The nonprofit Global Resilience Federation (GRF) has created a semiannual report detailing ransomware attacks across sectors, based on incident data gathered directly from threat actor chatter on the Dark Web. The report highlights major attacks, emerging ransomware gangs, and offers analysis on evolving techniques like triple extortion and encryptionless ransomware.

“GRF analysts have mined what we believe to be a comprehensive incident source: threat actor discussions and postings on closed Dark Web forums,” said Mark Orsi, president of GRF. “Ransomware incidents have clearly become a problem, with higher dollar demands and supply chain attacks, but we believe by going directly to criminals’ discussions we can gain an even more holistic picture of the threat, beyond what is visible in service outages to consumers and what may be publicly disclosed by companies.”

The GRF team has already observed well over 1,000 incidents this year. Critical Manufacturing experienced 184 events, 16% of the total attacks tracked, followed closely by Financial Services with 133, or around 12% of attacks. Commercial Facilities and Information Technology were the next most targeted sectors.

In these incidents, GRF analysts witnessed a progression in tactics and techniques, with a shortening of the development cycle by ransomware gangs and their affiliates. Since 2020, when the Maze gang popularized the double extortion method, there has been a progression to groups widely using public statements and disclosures to pressure organizations to pay ransom demands.

Accompanying this evolution in operations comes added scrutiny on the actors. With significant attacks on Colonial Pipeline and the meat producer JBS, governments and law enforcement have become increasingly involved. Some threat actors like Avaddon and Darkside have closed shop and others, like REvil, may have been forced to shut down. Still others, like Babuk, possibly seeking less attention while maintaining steady cash flow, are transitioning to the arguably less impactful “encryptionless” ransomware.

“With the increase in available attack vectors due to pandemic-related work from home, the usual actors out of Russia and North Korea upped their activity. Every sector has had to deal with ransomware in the last year and unless the Biden administration and other responsible nation-states offer a significant disincentive to the behavior, we don’t anticipate a long-term change in activity,” added William Nelson, chair and CEO of GRF. “We’ve simply seen a weening of ransomware groups. The tough talk and recouping of victim cryptocurrency seem to have scared some actors but it likely won’t be enough.”

Read the public version of the report at https://grf.org/ransomware-report-2021-form

About GRF

Global Resilience Federation (GRF) is a non-profit hub and integrator for support, analysis, and cross-sector intelligence exchange among information sharing and analysis centers (ISACs), organizations (ISAOs), and computer emergency readiness/response teams (CERTs). GRF’s mission is to help assure the resilience of critical and essential infrastructure against threats that could significantly impact the orderly functioning of the global economy and general safety of the public. Learn more at www.GRF.org, by visiting @GRFederation on Twitter or Global Resilience Federation on LinkedIn. Questions may be directed to Patrick McGlone at pmcglone@grf.org