While there seem to be legions of ransomware gangs, it turns out that just a handful of ransomware-as-a-service (RaaS) actors dominate the entire ecosystem of encryption-attack threats.
In fact, just three ransomware families, none of them household names, make up 64 percent of all threats detected, according to telemetry data collected by Bitdefender during August: WannaCryptor, Stop/DJVU and Phobos.
A report from Bitdefender out this week looked at 19.8 million malware detections collected by its telemetry to find insights about the current ransomware threat landscape. The team of analysts was able to identify a total of 250 different ransomware families, but just three dominated the field in terms of sheer attack volume.
Top Ransomware Groups
WannaCryptor accounted for a full 30 percent of threats, Stop/DJVU was behind 19 percent and Phobos trailed just behind with 15 percent.
None of these has made loads of headlines with high-profile attacks, but Phobos was listed as a top ransomware threat in a Joint Cybersecurity Advisory put out by the U.S. government ahead of Labor Day weekend. The feds at the time said that threat actors were likely to strike during the holiday, while most workers were on vacation.
Others on Bitdefender’s list include BearCrypt, Locker, Avaddon, BrainCrypt, GoldenEye, Cerber and Lockbit. In terms of this “best of the rest” group, it should be noted that Avaddon announced it was releasing decryptors in June and said it was shutting down its RaaS operations. Apparently, its plans changed, since it was highly active in August.
Lockbit, one of the better-known names on the list, was behind a late August attack on Bangkok Airways and published the sensitive files after the airline refused to pay up. The attack was reportedly linked to an Accenture breach earlier in the month.
Cerber was also listed in an August SonicWall analysis as one of the top threats for the first half of 2021. That same report fingered the highly active Ryuk as leading the way in terms of attack volume, with the older SamSam gang rounding out the top three. The latter two don’t make Bitdefender’s top 10, however.
RaaS Operators Prefer High-Volume Attacks
With the headlines that groups like REvil, Ragnar Locker, BlackMatter and Conti make, one would think their attacks represent the greatest threat to businesses. But those attacks are rare and highly targeted, go after ransoms in the millions of dollars, and take weeks or even months of recon and preparation.
The higher-volume attacks are instead carried out by ransomware affiliates looking for quick strikes and low-hanging fruit, many of them aimed at smaller businesses.
“Opportunistic adversaries and RaaS groups will represent a higher percentage compared to groups that are more selective about their targets, since they prefer more volume instead of higher value,” the report said.
Many of the attacks might be limited, or less impactful. The report analyzed detected malware, rather than the extent of the infections within a given company, the researchers added.
“We are only counting total cases, not considering how significant the impact of infection is,” they wrote.
Ransomware by the Numbers
The rank of industries most targeted by ransomware is dominated by telecommunications companies, with 51 percent of ransomware threats detected.
“Telecommunications services are particularly high as their customers are included within the detections,” the analysts explained.
Lumbering legacy organizations like utilities only accounted for 1 percent of threats detected. And tech companies were only targeted by 7 percent of ransomware threats, the report showed.
When it comes to geography, the report put the U.S. at the top of the list of countries being bombarded by ransomware, accounting for a full 30 percent of detections. India and Brazil follow, making up 17 percent and 15 percent, respectively.
While detection isn’t the same as an infection, the results show the ransomware game continues to be dominated by a handful of RaaS groups launching mass attacks on unsuspecting users and organizations.