LockBit, BlackCat, Swissport, Oh My! Ransomware Activity Stays Strong

However, groups are rebranding and recalibrating their profiles and tactics to respond to law enforcement and the security community’s focus on stopping ransomware attacks.

Law enforcement, C-suite executives and the cybersecurity community at-large have been laser-focused on stopping the expensive and disruptive barrage of ransomware attacks — and it appears to be working, at least to some extent. Nonetheless, recent moves from the LockBit 2.0 and BlackCat gangs, plus this weekend’s hit on the Swissport airport ground-logistics company, shows the scourge is far from over.

It’s more expensive and riskier than ever to launch ransomware attacks, and ransomware groups have responded by mounting fewer attacks with higher ransomware demands, Coveware has reported, finding that the average ransomware payment in the fourth quarter of last year climbed by 130 percent to reach $322,168. Likewise, Coveware found a 63 percent jump in the median ransom payment, up to $117,116.

Fewer Attacks, Bigger Ransom Demands

“Average and median ransom payments increased dramatically during Q4, but we believe this change was driven by a subtle tactical shift by ransomware-as-a-service (RaaS) operations that reflected the increasing costs and risks previously described,” Coveware analysts said. “The tactical shift involves a deliberate attempt to extort companies that are large enough to pay a ‘big game’ ransom amount but small enough to keep attack operating costs and resulting media and law enforcement attention low.”

Infosec Insiders Newsletter

That means ransomware groups have started to focus on small-to-medium sized businesses to avoid law-enforcement attention and publicity like what came with the Colonial Pipeline attack last year, Coveware added.

Groups Looking to Lower Their Profile

“The proportion of companies attacked in the 1,000- to 10,000-employee count size increased from 8 percent in Q3 to 14 percent in Q4,” the researchers found. “The average ransom payment in just this employee bucket was well north of one million dollars, which dragged the Q4 average and median amounts higher.”

The Coveware team said it expects this trend will likely continue, led by the most prolific ransomware-as-a-service operators out there: Conti, LockBit 2.0 and Hive. Following splashy law-enforcement takedowns, including the Russia’s roundup of REvil members, Coveware predicted that these groups will try and keep a low profile.

“While all RaaS operations need to recruit affiliates, we expect groups to become more reserved in their public messaging and more careful about what companies they target,” Coveware researchers added. “The lessons learned from the pipeline attack and the recent FSB arrests are likely to keep some of the more vibrant displays of public bravado in check.”

But a lower profile doesn’t mean ransomware operators aren’t still honing their skills.

BlackCat’s Rebrand, Triple-Extortion Threat

BlackCat, also known as ALPHV, an upstart RaaS operation, is on the rise and rapidly recruiting affiliates, according to Tripwire’s Graham Cluley, who explained that the group has started adding pressure for their victims to pay by not only stealing their data and threatening to release it, but also promising a crippling distributed denial-of-service (DDoS) should they refuse to pay — a ransomware tactic known as “triple extortion.”

First discovered by the MalwareHunterTeam, the operators of the Rust-coded BlackCat ransomware call themselves ALPHV, but the MalwareHunterTeam dubbed them BlackCat after the image used on the payment page the victims must visit on Tor to pay, Bleeping Computer reported. The report also confirmed that BlackCat is essentially a re-brand, adding the group members have confirmed they were previous members of the BlackMatter/DarkSide group.

LockBit 2.0 is another group adding pressure on its victims to pay with threats to release a company’s customer data — and it hasn’t been laying so low, either.


LockBit 2.0 recently took credit for breaching cryptocurrency exchange platform playbito.com, threat hunter DarkTracer tweeted. The researcher also posted a warning from LockBit2.0 that the group will publish the personal data of more than 100,000 of the platform’s users unless the ransom is paid by Feb. 21.

“Customers from USA/WorldWide personal data, mail/hash, weak has algorithm,” the message read. “Admins personal data, admin emails and hashes. If you want it buy it — contact us with TOX.”

The following day, the FBI put out indicators of compromise associated with LockBit 2.0 and asked anyone who thinks they might have been compromised by the group to contact the FBI Cyber Squad immediately.

“The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with the threat actors, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file,” the FBI alert said, adding that the department does not encourage paying ransoms, but understands business decisions need to be made to keep operations going.

Swissport Attack: Ransomware Still Going Strong

But even as ransomware operators are feeling new pressure, successful attacks are still being pulled off regularly.

Over the weekend, Swissport was taken down by a ransomware attack which caused the delay of 22 flights out of Zurich, Switzerland, according to an airport spokeswoman who spoke with Der Speigel.

Bottom line? For now, ransomware is here to stay, but evolving.

The latest research from Trellix suggests that moving forward in 2022, financial services are going to be bombarded with ransomware attacks. From the second to the third quarter of 2021, attacks on the finance and insurance sector increased by 21 percent, followed by just a 7 percent increase in healthcare attacks, the firm noted.

“In the third quarter of 2021, high-profile ransomware groups disappeared, reappeared, reinvented, and even attempted to rebrand, while remaining relevant and prevalent as a popular and potentially devastating threat against an increasing spectrum of sectors,” Trellix chief scientist Raj Samani said.

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles