More than 290 enterprises hit by 6 ransomware groups in 2021

A report from eSentire said the six groups have already brought in more than $45 million this year from dozens of local governments, hospitals, universities and multinational conglomerates.
Written by Jonathan Greig, Contributor

Every week there is a new organization facing a ransomware attack, but a new report from eSentire's security research team and Dark Web researcher Mike Mayes says the incidents we see in the news are just a small slice of the true number of victims.

The eSentire Ransomware Report says in 2021 alone, six ransomware groups compromised 292 organizations between Jan. 1 and April 30. 

The report estimates that the groups managed to bring in at least $45 million from these attacks and details multiple incidents that were never reported. 

The eSentire team and Mayes focused exclusively on the Ryuk/Conti, Sodin/REvil, Clop and DoppelPaymer ransomware groups, as well as two newer but notable gangs, DarkSide and Avaddon. 

Each gang focuses on particular industries and regions of the world, according to the report. The Ryuk/Conti gang has attacked 352 organizations since 2018 and 63 this year, focusing mostly on manufacturing, construction and transportation companies. 

Dozens of their victims have never been publicized, but the most notable organizations attacked include the Broward County School District and French cup company CEE Schisler, neither of which paid the exorbitant ransoms, the report said. 

Beyond manufacturing, the group made waves in 2019 for attacking the IT systems of small local governments across the United States, including Jackson County, Georgia; Riviera Beach, Florida; and LaPorte County, Indiana. All three paid the ransoms, which ranged from $130,000 to nearly $600,000. The group then spent much of 2020 attacking local hospitals. 

Like the Ryuk/Conti gang, the people behind the Sodin/REvil ransomware focus on healthcare organizations, while also devoting effort to attacking laptop manufacturers. Of their 161 victims, 52 were hit in 2021, and they made international news with attacks on Acer and Quanta, two of the world's biggest technology manufacturers. 

Quanta, which produces Apple's notebooks, was hit with a $50 million ransom demand. The company refused, and the Sodin/REvil gang leaked detailed designs of an Apple product in response. The gang threatened to leak more documents but pulled the photos and any other reference to the attack by May, according to the report, which noted that Apple has not spoken about the intrusion since. 

The DoppelPaymer/BitPaymer gang has made a name for itself by targeting government institutions and schools. The FBI released a notice in December specifically about the ransomware, warning that it was being used to attack critical infrastructure such as hospitals and emergency services. 

The report adds that most of the group's 59 victims this year have not been publicly identified other than the Illinois attorney general's office, which was attacked on April 29.

The Clop gang has focused its efforts on exploiting the widely covered vulnerability in Accellion's legacy File Transfer Appliance (FTA). The eSentire team and Mayes explain that the group used the vulnerability extensively, hitting the University of California, US bank Flagstar, global law firm Jones Day, Canadian jet manufacturer Bombardier, Stanford University, oil giant Royal Dutch Shell, the University of Colorado, the University of Miami, gas station company RaceTrac and many more. 

The report notes that the Clop gang became infamous for allegedly combing through a victim's stolen files and then contacting its customers or partners to demand that they pressure the victim into paying the ransom. 

The DarkSide gang has been in the news as of late for their attack on Colonial Pipeline, which set off a political firestorm in the United States and a run on gas stations in certain towns along the East Coast. 

The group is one of the newest of the leading ransomware groups, having emerged in late 2020, according to the report. But it has wasted little time, racking up 59 victims since November, 37 of them this year. 

The report notes that DarkSide operates as a ransomware-as-a-service operation, licensing its malware to affiliates who carry out the intrusions and split the ransoms with the core group. eSentire said its research indicated that the people behind DarkSide were unaware of the Colonial attack before it happened and only found out from the news. The group made waves last week when it allegedly shut down all of its operations due to increased law enforcement scrutiny. 

The ransomware has also been implicated in multiple attacks on energy producers, including one of Brazil's largest electric utilities, Companhia Paranaense de Energia, which the group hit in February. 

The final group studied is the Avaddon gang, which was in the news this week for its attack on the major European insurer AXA. The attack was notable because AXA provides dozens of companies with cyberinsurance and had recently pledged to stop writing policies in France that reimburse customers for ransom payments. 

In addition to AXA, the group has attacked 46 organizations this year and, like DarkSide, operates as a ransomware-as-a-service operation. The report explains that the gang is notable for displaying a countdown clock on its Dark Web leak site and for threatening a DDoS attack, on top of publishing stolen data, if the ransom is not paid. 

The list of their victims includes healthcare organizations like Capital Medical Center in Olympia, Washington and Bridgeway Senior Healthcare in New Jersey. 

The eSentire team and Mayes added that the vast number of unreported attacks indicates that these gangs are "wreaking havoc against many more entities than the public realizes."

"Another sobering realization is that no single industry is immune from this ransomware scourge," the report said. "These debilitating attacks are happening across all regions and all sectors, and it is imperative that all companies and private-sector organizations implement security protections to mitigate the damages stemming from a ransomware attack."
