A Deep Dive into Active Ransomware Groups

Earlier this year, our threat intelligence team at Abnormal published a report on the evolution of ransomware. The report explored the growing threat of ransomware, including the primary factors influencing the ransomware landscape, with insight into who is being targeted across various industries and locations.

The report also included a deep dive into the threat actors themselves, their activities, and a few reasons why we’ve seen a 600% increase in the number of active groups since January 2020.

Similar to what we saw in 2016 when ransomware saw its initial global explosion, a growing number of minor threat groups have entered the scene—piggybacking on the success of the more established groups.

We tracked 62 different ransomware groups and their activities starting in January 2020. While some of these were merely rebranded variations of previous ransomware strains (such as Maze rebranding to Egregor or DarkSide renaming itself BlackMatter), most of these groups are unique threats that have emerged for a few months at a time in smaller volumes.

The number of active ransomware groups each month has increased dramatically, growing from just three in February 2020 to a peak of 28 in November 2021.

Five groups—Conti, LockBit, Pysa, REvil, and Maze/Egregor—were responsible for more than half of all ransomware attacks over the past two years. Two of those groups (Conti and LockBit) are still active today, and, as of Q1 2022, they make up almost 50% of the present ransomware attack volume.

This demonstrates the centralized nature of the ransomware landscape, where a very small number of threat groups drive most of the malicious activity.

The silver lining to this top-heavy ecosystem is that disruptive actions against one of these primary groups, such as law enforcement takedowns, can have a significant impact on the overall landscape. This is different from a threat like business email compromise, where targeted disruptive actions are generally less impactful to overall attack volume due to the decentralized structure of the threat landscape.

One of the biggest challenges to disrupting the ransomware landscape in the past few years has been the hydra-like nature of how it has grown. Whenever a primary group has exited the scene, one or more new big groups enter, along with additional smaller groups.

For example, when Maze shut down in December 2020, Conti and REvil had both just emerged to fill the void. Similarly, when REvil went offline and Avaddon shut down in the early summer of 2021, LockBit resurfaced with a new version of their malware and became the most prolific ransomware group over the remainder of the year.

So while we’ve actually seen a fair amount of turnover among the top ransomware groups, the total volume of attacks has remained consistently high. This is because exiting groups are being replaced by new ones, leading to the overall number of active groups increasing by seven times since January 2020.

Ransomware actors are collectively opportunistic when selecting their targets, preferring to settle for easy victims rather than consciously singling out specific companies to attack. Individually, however, some groups have solicited access to companies that meet certain criteria on underground forums.

For example, in July 2021, an actor associated with the BlackMatter ransomware group (the successor to DarkSide) posted on the Exploit forum that the group was looking for access to corporate networks of companies meeting specific location, revenue, and industry specifications.

We can also see evidence of this preferred targeting in our data. Some groups significantly deviate from the overall baseline characteristics of ransomware victims, indicating that while these groups may not be targeting specific companies, they seem to have a preferred target profile.

While the median annual revenue for a ransomware victim is $27 million, our data shows that a few ransomware groups aim for bigger targets than others. The group that is most prevalently involved in big game hunting is CL0P, whose victims had a median annual revenue of $111 million—more than four times higher than the average. Although not as drastic, the median revenue for victims of Conti ransomware attacks was almost two times higher than average at $48 million.

On the other end of the spectrum, a few groups seem to prefer smaller prey. Avaddon’s victims had a median annual revenue of $10 million, while the revenue for LockBit victims was even lower at only $8 million.

While most ransomware victims over the last two years have been located in North America or Western Europe, some groups have made these two regions their almost exclusive hunting grounds.

Nearly all of Conti’s almost 700 targets (94%) were located in one of these two regions. Similarly, Grief ransomware and its predecessor DoppelPaymer both almost exclusively targeted North American and Western European companies, with 92% of their victims in those areas.

Other groups have focused their efforts on other parts of the world. Ragnarok, which was active between December 2020 and August 2021, was the only group we observed where a majority (61%) of their targets were based in Europe. In fact, none of Ragnarok’s corporate victims in 2021 were located in North America—a definite outlier in the ransomware world.

Prometheus, which was active between March 2021 and July 2021 before rebranding as Spook, was the only group where a plurality (37%) of its targets were located in South America. And while companies in the Asia-Pacific region are generally lower down on a ransomware group’s list of targets, two groups—LV and LockBit—targeted organizations in the region at a significantly higher rate.

Ransomware continues to be a significant threat vector across all industries, all company sizes, and all countries. Ransomware actors have proven that they are focused on one thing: making money in whatever way possible.

Malware delivered via email continues to be the initial foothold for ransomware. Once this first payload has been delivered, threat actors can deploy additional malware to gain access to the company network and hold your information for ransom. Now is the time to secure your environment and protect your end users from these malicious emails—before the next ransomware attack impacts you.

Download the full report for a comprehensive look at the ransomware landscape.