Abstract Seafoam Corner

A Deep Dive into Active Ransomware Groups

Here’s an in-depth analysis of the 62 most prominent ransomware groups and their activities since January 2020.

May 27, 2022

Earlier this year, our threat intelligence team at Abnormal published a report on the evolution of ransomware. The report explored the growing threat of ransomware, including the primary factors influencing the ransomware landscape, with insight into who is being targeted across various industries and locations.

The report also included a deep dive into the threat actors themselves, their activities, and a few reasons why we’ve seen a 600% increase in the number of active groups since January 2020.

Pros and Cons of the Centralized Ransomware Ecosystem

Similar to what we saw in 2016 when ransomware saw its initial global explosion, a growing number of minor threat groups have entered the scene—piggybacking on the success of the more established groups.

We tracked 62 different ransomware groups and their activities starting in January 2020. While some of these were merely rebranded variations of previous ransomware strains (such as Maze rebranding to Egregor or DarkSide renaming itself BlackMatter), most of these groups are unique threats that have emerged for a few months at a time in smaller volumes.

The number of active ransomware groups each month has increased dramatically, growing from just three in February 2020 to a peak of 28 in November 2021.

Monthly Active Ransomware Groups

Five groups—Conti, LockBit, Pysa, REvil, and Maze/Egregor—were responsible for more than half of all ransomware attacks over the past two years. Two of those groups (Conti and LockBit) are still active today, and, as of Q1 2022, they make up almost 50% of the present ransomware attack volume.

This demonstrates the centralized nature of the ransomware landscape, where a very small number of threat groups drive most of the malicious activity.

The silver lining to this top-heavy ecosystem is that disruptive actions against one of these primary groups, such as law enforcement takedowns, can have a significant impact on the overall landscape. This is different from a threat like business email compromise, where targeted disruptive actions are generally less impactful to overall attack volume due to the decentralized structure of the threat landscape.

Number of Victims for Top 15 Ransomware Groups

Number of victims in all of 2020 and 2021

One of the biggest challenges to disrupting the ransomware landscape in the past few years has been the hydra-like nature of how it has grown. Whenever a primary group has exited the scene, one or more new big groups enter, along with additional smaller groups.

For example, when Maze shut down in December 2020, Conti and REvil had both just emerged to fill the void. Similarly, when REvil went offline and Avaddon shut down in the early summer of 2021, LockBit resurfaced with a new version of their malware and became the most prolific ransomware group over the remainder of the year.

So while we’ve actually seen a fair amount of turnover among the top ransomware groups, the total volume of attacks has remained consistently high. This is because exiting groups are being replaced by new ones, leading to the overall number of active groups increasing by seven times since January 2020.

Indications of Preferred Target Profiles

Ransomware actors are collectively opportunistic when selecting their targets, preferring to settle for easy victims rather than consciously singling out specific companies to attack. Individually, however, some groups have solicited access to companies that meet certain criteria on underground forums.

For example, in July 2021, an actor associated with the BlackMatter ransomware group (the successor to DarkSide) posted on the Exploit forum that the group was looking for access to corporate networks of companies meeting specific location, revenue, and industry specifications.

Black Matter Forum Post

We can also see evidence of this preferred targeting in our data. Some groups significantly deviate from the overall baseline characteristics of ransomware victims, indicating that while these groups may not be targeting specific companies, they seem to have a preferred target profile.

Threat Groups by Target Revenue

While the median annual revenue for a ransomware victim is $27 million, our data shows that a few ransomware groups aim for bigger targets than others. The group that is most prevalently involved in big game hunting is CL0P, whose victims had a median annual revenue of $111 million—more than four times higher than the average. Although not as drastic, the median revenue for victims of Conti ransomware attacks was almost two times higher than average at $48 million.

On the other end of the spectrum, a few groups seem to prefer smaller prey. Avaddon’s victims had a median annual revenue of $10 million, while the revenue for LockBit victims was even lower at only $8 million.

Threat Groups by Target Location

While most ransomware victims over the last two years have been located in North America or Western Europe, some groups have made these two regions their almost exclusive hunting grounds.

Nearly all of Conti’s almost 700 targets (94%) were located in one of these two regions. Similarly, Grief ransomware and its predecessor DoppelPaymer both almost exclusively targeted North American and Western European companies, with 92% of their victims in those areas.

Other groups have focused their efforts on other parts of the world. Ragnarok, which was active between December 2020 and August 2021, was the only group we observed where a majority (61%) of their targets were based in Europe. In fact, none of Ragnarok’s corporate victims in 2021 were located in North America—a definite outlier in the ransomware world.

Prometheus, which was active between March 2021 and July 2021 before rebranding as Spook, was the only group where a plurality (37%) of its targets were located in South America. And while companies in the Asia-Pacific region are generally lower down on a ransomware group’s list of targets, two groups—LV and LockBit—targeted organizations in the region at a significantly higher rate.

Protecting Your Organization From Ransomware

Ransomware continues to be a significant threat vector across all industries, all company sizes, and all countries. Ransomware actors have proven that they are focused on one thing: making money in whatever way possible.

Malware delivered via email continues to be the initial foothold for ransomware. Once this first payload has been delivered, threat actors can deploy additional malware to gain access to the company network and hold your information for ransom. Now is the time to secure your environment and protect your end users from these malicious emails—before the next ransomware attack impacts you.

Download the full report for a comprehensive look at the ransomware landscape.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 1500x1500 Modern Email Attacks Webinar Series L4 R2
Our Modern Email Attacks series has wrapped! Here are some of the biggest takeaways from Chris Krebs, Troy Hunt, and Theresa Payton.
Read More
B 1500x1500 Gartner Insights L1 R1
See our commitment to providing our customers with the best possible solution and support with these reviews from Gartner® Peer Insights™.
Read More
B 11 14 22 SPM Launch Blog Graphics
Security Posture Management gives organizations insight into cloud configuration risks and gaps across user and app privileges.
Read More
B 11 14 22 SPM Launch Blog 2
Cloud email platforms enable better collaboration, but they also create new entry points, making sensitive data more accessible to attackers.
Read More
B 1500x1500 Q3 Ransomeware L1 R2
This post explores the continuation of the sharp decline in ransomware attacks as well as a few other notable data points from Q3 2022.
Read More
B 10 05 22 Cloud Email Security Platform Essentials
Learn the 7 key capabilities a cloud email security platform should have in order to address and resolve common email security challenges.
Read More
B 11 07 22 Valimail
Discover the benefits of a modern, best-of-breed solution to email security with Abnormal Security and Valimail’s New Partnership.
Read More
B 11 07 22 Vision 23 Blog
Discover the latest trends in cybersecurity as we look toward the email threats of the future in partnership with SecureWorld.
Read More
B 1500x1500 Crimson Kingsnake L2 R1
Uncovering how threat group Crimson Kingsnake uses third-party impersonation tactics to swindle organizations across the world.
Read More