‘Double-Extortion’ Ransomware Damage Skyrockets 935%

Startling triple-digit growth is fueled by easy criminal access to corporate networks and RaaS tools, an analysis found.

The ransomware business is booming, and feeble corporate security and a flourishing ransomware-as-a-service (RaaS) affiliate market are to blame, researchers say.

Access to compromised networks is cheap, thanks to a rise in the number of initial-access brokers, and RaaS tools can turn everyday petty crooks into full-blown cybercriminals in an afternoon, for just a few bucks.

That’s according to findings from Group-IB’s Hi-Tech Crime Trends Report 2021/2022, which unpacks the startling numbers behind what the report calls an “unholy alliance” between ransomware operators and corporate-access brokers. Analysts said that alliance has fueled a 935 percent spike in the number of organizations that had their stolen data exposed on a data leak site (DLS).

Ransomware groups have increasingly used the tactic called double extortion, where they not only steal a company’s data, but threaten to publish it to ratchet up the pressure to pay a ransom. The report proves these groups are following through on the threats.

RaaS, Initial-Access Brokerage Spike

Over the past year, Group-IB found that the number of active initial-access brokers jumped from 85 to 229, and the number of offers to sell access tripled, from 362 to 1,099.

Source: Group IB.

“Poor corporate cyber-risk management combined with the fact that tools for conducting attacks against corporate networks are widely available both contributed to a record-breaking rise in the number of initial access brokers,” the report said.

RaaS affiliates also grew this year. Group-IB found 21 new RaaS affiliate programs over the past year and the number of new leak sites more than doubled to 28, the report said.

Stolen Company Data Leaked

Over the first three quarters of 2021, 47 percent more stolen company data was leaked on ransomware operators’ leak sites than during all of 2020, according to the report. However, the report reminds readers that paying the ransom is no guarantee the data won’t be leaked anyway.

“In practice, however, victims can still find their data on the DLS even if the ransom is paid,” the report added.

Also, the real number of victims is probably larger than detected, the firm found: “Taking into account that cybercriminals release data relating to only about 10 percent of their victims, the actual number of ransomware attack victims is likely to be dozens more,” the report said. “The share of companies that pay the ransom is estimated at 30 percent.”

The Conti ransomware gang is the worst offender, leaking data on around 361 targets and accounting for about 16.5 percent of all the exfiltrated data published on DLSs in 2021, Group-IB found.

Most double-extortion victims were in the U.S. (968), Group-IB found, followed by Canada with 110 and France with 103. The industries most impacted were manufacturing, education, financial services, healthcare and commerce, in that order.

Phishing Scam Affiliate Growth

Besides ransomware, the affiliate market for phishing scams is also on the march. Group-IB found more than 70 new programs that popped up last year and said these scammers stole about $10 million last year.

“Phishing and scam affiliate programs actively use Telegram bots that provide participants with ready-to-use scam and phishing pages,” the report said. “This helps scale phishing campaigns and tailor them to banks, popular email services, and other organizations.”

In a bit of good news, Group-IB’s research found that credit-card data dumps were down, largely due to the shutdown of the popular Joker’s Stash marketplace.
