Dubai, U.A.E., 20.05.2022 — Group-IB, one of the global cybersecurity leaders, unveils its second annual guide to the evolution of threat number one “Ransomware Uncovered 2021/2022”.  The findings of the second edition of the report indicate that the ransomware empire kept its winning streak going with the average ransom demand growing by 45% to reach $247,000 in 2021. Ransomware gangs have also become way greedier since 2020. A record-breaking ransom of $240 million ($30 mln in 2020) was demanded by Hive from MediaMarkt. Hive and another 2021 newcomer to the Big Game Hunting, Grief, quickly made its way to the top 10 gangs by the number of victims posted on dedicated leak sites (DLS).

According to the report, between Q1 2021 and Q1 2022, the data belonging to 147 companies from the MEA region was uploaded on ransomware DLS. In the GCC region, 17 companies from the UAE had their data posted on DLS, followed by Saudi Arabia with 15 victim-companies, Kuwait with 6 and Qatar with five.

Ransomware assembly line

The new report takes stock of the most up-to-date tactics, techniques, and procedures (TTPs) of ransomware threat actors observed across all geographic locations by Group-IB Digital Forensics and Incident Response (DFIR) team. In addition to the analysis of more than 700 attacks investigated as part of Group-IB’s own incident response engagements and cyber threat intelligence activity in 2021, the report also examines ransomware DLS.

Human-operated ransomware attacks have maintained the global cyber threat landscape lead by solid margins over the last three years. The rise of initial access brokers described in Group-IB’s Hi-Tech Crime Trends report and the expansion of Ransomware-as-a-Service programs (RaaS) have become the two main driving forces behind continuous growth of ransomware operations. RaaS made it possible for low-skilled cybercriminals to join the game to ultimately bring the victim numbers up.

Based on the analysis of more than 700 attacks in 2021, Group-IB DFIR experts estimated that the ransom demand averaged $247,000 in 2021, 45% more than in 2020. Ransomware evolved with more sophistication which is clearly visible from the victim’s downtime, which increased from 18 days in 2020 to 22 days in 2021.

RaaS programs started offering their affiliates not only ransomware builds, but also custom tools for data exfiltration to simplify and streamline operations. As such, the double extortion technique became even more widespread – sensitive victim data was exfiltrated as a leverage to get the ransom paid in 63% of cases analyzed by Group-IB DFIR team. Between the Q1’2021 and Q1’2022, ransomware gangs posted data belonging to more than 3,500 victims on DLS. Most companies whose data was posted on DLS by ransomware operators in 2021 were based in the United States (1,655), Canada (176), and the UK (168), while most organizations affected belonged to the manufacturing (322), real estate (305) and professional service (256) industries.

According to the report, between Q1 2021 and Q1 2022, the data belonging to 147 companies from the MEA region was uploaded on ransomware DLS. In the GCC region, 17 companies from the UAE had their data posted on DLS by ransomware threat actors, followed by Saudi Arabia with 15 victim-companies, Kuwait with 6 and Qatar with five.

Lockbit, Conti, and Pysa turned out to be the most aggressive gangs with 670, 640, and 186 victims uploaded on DLS respectively.

In the UAE specifically, the most active ransomware gang in 2021 was Lockbit with 6 companies posted on DLS between Q1 2021 and Q1 2022, followed by Prometheus (2), 54bb47h (1), Avaddon (1), Darkside (1) and others. Industry-wise, most of the affected companies in the UAE were from the real estate sector (3).

Bots are not what they seem

Exploitation of public-facing RDP servers once again became the most common way to gain an initial foothold in the target network in 2021 – 47% of all the attacks investigated by Group-IB DFIR experts started with compromising an external remote service.

Spear phishing emails carrying commodity malware on board remained in the second place (26%).  Commodity malware deployed at the initial stage has become increasingly popular among ransomware actors. However, in 2021 the attribution of ransomware attacks became increasingly complicated since many bots such as Emotet, Qakbot, and IcedID were being used by various threat actors, unlike in 2020, when certain commodity malware families had strong affiliation with specific ransomware gangs.

Some ransomware gangs were seen trying very unconventional approaches: REvil affiliates leveraged zero-day vulnerabilities to attack Kaseya’s clients. BazarLoader, used in Ryuk operations, was distributed via vishing (voice phishing). Phishing emails contained information about “paid subscriptions”, which could allegedly be canceled by phone.

“Given multiple rebrands forced by the law enforcement actions as well as the merge of TTPs due to the constant migration of affiliates from one Ransomware-as-a-Service (RaaS) program to another it is becoming increasingly challenging for security professionals to keep track of the ever-evolving tactics and tools of ransomware threat actors,” says Oleg Skulkin, head of Group-IB DFIR team. “To help corporate cybersecurity navigate through and prepare for ransomware incidents we outlined the main trends and TTPs changes and turned them into actionable insights mapped to and organized according to the MITRE ATT&CK® matrix.”

The second 2021/2022 edition of the “Ransomware Uncovered” report is available for download via Group-IB’s website


About Group-IB

Group-IB is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigation of high-tech crimes and intellectual property protection, headquartered in Singapore. The company’s threat intelligence and research centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), Europe (Amsterdam), and Russia (Moscow).

Group-IB’s Threat Intelligence & Attribution system has been named one of the best in class by Gartner, Forrester, and IDC. Group-IB’s Threat Hunting Framework (earlier known as TDS) intended for the proactive search and the protection against complex and previously unknown cyberthreats has been recognized as one of the leaders in Network Detection and Response by the leading European analyst agency KuppingerCole Analysts AG, while Group-IB itself has been recognized as a Product Leader and Innovation Leader. Gartner identified Group-IB as a Representative Vendor in Online Fraud Detection for its Fraud Hunting Platform. In addition, Group-IB was granted Frost & Sullivan’s Innovation Excellence award for its Digital Risk Protection (DRP), an Al-driven platform for identifying and mitigating digital risks and counteracting brand impersonation attacks with the company’s patented technologies at its core. Group-IB’s technological leadership and R&D capabilities are built on the company’s 18 years of hands-on experience in cybercrime investigations worldwide and 70,000 hours of cybersecurity incident response accumulated in our leading forensic laboratory, high-tech crime investigations department, and round-the-clock CERT-GIB. 

Group-IB is an active collaborator in global investigations led by international law enforcement organizations, such as Europol and INTERPOL. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security created in order to foster closer cooperation between Europol and its leading non-law enforcement partners.

Group-IB's experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB's mission is to protect its clients in cyberspace daily, creating and leveraging innovative solutions & services.

For more information, please contact:
Krisha Doshi

Carine El Natour
Twitter | LinkedIn |Facebook |Instagram