5 Most Active Ransomware Gangs in 2021 and Their Attack Patterns

cover image

Ransomware has become the biggest cybersecurity threat to all kinds of organizations regardless of industry and size. Since 2019, ransomware gangs and operators have continuously refined their attack methods to gain greater leverage by avoiding detection and infecting highly critical servers. From an economic standpoint, as long as the price of the ransom is below the projected costs of operation disruption and data leak, it is always rational for an organization to make the payment. Hence, the more leverage the attackers gain, the higher the price becomes.

With the majority of ransomware attacks today being double extortion attacks, victims are finding it more and more difficult to recover, making it harder to refuse ransom demands despite their skyrocketing prices. In the first half of 2021, we have seen a number of highly disruptive ransomware attacks with record-breaking ransom demands.

In this article, we will look at five of the most active ransomware gangs in 2021 and some of their key characteristics.


REvil – most expensive ransom demand

REvil, also known as Sodinokibi, is a financially motivated ransomware gang that operates as a ransomware-as-a-service (RaaS). RaaS is a business model in which the ransomware gang sells their ransomware tools as a subscription model to affiliated hackers, who then use the tools to launch targeted attacks. The ransomware gang then receives a portion of the ransom payments collected. The increased prevalence of RaaS is highly concerning because it allows any entry-level hacker to easily conduct sophisticated ransomware attacks against large targets. Moreover, the fact that the ransomware gang does not need to directly initiate the attacks makes them very difficult to trace. Having a lot of affiliates also means that many attacks can be carried out at the same time.

Emerged from Asia in early 2019, REvil is known for its double extortion attacks and is infamous for demanding extremely high ransom payments. Data stolen are usually posted on REvil’s leak site known as “Happy Blog”. Thanks to its massive affiliate network, the REvil group has a wide pool of data to exploit, allowing it to breach targets using a variety of methods. Some of the most common techniques include sending phishing emails or exploiting software and web vulnerabilities. Other times, REvil would gain unauthorized access through data readily available from other leaks.

REvil has been highly active since the beginning of 2021 and has conducted several high-profile attacks against some of the largest companies in the world. In March, an affiliate of REvil stole data from computer giant Acer and deployed ransomware to its systems. Initial demand of $50 million made it the most expensive ransom demand ever. Forensic investigations showed that the attackers gained access to the systems using leaked data from the Microsoft Exchange Server supply chain attack.

Soon later in April, REvil breached another Taiwanese company, Quanta, which happened to be an outsourced manufacturer of Apple products. Stolen data contained not only information related to Quanta, but also designs of unreleased MacBooks, Apple Watches, and Lenovo ThinkPad laptops. REvil used these as leverage to demand $50 million worth of ransom payments from both Quanta and Apple.

In May, REvil attacked JBS S.A., the world’s largest processed meat distributor, leading to significant disruptions to the supply chains of North America and Australia.


Conti – greatest threat to healthcare

First appearing in mid-2020, Conti ransomware is operated by the Wizard Spider cybercrime group, an organization based in Saint Petersburg, Russia. Within a year, the group became one of the most wanted targets by the FBI and Europol. Despite having no direct links to the Russian government, local law enforcement appeared to be highly lenient towards the group. 

Utilizing AES-256, Conti ransomware has the fastest encryption speed in the industry. The group is heavily criticized for taking advantage of the COVID-19 situation by initiating double extortion attacks against the public and healthcare sectors. Its most recent attack against Ireland’s Health Service Executive (HSE) in May 2021 has disrupted the entire country’s healthcare and social services for months after Irish PM Micheál Martin refused to pay the $20 million ransom. An update on June 28 showed that the country’s hospitals continue to operate without internet access and do not expect to fully recover anytime soon. Patients are asked to bring in their own health records, whereas diagnosis and treatment details are recorded using pen and paper. HSE’s Director expected the total recovery costs to exceed $600 million.

In June 2021, the FBI issued a warning to all healthcare organizations after its investigations showed that the Conti ransomware gang had targeted at least 16 healthcare organizations in the US alone.

Apart from the healthcare industry, Conti ransomware also frequently attacks other public organizations. In December 2020, the group successfully breached the Scottish Environment Protection Agency (SEPA), sending the email servers, reporting tools, and databases offline throughout January. A portion of the 1.2 GB of stolen data was posted on Conti’s leak site.

The Conti ransomware gang often gains initial access through email phishing or by exploiting hardware and web vulnerabilities. With an average ransom payout of $900,000, Conti ransomware is one of the greatest threats to the healthcare industry today.


