
A Deep Dive into Active Ransomware Groups

Here’s an in-depth analysis of the 62 most prominent ransomware groups and their activities since January 2020.

May 27, 2022

Earlier this year, our threat intelligence team at Abnormal published a report on the evolution of ransomware. The report explored the growing threat of ransomware, including the primary factors influencing the ransomware landscape, with insight into who is being targeted across various industries and locations.

The report also included a deep dive into the threat actors themselves, their activities, and a few reasons why we’ve seen a 600% increase in the number of active groups since January 2020.

Pros and Cons of the Centralized Ransomware Ecosystem

Much like in 2016, when ransomware first exploded globally, a growing number of minor threat groups have entered the scene, piggybacking on the success of the more established groups.

We tracked 62 different ransomware groups and their activities starting in January 2020. While some of these were merely rebranded variations of previous ransomware strains (such as Maze rebranding to Egregor or DarkSide renaming itself BlackMatter), most of these groups are unique threats that have emerged for a few months at a time in smaller volumes.

The number of active ransomware groups each month has increased dramatically, growing from just three in February 2020 to a peak of 28 in November 2021.

Monthly Active Ransomware Groups

Five groups—Conti, LockBit, Pysa, REvil, and Maze/Egregor—were responsible for more than half of all ransomware attacks over the past two years. Two of those groups (Conti and LockBit) are still active today, and, as of Q1 2022, they make up almost 50% of the present ransomware attack volume.

This demonstrates the centralized nature of the ransomware landscape, where a very small number of threat groups drive most of the malicious activity.

The silver lining to this top-heavy ecosystem is that disruptive actions against one of these primary groups, such as law enforcement takedowns, can have a significant impact on the overall landscape. This is different from a threat like business email compromise, where targeted disruptive actions are generally less impactful to overall attack volume due to the decentralized structure of the threat landscape.

Number of Victims for Top 15 Ransomware Groups

Number of victims in all of 2020 and 2021

One of the biggest challenges to disrupting the ransomware landscape in the past few years has been the hydra-like nature of how it has grown. Whenever a primary group has exited the scene, one or more new big groups enter, along with additional smaller groups.

For example, when Maze shut down in December 2020, Conti and REvil had both just emerged to fill the void. Similarly, when REvil went offline and Avaddon shut down in the early summer of 2021, LockBit resurfaced with a new version of their malware and became the most prolific ransomware group over the remainder of the year.

So while we’ve actually seen a fair amount of turnover among the top ransomware groups, the total volume of attacks has remained consistently high. This is because exiting groups are being replaced by new ones, leading to the overall number of active groups increasing by seven times since January 2020.

Indications of Preferred Target Profiles

Ransomware actors are collectively opportunistic when selecting their targets, preferring to settle for easy victims rather than consciously singling out specific companies to attack. Individually, however, some groups have solicited access to companies that meet certain criteria on underground forums.

For example, in July 2021, an actor associated with the BlackMatter ransomware group (the successor to DarkSide) posted on the Exploit forum that the group was looking for access to corporate networks of companies meeting specific location, revenue, and industry specifications.

Black Matter Forum Post

We can also see evidence of this preferred targeting in our data. Some groups significantly deviate from the overall baseline characteristics of ransomware victims, indicating that while these groups may not be targeting specific companies, they seem to have a preferred target profile.

Threat Groups by Target Revenue

While the median annual revenue for a ransomware victim is $27 million, our data shows that a few ransomware groups aim for bigger targets than others. The group most heavily involved in big game hunting is CL0P, whose victims had a median annual revenue of $111 million, more than four times the overall median. Although not as drastic, the median revenue for victims of Conti ransomware attacks was almost twice the overall median at $48 million.

On the other end of the spectrum, a few groups seem to prefer smaller prey. Avaddon’s victims had a median annual revenue of $10 million, while the revenue for LockBit victims was even lower at only $8 million.

Threat Groups by Target Location

While most ransomware victims over the last two years have been located in North America or Western Europe, some groups have made these two regions their almost exclusive hunting grounds.

Nearly all of Conti’s almost 700 targets (94%) were located in one of these two regions. Similarly, Grief ransomware and its predecessor DoppelPaymer both almost exclusively targeted North American and Western European companies, with 92% of their victims in those areas.

Other groups have focused their efforts on other parts of the world. Ragnarok, which was active between December 2020 and August 2021, was the only group we observed where a majority (61%) of their targets were based in Europe. In fact, none of Ragnarok’s corporate victims in 2021 were located in North America—a definite outlier in the ransomware world.

Prometheus, which was active between March 2021 and July 2021 before rebranding as Spook, was the only group where a plurality (37%) of its targets were located in South America. And while companies in the Asia-Pacific region are generally lower down on a ransomware group’s list of targets, two groups—LV and LockBit—targeted organizations in the region at a significantly higher rate.

Protecting Your Organization From Ransomware

Ransomware continues to be a significant threat vector across all industries, all company sizes, and all countries. Ransomware actors have proven that they are focused on one thing: making money in whatever way possible.

Malware delivered via email continues to be the initial foothold for ransomware. Once this first payload has been delivered, threat actors can deploy additional malware to gain access to the company network and hold your information for ransom. Now is the time to secure your environment and protect your end users from these malicious emails—before the next ransomware attack impacts you.


Download the full report for a comprehensive look at the ransomware landscape.
