Nearly one in three victims succumb to extortion, estimates Group-IB

Alliances between threat actors are leading to a growing and diversified market for ransomware, reports Group-IB

The volume of information leaked by ransomware-abusing cybercriminals through data leak sites has grown by a factor of 10 in only 12 months, according to threat intelligence firm Group-IB.

Data on 2,371 companies were released on ransomware data leak sites over the second half of 2020 and first half of 2021 (a 935% increase).

The increased use by cybercriminals of data leak sites is symptomatic of an evolution in the overall ransomware marketplace.

For some years cybercrooks have used a combination of phishing and network vulnerabilities to infiltrate corporate networks and encrypt data before demanding payment in return for decryption keys.

More recently, ransomware peddlers have threatened to leak sensitive information if ransom demands are not met – a so-called ‘double extortion’ threat that relies on data leak sites.

Conti crowned most prolific

Conti became the most aggressive ransomware strain, which accounted for public information about 361 victims being available through data leak sites. Lockbit (251), Avaddon (164), REvil (155), and Pysa (118) gangs were also in the habit of leaking the data of victims who failed to cave into extortion.

Companies whose data was posted on data leak domains by ransomware operators in 2021 were based in the US (968 companies), Canada (110), and France (103), while most organizations affected belonged to the manufacturing (9.6%), real estate (9.5%), and transportation industries (8.2%).

YOU MIGHT ALSO LIKE Insider threat: Tech firm was hacked and extorted by its own employee, says FBI

Victims can still find their data on data leak sites even if the ransom is paid, according to Group-IB, which estimates that a little less than a third of ransomware demands result in payments.

It is noteworthy that in the first three quarters of 2021, ransomware operators released 47% more data on attacked companies than in the whole of 2020. Taking into account that cybercriminals release data relating to only about 10% of their victims, the actual number of ransomware attack victims is likely to be dozens more. The share of companies that pay the ransom is estimated at 30%.

Group-IB released the figures today (December 2) in its Hi-Tech Crime Trends 2021/2022 report during its annual CyberCrimeCon conference.

Ransomware boom

The ransomware market in general has diversified and expanded.

For example, many of the developers of the malware and those who mastermind operations have launched affiliate schemes that offer less skilled but persistent cybercriminals the chance to earn an income from successful phishing attacks and the like.

A total of 21 new Ransomware-as-a-Service (RaaS) affiliate programs appeared in the year up until the end of June 2021, according to Group-IB.

Another flourishing subset of criminals sell compromised access to corporate networks to ransomware gangs and other cybercriminals. The number of these so-called initial access brokers (IABs) tracked by Group-IB trebled to reach 262 – up from just 86 active brokers logged between H1 2019-H1 2020.

Catch up on the latest ransomware news and analysis

Meanwhile the number of offers to sell access to companies almost tripled to reach 1,099.

Other threat intel firms, including Digital Shadows, also link the activity of IABs to the surge of ransomware attacks.

‘Far faster rate’

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, told The Daily Swig: “The popularity of initial access brokers (IABs) has risen as the barrier to entry for cybercriminals has lowered. Using IABs allows ransomware operators and other cybercriminals to expedite their time on task.

“By using IABs, cybercriminals can complete the reconnaissance and weaponization stages of the cyber kill chain at a far faster rate, allowing them to gain access to targeted networks for subsequent exploitation quickly,” Morgan added.

Morgan explained that vulnerable virtual private network (VPN) systems were among the main ways that cybercriminals gain a foothold into targeted environments.

“The use of IABs will likely continue at similar rates in 2022 given the abundance of susceptible networks and low prices for accesses; the most popular access types observed by Digital Shadows in 2021 were remote desktop protocol (RDP) and virtual private network (VPN),” Morgan said.

“The increase in IABs use has likely been influenced by the rise of remote services. Threat actors typically identify exposed services on common ports, which often have weak credentials that can be brute-forced, through which VPN and RDP accesses are commonly permitted.”

Cybercrime bazaars

Much of this trade is being conducted through online cybercrime marketplaces.

During a session at CyberCrimeCon an analyst from banking group Santander explained how they were using social network analysis to understand the ransomware business and identify key player, intelligence it passed on to law enforcement and which has led to a number of arrests, including a recent bust in Ukraine.

As partnerships between ransomware operators and IABs under the RaaS model have grown from strength to strength other long-running scams such as carding (the trade in stolen credit and debit cards) have gone into something of a decline.

The carding market dropped by 26%, from $1.9 billion to $1.4 billion when compared to the previous period.

“The decrease can be explained by the lower number of dumps (data stored on the magnetic stripe on bank cards) offered for sale: the number of offers shrank by 17%, from 70 million records to 58 million, due to the infamous card shop Joker’s Stash shutting down.,” according to Group-IB.

Conversely, sale volumes of bank card text data (bank card numbers, expiration dates, names of owners, addresses, CVVs) offered for sale increased 36% from 28 million records to 38 million records. Group-IB also noted an increase in the number of phishing web resources mimicking famous brands during the pandemic.

The average price for text data climbed from $12.78 to $15.20, according to the threat intel firm.


Another cohort of cybercriminals actively forging partnerships over the review period were scammers. Group-IB reckons there are more than 70 phishing and scam affiliate programs.

“Affiliate programs involve large numbers of participants, have a strict hierarchy, and use complex technical infrastructures to automate fraudulent activities. Phishing and scam affiliate programs actively use Telegram bots that provide participants with ready-to-use scam and phishing pages. This helps scale phishing campaigns and tailor them to banks, popular email services, and other organizations,” said Group-IB.

Phishing and scam affiliate programs, initially focused on Russia and other CIS countries, recently started their online migration to Europe, America, Asia, and the Middle East, according to Group-IB. Examples of these scams include Classiscam, an automated scam-as-a-service designed to steal money and payment data.

Group-IB has logged 71 brands in 36 countries targeted by these scams. Phishing and scam websites created by affiliate program members most often mimic marketplaces (69.5%), delivery services (17.2%), and carpooling services (12.8%).

RELATED: Exploit-as-a-service: Cybercriminals exploring potential of leasing out zero-day vulnerabilities