No, it’s not REvil, Ragnar Locker, BlackMatter, or Conti that make up the top three ransomware threats responsible for a crushing majority of attacks in the U.S. and worldwide. Instead, the danger comes from where you least expect it.
While there are countless ransomware gangs, it seems that only a few of them dominate the whole encryption-attacks landscape. Just three ransomware families, WannaCryptor, Stop/DJVU, and Phobos, all of them keeping a low profile, account for 64% of all threats detected, according to new data gathered by Bitdefender in August.
A Bitdefender report published earlier this week examined 19.8 million malware detections collected by its telemetry to better understand the current ransomware ecosystem. The team managed to spot a jaw-dropping total of 250 different ransomware families, with only three dominating the field with their massive attack volumes.
Top Ransomware Threats
WannaCryptor was found responsible for 30% of threats, Stop/DJVU for 19%, and Phobos trailed just behind with 15%.
All three have somehow kept a low profile, none of them making loads of headlines. However, Phobos was listed as a top ransomware threat in a Joint Cybersecurity Advisory put out by the U.S. government ahead of Labor Day weekend. The FBI said that cybercriminals were likely to attack during the holiday, while most employees were on vacation.
Other names that made it to Bitdefender’s list include BearCrypt, Locker, Avaddon, BrainCrypt, GoldenEye, Cerber, and LockBit. Although Avaddon announced it would release decryptors and shut down its RaaS operations, plans changed, and the group was highly active in August.
LockBit was behind a late August attack on Bangkok Airways and exposed sensitive data after the company refused to pay the ransom. The attack was allegedly related to an Accenture data breach in July.
Cerber also made an appearance in an August SonicWall analysis as one of the top threats of 2021 H1. That same report pointed the finger at the highly active Ryuk as the culprit for the most significant attack volume, with SamSam rounding out the top three. The latter two don’t make Bitdefender’s top 10, however.
Ransomware Families Prefer High-Volume Attacks
With headlines revolving around ransomware families such as REvil and BlackMatter, it’s only natural to think their attacks are the greatest threat to organizations. But those are high-profile attacks, which require weeks or months of preparation and go for millions of dollars in ransom.
The high-volume ransomware attacks are instead carried out by affiliates looking for quick strikes, many of them targeted at smaller businesses.
“Opportunistic adversaries and RaaS groups will represent a higher percentage compared to groups that are more selective about their targets, since they prefer more volume instead of higher value,” the report noted.
The majority of these attacks are limited and less impactful. The researchers added that the report analyzed malware detections rather than the extent of the infections within a given organization.
“We are only counting total cases, not considering how significant the impact of infection is,” they wrote.
Ransomware In Numbers
The sector most targeted by ransomware is by far telecommunications, with 51% of ransomware attacks detected.
“Telecommunications services are particularly high as their customers are included within the detections,” the analysts noted.
According to the report, organizations like utilities only accounted for 1% of threats detected, while tech companies were only targeted by 7% of ransomware threats.
Geographically speaking, the report showed that the U.S. is at the top of the list of countries bombarded by ransomware attacks, with a full 30% of detections. India (17%) and Brazil (15%) rank second and third, respectively.
While ‘detection’ doesn’t equal ‘infection,’ Bitdefender’s concerning findings show that a handful of RaaS groups launching mass attacks still dominate the ransomware business.
Bitdefender Top 10 Ransomware Families