Q2 2021 Report by Digital Shadows, Abridged


Q2 2021 was among the most important periods for ransomware, with several significant events taking place. The quarter saw one of the biggest pipelines in the United States targeted, new ransomware groups emerging, and others disappearing. It also saw well-known cybercriminal forums denouncing ransomware, and law enforcement activity radically changing some ransomware operations.

According to the recent report by Digital Shadows, a cybersecurity firm, more than 700 firms were attacked with ransomware and their information was dumped on data leak websites in Q2 of 2021. Of the nearly 2,600 victims mentioned on the data leak websites of ransomware, 740 were identified in Q2 2021, depicting a 47% rise over Q1. 

Digital Shadows researchers found a 183% increase in ransomware operations against the retail sector between the first quarter of 2012 and the second quarter.

Where Q1 2021 was dominated by supply chain attacks such as those on Microsoft Exchange Server and SolarWinds, the latest quarter defined the present and future ransomware threat landscape.

The report covers the quarter's main events, including the DarkSide attack on Colonial Pipeline, the attack on JBS, the world's largest meat processor, and stepped-up US and European law enforcement actions.

But the Photon Research Team at Digital Shadows noticed that other themes had emerged beneath the surface. Since the Maze ransomware gang helped popularize the data leak site, double extortion has become widespread among groups seeking to inflict maximum harm after an attack.

According to the investigation, data from organizations in the commercial products and services industry appeared commonly on dark web leak sites. The list of affected organizations was likewise dominated by construction and materials, retail, technology, and healthcare organizations.

The Conti group led the way, followed by Avaddon, PYSA, and REvil, all with concerning levels of activity.

"This is the second consecutive quarter that we have seen Conti as the most active in terms of victims named to their DLS. Conti, believed to be related to the Ryuk ransomware, has consistently and ruthlessly targeted organizations in critical sectors, including emergency services," the report said. 

However, the research warns that several groups have vanished from, or emerged from nowhere in, the global ransomware marketplace. According to Digital Shadows, the groups that halted operations in Q2 were Avaddon, Babuk Locker, DarkSide, and Astro Locker, while groups such as Vice Society, Hive, Prometheus, LV Ransomware, Xing, and Grief appeared with their own dark-web leak sites.

In addition, 60% of victim firms are located in the United States, with Canada the only country to see a decline in ransomware attacks from Q1 to Q2. Over 350 US-based organizations were affected by ransomware in Q2, compared to 46 in France, 39 in the UK, and 35 in Italy.

Lastly, the report's researchers asked whether Q3 would see further attacks similar to the Kaseya ransomware campaign, in which REvil operators used a zero-day vulnerability to compromise more than forty managed service providers.