Affiliate Programs

Ransomware Empire: Who might blackmail your company?

Ransomware Empire: Who might blackmail your company?
Written by publishing team

The history of ransomware attacks covers just over 30 years. During this modest period, cybercriminals have worked relentlessly to build ransomware capabilities and improve the logistics of facilitating the infections of their victims and reaching the most notorious targets. This helped ransomware operators rise to the top of the cybercriminal hierarchy and earn the name of the number one cyber threat. In the first 11 months of 2021, more than 60% of all incidents investigated by Group-IB were related to ransomware.

Few people know that the first prototype of what we know today as ransomware appeared as early as 1989. Although he did not know how to encrypt files, the history of ransomware begins with this sample. Many concepts that we today consider indispensable features of ransomware, such as exorbitant ransomware, ransomware as a service (RaaS), and data leakage sites (DLS) are yet to come.

In our report “High-Tech Crime Trends 2021/2022. Part Two. Corporansom: Threat Number One,” Group-IB attempted to find out how the ransomware industry’s focus has shifted from advanced targeted attacks to untargeted affiliate malware distribution programs by looking at the history of how development of these services. Using the capabilities of our intelligence and attribution system, we looked in detail at the major malware samples, tactics, techniques, and tools used by threat actors, as well as the events in the dark web that led to the emergence of Ransomware Empire today.

early years

The first predecessor to modern ransomware that cybersecurity analysts know was spread using floppy disks (CDs) in 1989 to extort money from users using social engineering techniques. However, the Trojan was unable to encrypt the data and its creators were not aware of monetization methods other than phishing.

Extortion also used to be a common tactic for threat actors who carried out DDoS attacks to gain money from their victims, who were highly vulnerable to DDoS attacks at the time due to the lack of content delivery networks. By adding data encryption to their arsenal in 2004, when PGPcoder appeared, cybercriminals approached the concept of ransomware as we know it today. PGPcoder operators demanded a ransom of about $13 from their victims – a paltry sum by today’s standards, when ransom demands soared to more than $200 million. However, this malware failed to gain much popularity as it only targeted individuals and strained their low-performing devices at the time, making it easy to detect.

The late 2000s saw a new trend: Threat actors began blocking some functions of the operating system to demand ransom. This marked the era of WinLock, which gave rise to a phenomenon known today as Ransomware-as-a-Service (RaaS). The popularity of wardrobes continued to grow and peaked in 2012, after which it began to decline. It has been replaced by the infamous Cryptolocker ransomware, which has led to an increase in the number of ransomware offers and RaaS ads on secret forums. The main target of ransomware operators at the time were individuals.

Go big or go home

The turning point in the modern history of ransomware occurred in 2015, when attackers’ focus shifted to corporate targets, after realizing that organizations were far more valuable prey from a business perspective. 2018 saw the birth of one of the most popular affiliate programs – GandCrab; According to some sources, the source code of this malware formed the basis of REvil’s Trojan.

GandGrab became the precursor to the phenomenon of Big Game Hunting: it created teams dedicated to various activities, one of which was attacking the big companies. But another radical transformation of the ransomware industry was launched by the Snatch and Maze gangs, which, in addition to encrypting corporate data, began to download them from the networks of their victims and spread them on their own resources. These sites, which aim to publish data about hacked organizations that have refused to pay data in a so-called double blackmail technique, have been dubbed Data Leakage Sites (DLS). Data leakage sites have been widely adopted as this technique has greatly increased the conversion rate, i.e. the share of companies that have chosen to pay the ransom.

The use of DLS-based double blackmail technology, the active development of the RaaS software market, as well as the increase in the popularity of ransomware among cybercriminals who used to have a more difficult way to earn money, contributed to the emergence of ransomware empire on the stage of cybercriminals.


The past three years have seen the emergence of 51 RaaS affiliate programs. Some like LockBit, Hive, SunCrypt or Avaddon rose, while others fell – realOnline Locker, Keystore Locker and Jingo Locker. During the period from the second half of 2020 to the first half of 2021, at least 21 new RaaS programs appeared on secret forums, which is a 19 percent increase over the corresponding period the previous year. Ads promoting these programs appeared on at least 15 Darknet forums between H1 2019 and H2 2021, run by Russian-speaking moderators. Darknet Forum Exploit[.]in was the most popular of them all, with RAMP and also reaching the top three.

