A decrease in attacks? Or the “calm before the storm.” Cyberint Q2 Ransomware Report issued.
The Ransomware Landscape for Q2 published by security firm Cyberint presents a compelling and well written report on the current state of ransomware.
It has some great statistical reporting. Ransomware attacks had 10 per cent fewer victims in Q2. The US leads in infection rates by a “landslide”; it accounted for 208 of 709 reported victims worldwide. Lockbit is leading in terms of infection rates with 204, versus their nearest competitor AlphaV with 58.
In addition, this report has a compelling and well written description of the major players and how they stack up competitively. It’s a lot like reading the rundown on mafia crime families.
The Death of Conti?
The report details the demise of Conti, which the report says was once “the most popular ransomware group of our era.” Conti is reported to have had over 600 campaigns and a total revenue of around US$2.7 billion in cryptocurrency.
Conti was well organized and run like a corporation, with human resources, product development, and it cultivated a brand image of criminal professionalism. Followers of ransomware will remember that a Ukrainian security researcher infiltrated the group infrastructure and leaked everything about the group – from structure to source code.
According to the Cyberint report, the group is now just a shadow of its former self and no longer the “ones we knew and feared.”
They report that it appears as if the founders have moved on, leaving a remnant group which the report notes are far less “socially responsible and sophisticated” and perhaps even “significantly less experienced.”
What remains is, according to the report, “nothing but the name of a group that used to be great.”
The rise of Lockbit and a host of competitors
The report also details the rise of the new leader, Lockbit, which leads all other groups in terms of the number and scope of attacks. Lockbit caused a stir a few weeks back when it claimed that it had hacked security firm Mandiant. This was denied by Mandiant and even Lockbit admitted the announcement was fake. But the fact that it was believable gives credit to the gang’s emerging reputation.
Although Lockbit is the new giant on the ransomware scene, the report also describes some up and coming competitors.
- The karakurt group has returned after a long silence. Karakurt focuses on data theft and destruction, leveraging vulnerabilities in existing software. Karakurt’s “leaking platform” has 34 companies listed as of June 30th, making them a “rising threat.”
- BlackCatALPHV is a rebrand of the Darkside group which rose to infamy with the attack on Colonial Pipelines. Its theft of data and pressure campaign on the guests and employees of a major hotel shows just aggressively they will pursue their extortion strategy.
- BLACKBASTA was first assumed to be a new incarnation of the Conti gang, but the report’s authors are not convinced there are enough similarities. It may simply be that some individuals move between the various gangs. They are what has come to be a fairly standard “steal and encrypt” ransomware gang, but are growing at a rapid pace.
- INDUSTRIAL SPY seems to be attempting to create a platform for revealing data stolen in ransomware attacks. Their goal, according to the report, is to be the “ultimate repository” of victim data. Their structure includes different product lines with premium, general, and free sections.
The calm before the storm
The overall conclusion of the report is that although ransomware attacks have declined, it may be what they called “the calm before the storm.” While some of the initial leaders have gone dark or even totter on the edge of potential failure, there is a new group of emerging leaders ready to take their place. What happens at that point is anyone’s guess.
As of time of publication we do not have a link to download the full report but we will post one as soon as it becomes available.
