking place at the Web application layer.
Syhunt proactively detects vulnerabilities and weaknesses that lead to data leak or breach - Syhunt tools focus on the many angles and views that can be used for evaluating the security state of a web application, such as its live version (through dynamic analysis / DAST), source code (SAST), server log (proactive forensics) and configuration (hardening).
Syhunt's founder Felipe Daragon started his career in the 90s working as a security consultant for government organizations and corporations. At the beginning of his career he worked for leading information security firms in Brazil. Daragon's last 22 years in the information security industry have been dedicated to proactively defending companies and government agencies from attacks, and to raising awareness of pressing security issues and new cyberattack trends.
Roberto Marc studied and learned programming together with Daragon nearly 20 years ago and is driven by a passion for technology, software, hardware and mathematics. Experienced in both Linux and Windows environments, Marc joined Syhunt both as a software researcher and later became Syhunt's leading Dark & Deep Web Analyst.
Presta AI is an advanced bot created by Syhunt to automate and accelerate the analysis of surface, deep and dark web data leaks collected by Syhunt's Icy Division.
References
- Russia's FSB 'shuts down' notorious REvil ransomware gang (TechCrunch, Jan 14, 2022)
- Newly Discovered Lapsus$ Ransomware Targets Several Organizations in a Month (Cyware Social, Jan 04, 2022)
- FBI Investigating 100 Ransomware Variants (Wall Street Journal, Jun 10, 2021)
- 2021 Ransomware Statistics, Data & Trends (PurpleSec, 2022)
- Justice Department Seizes $6.1 million Related to Alleged Ransomware Extortionists (Justice.gov, Nov 8, 2021)
- Inside Genesis: The market created by cybercriminals to make millions selling your digital identity (CBS News, September 2021)
- One in 10 cybersecurity incidents investigated by Kaspersky in organizations are considered severe (Kaspersky, July 2021)
- X-Force Threat Intelligence Index (IBM, 2021)
- REvil ransomware gang claims over $100 million profit in a year (Bleeping Computer, Oct 29, 2020)