It is noteworthy that during the review period, after a wave of massive attacks by various groups, especially REvil, the owners of the forums banned affiliate programs for advertising on secret forums. They explained that the spread of ransomware has drawn a lot of attention to the activities of other hackers. RAMP was created in response to the so-called No More Ransom movement.

The emergence of RaaS affiliate programs peaked in the second half of 2020, when 14 new frameworks appeared, which is a 75% increase compared to the first six months of 2020. However, the frequency of emergence of new DLSs was much higher: for comparison, In 2021, Group-IB analysts discovered 29 new DLS, and only 12 new affiliate programs, indicating that many ransomware programs remain private.

However, the double-extortion technique is just as popular among private and public RaaS affiliate programs, as the number of victims whose data was released on DLSs rose in the review period. In the second half of 2020 to the first half of 2021, the number of ransomware victims whose data was leaked on DLSs reached 2,371, an increase of 935% over the previous review period. It is noteworthy that in the first three quarters of this year, ransomware operators published 47% more data (1,966 companies) than in all of 2020, when 1,335 organizations were affected.

These statistics only partially reflect the rate at which the number of ransomware incidents is increasing, while the actual numbers are an order of magnitude higher. Evidence in support of this assumption was an analysis of the Hive RaaS affiliate admin panel, which showed that the gang released information on only about 13% of their victims.

Based on the analysis of DLSs, in 2020, Maze, Egregor, Conti and REvil were the most aggressive ransomware strains.


More aggressive ransomware strains in 2021 vs. 2020

In the current year, the situation has changed, the share of some ransomware gangs has decreased, the number of small ransomware groups has increased. Despite this, the Conti company managed to consolidate its leadership, as the largest number of victims was posted on the DLS – 361.

Sail around the world

According to data from DLSs analyzed by Threat Intelligence Group-IB analysts, the United States was the country most attacked in 2020, followed by Canada and the United Kingdom. The first five countries to be attacked also included France and Germany. In 2020, the regions with the highest number of casualties were North America, Europe, and the Asia-Pacific region.

This remained unchanged in 2021 as well. The situation has not changed significantly this year for the countries with the largest number of ransomware victims. France appeared in the top three, while Germany slipped to sixth.


Distribution of ransomware victims published on DLSs in 2021 by country

Speaking of industries that are prime targets for ransomware operators, they have been manufacturing, real estate, and transportation. The situation in 2021 has remained virtually unchanged, which indicates that attackers are targeting essentially the same types of businesses they believe are the most profitable.

Everything is fair in the ransomware market

The ransomware-as-a-service (RaaS) market has expanded rapidly and many financially motivated groups have shifted their focus to ransomware attacks, two factors that have both led to a rise in the number of investigated incidents of this type. In the first quarter of Q3 2021, ransomware attacks accounted for more than 60% of all incidents investigated by Group-IB. However, although this type of attack has rapidly increased and many different groups of cybercriminals are involved, there has been significant overlap in the tactics, techniques, and procedures used by the attackers. Moreover, the typical set of ransomware techniques and tools has basically remained the same.

Another factor that has greatly influenced the scale and success of ransomware attacks is the development of a market for primary access brokers, which has allowed many attackers to gain easy access to networks. In general, similar to the previous reporting period, the most used primary access techniques were remote access services hacking, phishing, and public application exploits. In terms of post-exploitation, Group-IB experts have identified the most frequently used attack techniques in security incidents. These were the command interpreter, scripting, remote services, and remote system discovery.

The current developments in the ransomware market can be seen as a so-called abolitionist, with the number of RaaS programs increasing, but decreasing in scope. However, the overall damage from RaaS operators is likely to continue to increase, driven by the emergence of new players and collaboration between RaaS software and corporate network access vendors.

Additionally, to complicate the course of potential prosecutions, the same individuals are likely to launch several RaaS programs under different brands. More predictions and recommendations on measures to be taken to guard against ransomware attacks can be found in “Hi-Tech Crime Trends 2021/2022″. part two. Corporansom: Threat Number One”.

About the author

publishing team

Leave a Comment