Ransomware Olympics – Top 3 Most Lucrative Ransomware Strains in 2021

From the defender’s perspective ransomware is the biggest threat in the modern cybersecurity landscape. From a criminal perspective it’s a highly lucrative form of cybercrime, and perpetrators face only negligible chances of being prosecuted with less than 20 arrests reported in 2020 [1].

The highest amount of ransom ever paid by a single company for a single incident is $40 million US dollars [2][3], however, the cost of a ransomware attack is not limited to ransom payments. Companies can incur millions more in remediation costs, service downtime, legal settlements, higher insurance premiums, and potentially suffer long-term deleterious effects to their brand reputation [4]. One report estimates that 74% of ransomware payments go to Russian backed groups; more than $400 million USD in 2021 [5]. Another report from blockchain research group Chainalysis suggests that nearly $700 million USD in ransomware ransom was paid in 2020 [6] [7].

Not all ransomware strains are created equal and some variants have resulted in far more damage than others. Furthermore, calculating the total amount of ransom payments has been difficult because some companies are reluctant to disclose attacks, but new legislature in the US requiring disclosure of cyberattacks means that it will be easier to calculate accurate amounts going forward [8].

Using report data released by Chainalysis [7] we have put together a list of the top 3 most lucrative ransomware strains, and in the spirit of the 2022 Olympics now underway, have awarded them gold, silver, and bronze medals accordingly. Continue reading to find out just how much loot these top strains collected in 2021 alone.

Gold medal: Conti – At least $180 million ransom collected

Conti refers to both a malware strain and a ransomware gang. The malware strain is thought to be the successor to the prolific Ryuk ransomware strain [9] and is classified as a second stage malware meaning it is typically imported into a network after initial access has been gained. Rather than being automated, Conti ransomware is served commands from a remote C2 server and has capabilities to scan host system information, map internal network devices, disable about 140 different security products, elevate privileges by taking advantage of various Windows privilege escalation flaws, and attack credentials stored in the Windows registry, among other techniques [10].

The Conti strain uses an RSA-4096 bit strength public key to decrypt an AES-256 key which is then used to encrypt any documents found on the target network including SMB file shares. File encryption happens in a flash as Conti uses multi- threading to utilize a system’s fully processing capabilities, encrypting all documents discovered during the enumeration process. In 2021 internal Conti documentation was leaked by a group insider, which provided a revealing look into the groups strategic offensive playbook, including how the group operates a Ransomware As A Service (RaaS) [11].

Silver medal: DarkSide – At least $80 Million USD ransom collected

DarkSide is a multi-extortion tactic ransomware strain that exfiltrates and encrypts victims’s data allowing the attacker to simultaneously threaten to publicly release the stolen data on the darkweb while also holding it hostage. The malware strain is associated with the DarkSide ransomware group who also operate RaaS.

On its path of destruction the DarkSide strain first gains initial access via a public facing service, then escalates privileges and pivots laterally through the network. Finally, enumerated files are both exfiltrated, and encrypted, and shadow volume copies are purged using PowerShell scripts. DarkSide also impairs the host system’s defences by killing processes associated with security products and event logging and deleting registry keys so that some services will be disabled upon reboot [12].

After successfully crippling Colonial Pipeline the DarkSide group publicized that they were shutting down operations, but like the plot of a hot spy thriller the FBI was hot on their trail and managed to track the crypto transaction trail and seize roughly half of the $5 million dollar Bitcoin ransom that was paid by Colonial [13] [14].

Bronze medal: Phoenix Locker – At least $60 Million USD ransom collected ($40 Million from a single victim)

This strain of malware created by Evil Corp is responsible for the highest ever single ransomware payment ever recorded; 40 million USD payed by CNA Financial [15]. Evil Corp was sanctioned in the US in 2019 [16] and its leader Maksim V. Yakubets was indicted in December 2019 [17]. It’s believed that Evil Corp has collected about $100 million from cybercrime including ransomware, and other illegal enterprises combined [18].

