Dive Brief:
- The REvil/Sodinokibi and DarkSide families saw a surge in activity during the second quarter, with REvil/Sodinokibi dominating the quarter and accounting for 73% of ransomware detections, according to a report released overnight by McAfee Enterprise. REvil was linked to the ransomware attacks on leading beef and poultry supplier JBS USA after Memorial Day, as well as the Independence Day weekend attack on IT platform Kaseya. DarkSide was linked to the Colonial Pipeline attack in early May.
- Government was the sector most targeted by ransomware families during the quarter, followed by telecom, energy, and media and communications, according to the report. In overall cyber threat activity, reported incidents against the public sector grew 64%, followed by a 60% increase against the entertainment business.
- The financial services sector saw the most activity in terms of cloud threats. Financial services was targeted in 50% of the top 10 cloud incidents, according to the report. Cloud incidents targeting organizations in the U.S. accounted for 52% of all incidents. Movement to cloud-based security is still an important shift as companies and other organizations transform the workplace in response to the ongoing COVID-19 pandemic.
Dive Insight:
The spike in ransomware activity during the quarter, as well as the brazen nature of the attacks on critical infrastructure targets, led to a great deal of movement among the major ransomware families, according to McAfee Enterprise researchers.
Two of the top underground forums, XSS and Exploit, announced bans on accepting ransomware advertising. The forums had historically provided a lucrative safe haven for many ransomware groups, trading in stealer logs, crypter services and other resources, according to the report. Researchers say the bans were likely enacted to prevent the forums from being shut down permanently.
"Now the RaaS groups no longer have a third-party platform on which to actively recruit, show their seniority, offer escrow and have their binaries tested by moderators or settle disputes," said John Fokker, principal engineer and head of cyber investigations for McAfee Enterprise Advanced Threat Research.
The DarkSide organization temporarily vanished amid increased pressure from law enforcement and from the U.S. government against international ransomware groups. The U.S. Department of Justice retrieved about $2.3 million of the reported $4.4 million in ransom that Colonial Pipeline paid to DarkSide after the initial attack.
McAfee Enterprise officials agreed the sudden appearance of the BlackMatter group was a bit more than coincidence.
"After shutting down the Colonial Pipeline, DarkSide created the appearance of walking away after attracting government scrutiny, thinking we would miss the (alleged) connection to BlackMatter," Raj Samani, chief scientist at McAfee Enterprise, wrote in a new blog post.
BlackMatter, which emerged in July, was linked to a new attack against a farm cooperative in Iowa during late September. Federal officials have recently warned of threats against agricultural and food industry targets.
Researchers also noted the emergence of LockBit 2.0, an updated version of the LockBit ransomware that first appeared in 2020. LockBit 2.0 accesses systems using Remote Desktop Protocol and automatically encrypts data across the domain in preparation for exfiltrating information.