DarkSide – culprit of the Colonial Pipeline attack

Active since August 2020, DarkSide’s creators used to run the attacks themselves, but later adopted a RaaS model just like REvil, selling subscription plans on Russian-speaking hacking forums.

In less than a year, DarkSide made international headlines after one of its affiliates carried out an attack that paralyzed the US-based Colonial Pipeline in May 2021. As the largest pipeline in the US that supplies 45% of fuel on the East Coast, the disruption caused an immediate fuel shortage across more than a dozen states and led to a temporary oil price spike. A ransom deal of $5 million was soon reached due to political pressure.

The pipeline attack made DarkSide one of the greatest adversaries of the US government. As such, the group later softened its rhetoric by claiming that it has no political intention and that its sole purpose is to make money, while promising to supervise its affiliates more responsibly in the future.

DarkSide’s intrusion method is mostly based on manual hacking techniques. By identifying critical servers and obtaining admin credentials, it slowly escalates its permission within the network and deploys ransomware on its way. DarkSide’s affiliates use more advanced approaches such as exploiting software vulnerabilities in corporate IT systems.


Ragnar Locker – the stealth attacker

Ragnar Locker ransomware was first spotted in early 2020, and became the first ransomware strain with the ability to hide within the targeted network by deploying as a virtual machine on individual devices. For instance, in a major attack against energy giant Energias de Portugal (EDP), ransomware was hidden and deployed inside an Oracle VM VirtualBox virtual machine running on Windows XP. More recently, Ragnar Locker breached Taiwanese-based DRAM maker ADATA in May 2021 and stole 1.5 TB of data prior to deploying the ransomware. 

Similar to all other ransomware strains, Ragnar Locker gains its entry to targeted networks by exploiting software vulnerabilities or leveraging social engineering attacks such as phishing. Running on Microsoft Windows virtual machines, what makes Ragnar Locker distinctive is its capability of bypassing detection by disabling certain devices hosted by managed service providers.


Clop – linkage with Accellion FTA supply chain breaches

Clop ransomware was evolved in 2019 from a previous strain called CryptoMix, which was associated with financially motivated threat actor TA505. Prior to REvil, Clop was the first ransomware gang to demand ransom payments above $20 million when it attacked German IT giant Software AG back in October 2020. 

This year, Clop ransomware was found to be involved with FIN11 in exploiting the vulnerabilities of Accellion FTA servers, resulting in one of the largest software supply chain attacks in history. Even though it is unclear whether the Clop ransomware gang directly exploited the vulnerabilities or was given the data by others, Clop’s involvement was undeniable as it was able to gain access to a large number of the Accellion victims. Through this supply chain breach, Clop claimed to have obtained sensitive data from Royal Dutch Shell, Canadian aerospace giant Bombardier, US law firm Jones Day, US bank Flagstar, and several universities including Stanford, California, Colorado, and Miami. Clop ransomware claimed responsibility for a total of 39 breaches in 2021 alone, according to its leak site.

On June 16, 2021, six suspected members of the Clop ransomware gang were arrested by Ukrainian police in cooperation with law enforcement bodies of the US and South Korea, making it the first mass arrest against a ransomware group in history. However, only a few days later, Clop ransomware claimed two new victims, showing that the arrest only posed a minor impact on the group. Still, in the near future, we may expect Clop to rebrand themselves to avoid further attention from law enforcement. Cases like this show that it is nearly impossible for law enforcement to completely eradicate ransomware gangs.


Stay Prepared for the Fight Against Ransomware

Ransomware gangs target everyone. From corporations to governmental institutions, healthcare providers to schools, no particular industry is off the radar. This means that every organization must raise its alarm and stay fully prepared for a potential ransomware attack.

Since a large number of ransomware attacks originate from phishing, it is crucial to not only protect admin credentials, but keep their privileges to a minimum. An identity and access management (IAM) solution like iSIGN+ utilizes single sign-on (SSO) multi-factor authentication (MFA) to keep accounts safe from leaked login credentials, without causing inconvenience to the user. Its authorization tools control access to crucial systems, adding another layer of protection to sensitive data.

Lastly, as the last line of defence, always encrypt sensitive data to prevent the attackers from using stolen data as leverage. To learn more about database encryption, see: The Benefits of Using a Database Encryption Solution.


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: iSIGN+ 

Car, Energy, Factory, City Solutions: Penta IoT Security