New Report Profiles Ransomware Cybergangs

That old adage about crime never pays could not be more false, at least when it comes to modern-day cybercriminals. For those bad actors using ransomware as their weapon, crime is paying more than ever.

Cybersecurity company Emisoft estimates that the true global cost of ransomware, including business interruption and ransom payments in 2020, was a minimum of US$42 billion and a maximum of nearly $170 billion.

A survey by Veritas Technologies found that 66 percent of victims admitted to paying part or all of the ransom, according to a report released Wednesday by managed detection and response firm eSentire.

The report, authored by eSentire’s security research team it calls the Threat Response Unit (TRU), found that six ransomware gangs claimed at least 290 new victims fo far this year. The combined spoils tallied potentially $45 million for the hackers.

Company researchers from eSentire teamed up with dark web researcher Mike Mayes to track the Ryuk/Conti, Sodin/REvil, CLOP, and DoppelPaymer ransomware groups. They also tracked two emerging cybergangs known as DarkSide and Avaddon.

The DarkSide gang should ring some familiarity bells. It is the outfit responsible for the Colonial Pipeline ransomware attack earlier this month.

Esentire’s TRU and Hayes found that specific groups racked up hundreds of victims in 2020 and collectively compromised 292 new victim organizations between January 1 and April 30 of this year. Researchers estimated the average ransom organizations paid increased from $115,123 in 2019 to $312,493 in 2020, a 171 percent year-over-year increase.

“There are many more successful ransomware attacks which have compromised companies than the public has any idea about. There really is no type of industry/business that is not a potential target of these groups,” Mark Sangster, vice president at eSentire, told TechNewsWorld.

Booming Business for Hackers

Ransomware attacks are frequent. Their payouts are often not disclosed by the victims due to embarrassment or loss of public trust. The hacker groups are not shy, however, about self-reporting of their successful exploits on their personal blog/leak sites.

The eSentire report noted three new attacks in the previous three months:

  • Tata Steel — compromised by Sodin/REvil ransomware group in April. Tata Steel refused to pay the $4 million ransom.
  • Broward County School District — compromised by the Ryuk/Conti gang in March. Threat actors demanded $40 million, and the district said they would not pay.
  • Quanta Computer — maker of Apple’s next-generation MacBooks, also attacked by Sodin/REvil. Hackers in April reportedly demanded $50 million, first from Quanta who said no to the extortion, and then from Apple.

But researchers noted that despite the increasing reports of ransomware attacks in the media, the victim organizations the media discloses are a drop in the bucket compared to the actual events.

One ransomware incident which occurred last month but never went public involved a small private U.S. company. The threat actors demanded $12 million, which that company paid, according to a high-ranking employee of the organization who asked not to be named.

With cyberattacks evolving at breakneck speed, cyberthreat intelligence (CTI) has become a critical component in cybersecurity programs. Without intelligence, organizations are flying blind through very stormy skies, offered Dov Lerner, Security Research Lead at Cybersixgill.

“On a strategic level, CTI will enable executives to understand the threat landscape and assess risks to their organizations. On a more tactical level, CTI is used to block malicious indicators of compromise and to detect compromised data,” Lerner told TechNewsWorld.

As more daily business and activities become digitized, there is more opportunity for dark web actors to consume and exploit sensitive data posted to underground platforms, he added. The cybercrime underground is only continuing to grow, and pandemic and economic crisis may lead more threat actors to seek illicit financial activity and lately, radical political discourse.

No Doubt About Successes

Sangster said his researchers fully believe that the organizations these groups claim to have compromised are true for several reasons, which include:

  • Each of the ransomware groups the report details provide numerous examples of various files and documents that they claim to have stolen from the victim companies. Plus, they all look authentic.
  • Researchers have seen the threat groups post a victim on their leak site. Later on, perhaps weeks down the road, the target comes out publicly about suffering a ransomware attack.
  • It does not benefit these ransomware groups to lie about the victims they claim to have hacked. If they did post victims on their leak site that they had not compromised, then the word would spread very quickly, and no victim would pay them.

“Our security research team, TRU, and dark web researcher Mike Mayes went down into the dark web and spent a lot of time analyzing these six ransomware group’s blog/leak sites, and we also analyzed the TTPs of these groups which we have gathered from tracking them since they began their crime spree,” Sangster said.

Researchers just wrapped up all of their findings and are in the midst of sharing the details with the various law enforcement agencies, he added.

Expanded Attack List

Esentire and Mayes found that the six ransomware groups they tracked for this report are not only continuing to target the usual suspects — state and local government, school districts, law firms, and hospital and healthcare organizations. They have expanded their hit list to include manufacturers, transportation/logistics companies, and construction firms in the U.S., Canada, South America, France, and the U.K.

