Ransomware

The ransomware space was very active in the last quarter of 2021, with threat analysts observing 722 distinct attacks deploying 34 different variants.

This volume of activity creates problems for defenders, making it harder to keep up with individual group tactics, indicators of compromise, and detection opportunities.

Attack volume in the last quarter was 18% higher than in Q3 2021, while the comparison to Q2 2021 shows a difference of 22%, so there is a trend of increasing attack numbers.

Actors and targets

The most prevalent ransomware groups in Q4 2021, according to a report by Intel 471, were LockBit 2.0 (29.7%), Conti (19%), PYSA (10.5%), and Hive (10.1%).

Attack volumes by ransomware strain (Intel 471)

Compared to the preceding quarter, only PYSA had a noticeable rise in activity, which was also noted in a report by the NCC Group that examined November 2021 data.

The most targeted region was North America, accounting for almost half of all attacks by the ransomware operations mentioned above. Europe followed with roughly 30%, leaving only 20% to the rest of the world.

Regions targeted by Conti in Q4 2021 (Intel 471)

The stats are rather balanced across targeted industries, and only the consumer and industrial products sector stands out, accounting for one out of four attacks. Manufacturing, professional services, and real estate also had substantial shares.

Targeted industry sectors (Intel 471)

Shifting focus

Looking at trends relative to Q3 2021 data, the manufacturing sector dropped while consumer and industrial products rose. Life sciences and health care also had a significant rise.

This shift could be due to the seasonal interest in shopping during Christmas and Black Friday/Cyber Monday, which makes associated targets more lucrative.

Change in sector attack focus (Intel 471)

Healthcare also takes on a more critical role as we move towards the end of the year, possibly due to the winter in the northern hemisphere bringing higher viral transmission rates.

Ransomware groups aim to disrupt the operations of firms at the worst possible time, to increase the chances of a quick resolution in the negotiation over the demanded ransom.

For example, the FBI recently warned that ransomware gangs commonly target companies during mergers and acquisitions to further apply pressure during negotiations.

However, in many cases, the targeting is purely opportunistic in nature: ransomware gangs simply attack whoever they can gain access to rather than choosing victims based on any vertical or season.