Phoenix Locker is a Remote Access Trojan (RAT) that uses Remote Desktop Protocol (RDP) or compromised VPS credentials for initial access to a network or cloud VPS cluster. After initial access, elevated privileges are gained by tricking users into launching a digitally signed and therefore trusted application [19]. The malware then proceeds to enumerate network and system information, and encrypt files on the victim’s network. Since there is no mention of Phoenix Locker using a double extortion scheme, we can only assume that it will be updated with new and more malicious features in the future. Perhaps with a few improvements we will see Phoenix Locker topping the ransomware podium next year.

Conclusion

There were some prolific strains of ransomware that did not make the 2021 medal podium such as REvil, Petya/Not Petya, and WannaCry, but if Olympic medals were given out for 2021 ransomware carnage, the gold, silver, and bronze medals would have to go to Conti, DarkSide, and Phoenix Locker respectively. 2021 was a record year for ransomware payouts and these top 3 strains collected almost half of the total payout.

Technical analysis showed they also presented similar TPP attack patterns. Therefore, in defensive planning, it’s crucial to take note of these highly successful attack patterns and offensive playbooks and architect your defensive cyber security strategy accordingly.

References

[1] Ransomware attackers down shift to ‘Mid-Game’ hunting in Q3 2021

https://www.coveware.com/blog/2021/10/20/ransomware-attacks-continue-as-pressure-mounts

[2] A timeline of the biggest ransomware attacks

https://www.cnet.com/personal-finance/crypto/a-timeline-of-the-biggest-ransomware-attacks/

[3] US insurance giant CNA Financial paid $40 million ransom to regain control of systems: report

https://www.zdnet.com/article/us-insurance-giant-cna-financial-paid-40-million-ransom-to-wrestle-back-control-of-systems/

[4] The True Cost of Ransomware

The True Cost of Ransomware

[5] 74% of ransomware revenue goes to Russia-linked hackers

https://www.bbc.com/news/technology-60378009

[6] Nearly $700 million spent on ransomware payments in 2020 alone: report

https://www.zdnet.com/article/nearly-700-million-spent-on-ransomware-payments-in-2020-report/

[7] Chainanlysis – 2022 Ransomware Crypto Crime Report Review

As Ransomware Payments Continue to Grow, So Too Does Ransomware’s Role in Geopolitical Conflict

[8] Cyber Incident Reporting Act of 2021

https://www.hsgac.senate.gov/imo/media/doc/210928_PetersPortmanCyberIncidentReportingAct_AsIntroduced.pdf

[9] Conti ransomware shows signs of being Ryuk’s successor

https://www.bleepingcomputer.com/news/security/conti-ransomware-shows-signs-of-being-ryuks-successor/

[10] 2021 Ransomware and the Mitre Att&ck Framework

2021 Ransomware and the Mitre Att&ck Framework

[11] Conti ransomware affiliate goes rogue, leaks “gang data”

Conti ransomware affiliate goes rogue, leaks “gang data”

[12] DarkSide Ransomware

https://blog.qualys.com/vulnerabilities-threat-research/2021/06/09/darkside-ransomware

[13] FBI Claws Back Millions of DarkSide’s Ransom Profits

FBI Claws Back Millions of DarkSide’s Ransom Profits

[14] Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside

https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside

[15] CNA Financial Paid $40 Million in Ransom After March Cyberattack

https://www.bloomberg.com/news/articles/2021-05-20/cna-financial-paid-40-million-in-ransom-after-march-cyberattack

[16] Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware
https://home.treasury.gov/news/press-releases/sm845

[17] Alleged Russian Hacker Behind $100 Million Evil Corp Indicted

https://www.wired.com/story/alleged-russian-hacker-evil-corp-indicted/

[18] Inside ‘Evil Corp,’ a $100M Cybercrime Menace

https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/

[19] Phoenix Cryptolocker Ransomware Threat Intel Advisory

https://cloudsek.com/threatintelligence/phoenix-cryptolocker-ransomware-threat-intel-advisory/

Leave a comment

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.