McAfee Enterprise witnesses a surge in REvil and DarkSide ransomware proliferation in Q2 2021



McAfee Enterprise has witnessed a surge in REvil and DarkSide ransomware proliferation in Q2 2021. McAfee Enterprise published its Advanced Threat Research Report: October 2021, which examined cybercriminal activity linked to ransomware and cloud threats in the second quarter of 2021. With the transition to a more flexible pandemic workforce and the well-known Colonial Pipeline attack, cybercriminals brought new and updated threats and methods in campaigns targeting major industries, including government, finance, and entertainment.

“Ransomware has evolved far beyond its origins, and cybercriminals have become smarter and quicker to pivot their tactics alongside a whole host of new bad-actor schemes,” said Raj Samani, McAfee Enterprise fellow and chief scientist.

He also said, “Names such as REvil, Ryuk, Babuk, and DarkSide have permeated into public consciousness, linked to disruptions of critical services worldwide. And with good measure, since the cybercriminals behind these groups, as well as others, have been successful at extorting millions of dollars for their personal gain.”

McAfee evaluates the state of the cyber threat landscape every quarter based on in-depth research, investigative analysis, and threat data collected by the McAfee Global Attack Intelligence cloud from over a billion sensors across different threat vectors around the world.

Ransomware Increases Dominance with Colonial Pipeline Impact

Following the attack on the Colonial Pipeline, ransomware became a high-profile cyber agenda item for the United States administration in the second quarter of 2021. The impact of the pipeline’s unexpected halt was felt across most of the eastern United States, resulting in a frantic consumer fuel run. Ransomware has also been evicted from previously safe cybercriminal underground forums, which has had a negative effect on the supply chain: two of the most popular underground sites, XSS and Exploit, announced a ban on ransomware adverts in response to the Colonial Pipeline attack. The attack also appears to have caused the DarkSide ransomware group to cease operations abruptly, though McAfee Enterprise believes its silence, which coincided with the appearance of the BlackMatter group, is more than coincidental, especially since it mirrors the same move made before and after REvil’s period of silence. Despite these noticeable changes in behavior, McAfee Enterprise’s worldwide threat network discovered a spike in DarkSide attacks in the United States, mostly targeting the legal services, wholesale, and manufacturing sectors.

Other ransomware groups using similar affiliate models, such as Ryuk, REvil, Babuk, and Cuba, were as troubling as DarkSide’s activities. They used business strategies that encouraged others to participate, taking advantage of shared entry vectors and comparable techniques to move through an environment. In fact, in Q2 2021, REvil/Sodinokibi dominated our ransomware detections, accounting for 73 percent of our top-10 ransomware detections.

COVID-19 Impact on Workforce Continues to Increase Cloud Threats

In the second quarter of 2021 we saw the problems of adapting cloud security to a more flexible pandemic workforce and a greater workload, which gave attackers more potential exploits and targets.

According to McAfee Enterprise Advanced Threat Research, among the top 10 reporting countries (the United States, India, Australia, Canada, Brazil, Japan, Mexico, the United Kingdom, Singapore, and Germany) in Q2 2021, the following cloud threat incidents and targets rated highest:

• The most reported cloud incidents were in the financial services sector, followed by healthcare, manufacturing, retail, and professional services.

• Fifty percent of the top ten cloud events targeted financial services, including occurrences in the United States, Singapore, China, France, Canada, and Australia.

• In the United States, cloud incidents targeting verticals amounted to 34% of all occurrences, compared to 19% in the United Kingdom.

• The United States had the most cloud events targeting countries, followed by India, Australia, Canada, and Brazil.

• Cloud-based incidents aimed at the United States accounted for 52 percent of all events.

Q2 2021 Threat Activity

Ransomware. Ransomware is the focus of this section. Government was the sector most commonly attacked by ransomware in Q2 2021, followed by Telecom, Energy, and Media & Communications.

Attack Vectors. Malware was the most commonly employed tactic in reported events in Q2 2021. From Q1 to Q2 2021, the number of reported occurrences of Spam increased by 250 percent, followed by 125 percent for Malicious Script and 47 percent for Malware.

Sector Activity. During the second quarter of 2021, McAfee Enterprise observed a 64 percent increase in publicly reported cyberattacks targeting the governmental sector, followed by a 60 percent increase in the Entertainment industry. By contrast, Information/Communication fell by 50% in Q2 2021, while Manufacturing fell by 26%.

Regions. In Q2 2021, these occurrences increased mostly in the United States and Europe. In the second quarter, the United States had the most reported occurrences, and Europe had the biggest increase in reported events, at 52 percent.