Here is a summary of the new victims resulting from this expanded attack list:


The Ryuk/Conti ransomware group first appeared in August 2018. Their initial victims tended to be U.S.-based organizations. These included technology companies, healthcare providers, educational institutions, financial services providers, and numerous state and local government organizations.

The gang hit a total of 352 organizations, compromising 63 companies and private sector organizations this year alone. TRU examined 37 of Ryuk’s 63 victims, and among them, 16 were manufacturers that produced everything from medical devices to industrial furnaces to electromagnetic radiation equipment to school administration software.

Ryuk reportedly compromised in 2021transportation/logistics companies, construction companies, and healthcare organizations.


Sodin/REvil listed 161 new victims this year, with 52 being manufacturers, as well as a few healthcare organizations, transportation/logistic companies, and construction firms. In March, the group hit computer and electronics manufacturer Acer and demanded a $50 million ransom.

When Quanta Computer, which manufactures notebook computers for Apple, refused to negotiate, as mentioned above, the Sodin criminals reportedly turned to Apple for the ransom. Sodin hackers posted on their blog called “Happy Blog,” a warning stating that if they did not get paid, they would publish what they claimed were technical details for current and future Apple hardware.


The DoppelPaymer ransomware group emerged in 2019. The DoppelPaymer group’s website claims they compromised 186 victims since making their debut with 59 in 2021 alone. The victims include numerous state and local government organizations, plus several educational institutions.

In December 2020, the FBI issued a warning that “Since late August 2019, unidentified actors have used DoppelPaymer ransomware to encrypt data from victims within critical industries worldwide such as healthcare, emergency services, and education, interrupting citizens’ access to services.”

Many of the SMBs the group claims as victims were never reported in the press, nor have many of the public sector entities. One of the exceptions is the Illinois Attorney General’s office, which first discovered the DoppelPaymer attack on April 10, 2021.

Clop (Cl0p)

The Clop ransomware first appeared in February 2019 and became better known in October 2020 when its operators became the first group to demand a ransom of more than $20 million. The victim, German tech firm Software AG, refused to pay.

Clop made headlines this year for culling through victims’ stolen data and retrieving contact information for the company’s customers and partners and emailing them to urge them to make the victim company pay the ransom.


DarkSide is a relatively new ransomware group. Esentire’s TRU began tracking it last December, about one month after it reportedly emerged. The operators claim on their blog/leak site to have infected 59 organizations in total, compromising 37 of them in 2021.

Victims are located in the U.S., South America, Middle East, and U.K. They include manufacturers of all types of products, such as energy companies, clothing companies, travel companies.

Late on May 13, the DarkSide blog/leak site went down with the DarkSide threat actors claiming that it had lost access to the infrastructure it uses to run its operation and would be closing. The notice cited disruption from a law enforcement agency and pressure from the U.S. Prior to the DarkSide website going down, the operators always stated that they provided their malware via a ransomware-as-a-service model.

The DarkSide operators claimed they are like Robin Hood by only going after profitable companies that can afford to pay a ransom. The group’s operators also noted that they will not attack hospitals, palliative care facilities, nursing homes, funeral homes, and companies involved in developing and distributing the Covid-19 vaccine, according to eSentire’s report.


Avaddon operators, whose ransomware demands first appeared in the wild in February 2019, claim they infected 88 victims during their lifetime, 47 of them in 2021. The nine ransomware attacks followed the ransomware-as-a-service model.

Its operators allow affiliates to use the ransomware with a portion of the profits paid to the Avaddon developers. The Avaddon threat actors also reportedly offer their victims 24/7 support and resources on purchasing bitcoin, testing files for decryption, and other challenges that may hinder victims from paying the ransom, according to Esentire.

How to Avoid Ransomware Attacks

Ransomware groups are wreaking havoc against many more entities than the public realizes, according to eSentire. No single industry is immune from this ransomware scourge which is happening across all regions and sectors.

Esentire recommends these tips to defend against ransomware attacks:

  • Backup all critical files and store them offline
  • Require multifactor authentication to access your organization’s virtual private network (VPN) or remote desktop protocol (RDP) services
  • Only allow only administrators to access network appliances using a VPN service
  • Domain controllers are a key target for ransomware actors. Ensure your security team has visibility into your IT networks using endpoint detection and response (EDR) agents and centralized logging on domain controllers (DCs) and other servers
  • Employ the principle of least privilege with staff members
  • Disable RDP if not being used
  • Regularly patch systems, prioritizing your key IT systems
  • Implement network segmentation
  • Mandate user-awareness training for all company employee

“From a cybersecurity industry perspective, there are some very effective security services, tools and policies available to companies to greatly help them protect their valuable data and applications from cyber threats such as ransomware, business email compromise, cyber espionage, and data destruction,” Sangster advised.

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics. Email Jack.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Jack M. Germain
More in Hacking

Technewsworld Channels