
Syhunt 2022 Ransomware Threat Report

Paper by Felipe Daragon, Roberto Marc and the Syhunt Icy Team. February 8, 2022

After the first mega data leaks at the beginning of 2021, which affected millions of companies and individuals, we started the Syhunt Icy division to monitor the surface, deep and dark web for new data leaks and cyber threats. Since then, we have worked together with media partners to report on critical data leaks and on the need to harden our cybersecurity posture. Now, a year later, we publish this first report based on the research conducted by Syhunt Icy into the ransomware threat.


Introduction

Ransomware is today's most common type of malicious software: it steals, deletes or encrypts files on compromised machines and subsequently demands payment to recover those files or to avoid having them exposed on the dark web. Over 100 variants of ransomware exist today and are being investigated by researchers and the authorities, including Europol and the FBI, which now treats ransomware attacks as cyberterrorism.

The phases of a ransomware attack: The first phase is infection, in which the group seeks to infect a device with its ransomware. Statistics show that around 75% of victims had up-to-date endpoint protection, which means that while an up-to-date antivirus is essential to block known ransomware variants, its reactive nature leaves it mostly defenseless against the new variants the groups create [1]. The second phase is known as lateral movement. After infecting the first device, the group seeks to steal as much information as possible and to take control of other devices on the network; this can take hours or months. Finally, the group performs mass encryption, or mass deletion, of the files it accessed in order to demand a ransom payment. The group may resort to double extortion, requesting an additional payment not to publish the information on its "wall of shame" on the dark web. In such cases, the group may publish part of the information as proof of exfiltration, or a list of the files that will be published if the payment is not made. In the recent past, the REvil group created an eBay-like auction site for selling the stolen data of its victims [2]. Sometimes groups prefer to sell access to the compromised servers instead of directly selling the information they contain.

Cybercriminals becoming rich: The European Union Agency for Cybersecurity (ENISA) recently reported a 150% rise in ransomware attacks between April 2020 and July 2021. According to the agency, this is the "golden era of ransomware" due to the plethora of monetization options available to cybercriminals [3]. Ransomware groups are now rich enough to buy zero-day exploits that they can use to claim more victims [4]. 23% of today's high-severity incidents worldwide are related to ransomware [5]. It is not difficult to understand why: it is a very profitable cybercrime. Behind each ransomware is a group (or gang) that is usually getting rich illicitly; it is known that about 40% of victims pay the ransom, and that about 25% of business executives would be willing to pay between $20,000 and $50,000 to regain access to encrypted data [6].

Our Analysis & Discoveries

Total of data stolen by ransomware groups: over 150 TB
Total of victim organizations: 2,843
Total of ransomware groups: 31+

Over the course of 2021, we mapped and investigated over 30 ransomware groups on the dark web. Since 2019, these groups have created over 100 types of ransomware. We also mapped and investigated sources of data leaks on the surface and deep web. We mapped how much data each ransomware group has stolen, the number of leaked victim organizations per group and per country, and the distribution of leaks per layer of the web.

Distribution of Data Leaks Per Web Layer

Numbers by Ransomware Group

Syhunt estimates that over 150 terabytes of data were stolen from victim organizations by ransomware groups from January 2019 up to January 2022. We concluded that some groups, such as dopple_leaks and grief, prefer to claim a large number of victims, stealing small quantities of data from each target and moving quickly from one target to the next, while other groups, such as ragnar_locker and pay2key, prefer to claim a smaller number of victims and steal larger quantities of data from each target.

Group Name | Data Exfiltrated (over 150 TB in total) | Victim Organizations
REvil | 44.1 TB | 282
conti | 22.9 TB | 600
ragnar_locker | 19.6 TB | 29
pay2key | 14.3 TB | 6
lv_blog | 9.3 TB | 42
blackmatter | 8.3 TB | 33
snatch | 6 TB | 29
alphavm | 4.8 TB | 20
lockdata | 4 TB | 7
midas | 3.4 TB | 22
bonaci_group | 3.3 TB | 3
xing_team | 3.1 TB | 19
quantum | 2.9 TB | 9
everest | 2 TB | 49
ransomexx | 1.7 TB | 35
payload_bin | 1.4 TB | 7
babuk | 1 TB | 5
suncrypt | 778.0 GB | 8
arvinclub | 426 GB | 5
dopple_leaks | 399.3 GB | 198
grief | 259.1 GB | 79

REvil: Numbers and Profit of a Single Ransomware Group

Total of data stolen by the group in 2020 and 2021: over 44 TB
Total of victim organizations: 282
Total of suspected members arrested in 2022: 14

When the REvil suspects were arrested in January 2022, many articles said the group had stolen a total of 21.6 TB from its victims. That number is an estimate published as part of a 2021 IBM paper [7] and covers the 2020 period alone. Syhunt's number is much higher (44.1 TB) because it takes into account REvil's activity in both 2020 (138 victims) and 2021 (144 additional victims).

On January 15, 2022, the Russian Federal Security Service arrested 14 suspected members of the REvil ransomware group at the request of the United States. Seized along with the group were 426 million rubles and EUR 500,000 (about $6 million), as well as $600,000 in cash, cryptocurrency wallets, computers and 20 high-end cars [8]. Over the course of a year, nearly 35% of the victim organizations paid the ransom demanded by REvil, and 43% of the victims had their data leaked by the group.

The seized money is also considered to be the tip of the iceberg of REvil's profit. In November 2021, the US Department of Justice seized US$6.1 million in funds traceable to alleged ransom payments received by a REvil member [9]; the group itself claimed a profit of over $100 million [10], and researchers estimated it at around $123 million in 2020 alone [11].


The Lapsus$ Group: a Newcomer With Unrealistic Claims

On December 12, 2021, the newcomer Lapsus$ group claimed it had stolen 50 TB of data from Brazil's Ministry of Health [12]. Considering that the experienced REvil group stole 44.1 TB from 282 victims in two years of operation, it is not easy to believe that a newcomer has actually stolen 50 TB of data from a single victim, and the group has not yet provided proof of the 50 TB exfiltration. So far, the group has published 580 MB of source code allegedly stolen from the victim.

After hitting Brazil's Ministry of Health last year, the group has claimed new victims in Portugal this year and, as part of another recent attack, claimed it stole 10 PB (petabytes) of data from the telecom operator Claro Brasil [13], a number even less realistic than the 50 TB previously alleged. We are not saying that Lapsus$ should not be taken as a serious threat (they took down systems of Brazil's Ministry of Health for weeks), only that the numbers the group claims are not credible and are likely inflated.

While the dark web is the layer preferred by ransomware groups for leaking information, the Lapsus$ group uses a public Telegram channel to announce new victims.
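The two observations above, that groups differ widely in how much they take per victim and that the Lapsus$ volumes are implausible, can both be checked with a few lines of Python. The script below is an added example and not Syhunt's code or part of Presta: it transcribes the group table from this report, ranks the groups by average data per victim, and estimates how long a claimed volume would take to move over a single saturated link. The link speeds (1 Gbps and 10 Gbps) and the use of decimal units (1 TB = 10^12 bytes) are assumptions chosen for illustration, and the table covers only the 21 groups listed above, not all 31+ groups the report mapped.

```python
"""Added example (not Syhunt's code): per-victim exfiltration averages from the
group table above, plus a transfer-time sanity check for claimed data volumes.
Rows are transcribed from the report; link speeds are illustrative assumptions."""
from __future__ import annotations

from dataclasses import dataclass

# Transcribed from the report's "Numbers by Ransomware Group" table (21 of the
# 31+ groups the report mapped, so totals here are lower than the report's).
GROUP_TABLE = """\
REvil|44.1 TB|282
conti|22.9 TB|600
ragnar_locker|19.6 TB|29
pay2key|14.3 TB|6
lv_blog|9.3 TB|42
blackmatter|8.3 TB|33
snatch|6 TB|29
alphavm|4.8 TB|20
lockdata|4 TB|7
midas|3.4 TB|22
bonaci_group|3.3 TB|3
xing_team|3.1 TB|19
quantum|2.9 TB|9
everest|2 TB|49
ransomexx|1.7 TB|35
payload_bin|1.4 TB|7
babuk|1 TB|5
suncrypt|778.0 GB|8
arvinclub|426 GB|5
dopple_leaks|399.3 GB|198
grief|259.1 GB|79
"""

# Decimal prefixes, which is how the report (and most vendors) quote volumes (assumption).
UNITS = {"GB": 1e9, "TB": 1e12, "PB": 1e15}


def parse_size(text: str) -> float:
    """Convert a string such as '14.3 TB' to bytes; reject unknown units."""
    value, unit = text.split()
    if unit.upper() not in UNITS:
        raise ValueError(f"unknown unit: {unit}")
    return float(value) * UNITS[unit.upper()]


@dataclass(frozen=True)
class GroupStats:
    name: str
    total_bytes: float
    victims: int

    @property
    def bytes_per_victim(self) -> float:
        return self.total_bytes / self.victims


def parse_table(table: str = GROUP_TABLE) -> list[GroupStats]:
    """Parse 'name|size|victims' rows into GroupStats records."""
    rows = []
    for line in table.strip().splitlines():
        name, size, victims = (field.strip() for field in line.split("|"))
        rows.append(GroupStats(name, parse_size(size), int(victims)))
    return rows


def rank_by_bytes_per_victim(stats: list[GroupStats]) -> list[GroupStats]:
    """Groups with the largest average haul per victim come first."""
    return sorted(stats, key=lambda g: g.bytes_per_victim, reverse=True)


def transfer_days(total_bytes: float, link_gbps: float) -> float:
    """Days needed to move total_bytes over one link saturated at link_gbps."""
    seconds = total_bytes * 8 / (link_gbps * 1e9)
    return seconds / 86400


if __name__ == "__main__":
    for g in rank_by_bytes_per_victim(parse_table()):
        print(f"{g.name:14} {g.bytes_per_victim / 1e9:10.1f} GB/victim  ({g.victims} victims)")
    # Sanity check of the Lapsus$ claims; link speeds are assumed, not reported.
    for label, size, gbps in [("Lapsus$ claim (Ministry of Health)", "50 TB", 1.0),
                              ("Lapsus$ claim (Claro Brasil)", "10 PB", 10.0)]:
        print(f"{label}: {transfer_days(parse_size(size), gbps):.1f} days at {gbps} Gbps")
```

The ranking confirms the report's reading of the table: pay2key, bonaci_group and ragnar_locker average well over half a terabyte per victim, while dopple_leaks and grief average only a few gigabytes. The transfer estimate is a lower bound (it ignores compression, throttling and the fact that a victim's uplink is rarely saturated for days unnoticed): 50 TB needs about 4.6 days on a saturated 1 Gbps link, and 10 PB about three months at a sustained 10 Gbps, which is why the Claro Brasil figure in particular deserves skepticism.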


Find below additional numbers mapped by Syhunt.



Top 5 Top-Level Domain Extensions Attacked

Extension | Victim Organizations
1. Companies (.com) | 1895
2. Non-profit Organizations (.org) | 117
3. Companies (.net) | 46
4. Educational (.edu) | 29
5. Government (.gov) | 17

Top Attacked Continents

Region | Victim Organizations
1. North America | 788+ (including the USA), 80 (without the USA)
2. Europe | 379
3. Asia | 104
4. Oceania | 60
5. South America | 59
6. Africa | 16

Considering our data related to ransomware victims from January 2019 up to January 2022:

Top 10 Attacked Countries

Country | Victim Organizations
1. United States of America | 708+
2. United Kingdom | 97
3. France | 56
4. Canada | 55
5. Italy | 55
6. Germany | 51
7. Australia | 50
8. Brazil | 36
9. Japan | 22
10. Netherlands | 14

Top 10 Attacked Countries in Europe

Country | Victim Organizations
1. United Kingdom | 97
2. France | 56
3. Italy | 55
4. Germany | 51
5. Netherlands | 14
6. Austria | 13
7. Spain | 13
8. Belgium | 12
9. Switzerland | 12
10. Poland | 8

Top 5 Attacked Countries in Asia

Country | Victim Organizations
1. Japan | 22
2. India | 12
3. Saudi Arabia | 9
4. Singapore | 6
5. UAE | 5


Top 5 Attacked Countries in South America

Country | Victim Organizations
1. Brazil | 36
2. Chile | 10
3. Colombia | 5
4. Peru | 4
5. Argentina | 1

Top 5 Attacked Countries in North America

Country | Victim Organizations
1. United States of America | 708+
2. Canada | 55
3. Mexico | 12
4. Honduras | 2
5. Nicaragua | 2

Top 5 Attacked Countries in Africa

Country | Victim Organizations
1. South Africa | 10
2. Morocco | 2
3. Angola | 1
4. Botswana | 1
5. Algeria | 1

How we got the numbers

The numbers are based on a database generated by our AI software Presta, combined with extensive human intelligence work. Presta is an advanced bot created by Syhunt to automate and accelerate the analysis of the surface, deep and dark web data leaks collected by Syhunt's Icy Division.


Conclusion

The ransomware groups were bold enough to steal massive quantities of data remotely from a large number of victims and monetize it, sending a strong signal to the cybercrime world about how valuable stolen private corporate information is today: it does not matter how the data was obtained, only that cybercriminals can always monetize fresh data. Acting as a catalyst for the expansion of data leaks, the growing ransomware activity accelerated the creation of an interlinked and highly profitable underground cybercriminal world.

Our research indicates that cybercriminals and malicious actors now have plenty of data markets at their disposal on the surface, deep and dark web, where they sell and share information obtained not only through ransomware attacks but also through other means, such as direct SQL injection attacks, zero-day attacks, web scraping or the use of malicious insiders.

While an up-to-date antivirus is essential to block known ransomware variants, antivirus software is mostly defenseless against the new variants the groups create. For this reason, defense against ransomware and data leaks in general must take a multifaceted approach, which must include, among other things:


About Syhunt Security

With next-generation assessment technology, Syhunt established itself as a leading player in the web application security field, delivering its assessment tools to a range of organizations across the globe, from the SMB to the enterprise. Syhunt products help organizations defend against the wide range of sophisticated cyberattacks currently taking place at the Web application layer.

Syhunt proactively detects vulnerabilities and weaknesses that lead to data leak or breach - Syhunt tools focus on the many angles and views that can be used for evaluating the security state of a web application, such as its live version (through dynamic analysis / DAST), source code (SAST), server log (proactive forensics) and configuration (hardening).

Syhunt's founder Felipe Daragon started his career in the 1990s as a security consultant for government organizations and corporations. Early in his career he worked for leading information security firms in Brazil. Daragon's last 22 years in the information security industry have been dedicated to proactively defending companies and government agencies from attacks, and to raising awareness of pressing security issues and new cyber attack trends.

Roberto Marc studied and learned programming together with Daragon nearly 20 years ago and is driven by a passion for technology, software, hardware and mathematics. Experienced in both Linux and Windows environments, Marc joined Syhunt as a software researcher and later became Syhunt's leading Dark & Deep Web Analyst.

Presta AI is an advanced bot created by Syhunt to automate and accelerate the analysis of surface, deep and dark web data leaks collected by Syhunt's Icy Division.

References

1. Russia's FSB 'shuts down' notorious REvil ransomware gang (TechCrunch, Jan 14, 2022)
2. Newly Discovered Lapsus$ Ransomware Targets Several Organizations in a Month (Cyware Social, Jan 04, 2022)
3. FBI Investigating 100 Ransomware Variants (Wall Street Journal, Jun 10, 2021)
4. 2021 Ransomware Statistics, Data & Trends (PurpleSec, 2022)
5. Justice Department Seizes $6.1 million Related to Alleged Ransomware Extortionists (Justice.gov, Nov 8, 2021)
6. Inside Genesis: The market created by cybercriminals to make millions selling your digital identity (CBS News, September 2021)
7. One in 10 cybersecurity incidents investigated by Kaspersky in organizations are considered severe (Kaspersky, July 2021)
8. X-Force Threat Intelligence Index (IBM, 2021)
9. REvil ransomware gang claims over $100 million profit in a year (Bleeping Computer, Oct 29, 2020)
Retrieved from https://www.syhunt.com/en/index.php?n=Articles.RansomwareThreat2022
Page last modified on February 07, 2022, at 06:48 PM