The first quarter of 2021 saw a noticeable decrease in ransomware activity. After some of the most active ransomware families were shut down and their developers arrested by law enforcement, other crooks decided to lie low for a while. In the second quarter they came back with a vengeance: since April, cybersecurity analysts have observed a significant rise in ransomware cases, as if nothing had happened.
Loud and proud: attack on the Colonial Pipeline Company
May 2021 brought one of the most widely publicized ransomware attacks on a corporation to date. Colonial Pipeline operates the largest refined-products pipeline system in the United States, about 5,500 miles of pipeline used to transport gasoline, diesel and jet fuel, with a capacity of roughly 3 million barrels of fuel per day. The majority of the fuel supply on the East Coast depends on this pipeline system.
On May 7, the DarkSide ransomware group hit the company. Colonial Pipeline shut down its pipeline operations for about six days while it responded to the incident. According to the attackers, they exfiltrated about 100 GB of internal company data, which they threatened to sell on the darknet. DarkSide demanded a ransom of roughly $4.4 million (75 bitcoin), and Colonial Pipeline's management decided to pay it. It is far from the largest ransom ever demanded, but the damage reached far beyond the company's computers [1].
Things have gone too far
The halt in fuel deliveries caused serious shortages in states all along the East Coast. Gasoline prices surged, and some fueling stations had to close because their storage tanks ran dry. According to analysts, at some points nearly 20% of stations in the affected states were without fuel.
Colonial Pipeline outage update: as of 9am CT, GasBuddy reports all states now under 20% outages, which remain stubbornly high, likely thanks to high gasoline demand slowing restorations down.
% of stations without gas:
GA 19%
SC 18%
NC 16%
VA 10%
TN 9%
— Patrick De Haan ⛽️📊 (@GasBuddyGuy) June 4, 2021
Nonetheless, having caused such an effect, the DarkSide developers announced that they were shutting down [2]. It looks as if they were frightened by the scale of what they had done, or by the fact that the FBI had opened an investigation into the case. Being arrested by the FBI is a pretty bad end to a cybercriminal's career, isn't it?
The incident caused a strong reaction across the ransomware market. Some darknet forums began removing all ransomware-related topics to avoid attention from law enforcement. The operators of the Avaddon and Sodinokibi (REvil) families claimed to have instructed their affiliates (the partners who handle distribution) about which targets to avoid.
Not only DarkSide: Avaddon shutdown
The aforementioned Avaddon ransomware, which was active at the time of the Colonial Pipeline incident, also shut down. Whether the decision was a reaction to the DarkSide shutdown is unknown. One thing is certain, though: the operators released the decryption keys for all victims who had not paid.
Such a happy ending is not the first. Earlier, in mid-2019, the GandCrab operation shut down in a similar way. Its operators claimed to have earned more than $2 billion, a sum they said would be enough for even their grandchildren to live comfortably, and then dissolved; a free decryptor covering all GandCrab versions was published shortly afterwards.
Ransomware statistics in Q2 2021
The top 10 ransomware families by number of cases did not change significantly. There are no newcomers, and none of the established actors dropped out. As in Q1, first place belongs to the STOP/Djvu family, with a share of more than 71% of all cases: it dominates the ransomware market.
| Ransomware family | Share, % |
|---|---|
| STOP/Djvu | 71.2 |
| Phobos | 3.5 |
| Sodinokibi | 2.4 |
| QLocker | 2.3 |
| Makop | 2.2 |
| Dharma | 2.0 |
| Magniber | 1.6 |
| eCh0raix | 1.4 |
| Lockbit | 0.9 |
| GlobeImposter | 0.9 |
Most of the families listed above kept their positions. The total number of reported cases grew by about 43%, from roughly 385,000 in Q1 to almost 550,000 in Q2. That is a large quarter-over-quarter jump, but the activity level is roughly the same as in Q4 2020. Will it keep growing? No one can say for sure: while some families have shut down for one reason or another, new ones keep appearing.
Ransomware statistics by country
The changes in the statistics by country are much like those by family: no global shifts, just small rebalances of ransomware activity from one country to another. Notably, there are almost no ransomware cases in Russia, although its population is roughly the same as Mexico's. Plenty of signs point to the majority of ransomware families originating in Russia; many of them, DarkSide and Sodinokibi included, check the system language or keyboard layout and refuse to run on machines configured for Russian or other CIS locales.
| Country | Share, % |
|---|---|
| India | 21.3 |
| Indonesia | 10.0 |
| South Korea | 5.5 |
| Egypt | 4.1 |
| Brazil | 3.9 |
| Pakistan | 3.8 |
| USA | 3.4 |
| Germany | 2.5 |
| Philippines | 1.9 |
| Italy | 1.7 |
Some countries dropped out of the top 10. There may be many reasons, but only the ransomware distributors themselves could explain them. Turkey and Spain, which had shares of 2.3% and 2.1% respectively in Q1, are no longer in the top 10; their places were taken by the Philippines (almost 2%) and Germany (2.5%).
Summing up
Ransomware is among the most damaging kinds of malware in existence today. The organization behind these cybercrimes, and the resilience of the whole ecosystem, is remarkable. Malware is surely a bad thing, but it teaches users a lot: many people have stopped using "free" Photoshop or 3ds Max and have forgotten about hack tools like KMSPico, since such downloads are a sure way to get infected. It would be far better to learn this simple truth without losing thousands or millions of dollars. Unfortunately, most people only lock the barn door after the horse has been stolen.
References
1. More information about the cyberattack on Colonial Pipeline.
2. DarkSide ransomware developers announced their shutdown.