Ransomware Review – September 2021

This month saw the return of the REvil ransomware group (also known as Sodinokibi). The group’s infrastructure went offline in July, soon after their high-profile supply-chain attack targeting Kaseya. At the time, it was unclear if this was a voluntary decision or stemmed from a potential operation by law enforcement entities. However, the group’s infrastructure has now come back online and new victims are being publicly named on the re-launched leaks site, albeit at a considerably slower rate than before, potentially indicating that the threat actors are not carrying out as many attacks as they were previously. It is also noteworthy that a decryptor for REvil was recently released, which is likely to further hamper the group’s activity in the short term.

The BlackMatter ransomware group has become increasingly active in the past month, having disclosed the third-highest number of victims publicly via their leaks site (behind LockBit and Conti). While this does not necessarily equate to increased success for the group, it does indicate a relatively high rate of attacks. Recent high-profile victims of the BlackMatter ransomware include Olympus, NEW Cooperative and Crystal Valley Cooperative. The latter two victims are of particular note, given their role in the agricultural sector and the potential disruption these attacks will have on food supply chains.

The operators of BlackMatter claim they do not attack critical infrastructure, yet the Biden Administration’s current position is that food and agriculture constitute critical infrastructure. Therefore, it is possible these attacks will result in a disruptive law enforcement operation targeting BlackMatter, like the operation that targeted DarkSide after the Colonial Pipeline attack. BlackMatter has also recently launched an updated version of their malware, which includes many features found in other types of ransomware. Barring unforeseen events, such as an exit scam or intervention by law enforcement, we anticipate that this group will continue to grow in the coming months.

A new ransomware gang, known as Groove, has emerged. These threat actors appear to be connected to the Babuk ransomware operation. On a forum associated with Babuk, the Groove operators claimed that they ended their business relationship with other members of Babuk after the Washington DC Metropolitan Police Department attack. However, it is also noteworthy that several days prior to this post, the source code of the Babuk ransomware was leaked. So far, the Groove threat group has only named a handful of victims publicly on its leaks site. However, Groove was responsible for the recent leak of approximately 500,000 Fortinet VPN credentials, which was potentially intended to promote their ransomware and operation.

Finally, the LockBit operators continue to disclose a large number of victims via their data leaks site. In August, they disclosed the second-highest number of victims, just behind Conti. In September, LockBit disclosed the highest number of victims by a significant margin. It should be noted that public disclosure of victims is just one of many metrics for measuring ransomware activity and that naming victims does not necessarily indicate attacker success. Nevertheless, the sheer volume of public activity does indicate the LockBit group is carrying out attacks at a high rate.

Key Events

1 September – The FBI issues an advisory concerning ransomware attacks targeting the food and agriculture sector.

3 September – A disgruntled member of the Babuk ransomware group leaks the source code of their malware on a darknet forum. This leak included Babuk variants specifically for targeting Windows, VMware ESXi and NAS systems.

5 September – Irish authorities reportedly carry out a disruptive operation targeting Conti’s infrastructure. This disruption was likely intended as retaliation for the recent Conti attack against Ireland’s Health Service Executive.

8 September – REvil infrastructure comes back online. Subsequently, new victims were added to the group’s data leaks site.

9 September – Credentials for approximately 500,000 Fortinet VPN user accounts are leaked on RAMP Forum, a darknet forum associated with the Babuk ransomware. Data in this leak includes usernames, cleartext passwords and associated IP addresses. This leak was also shared by the operators of the Groove ransomware.

10 September – A new ransomware group known as Darkcrypt emerges, taking responsibility for an attack against Bar Ilan University in Israel.

10 September – The Vice Society ransomware group targets Barlow Respiratory Hospital, a Los Angeles-based healthcare unit.

13 September – The Department of Justice and Constitutional Development of South Africa discloses a ransomware attack.

13 September – The operators of the LockBit ransomware publicly reach out to the operators of the Meris botnet to suggest a potential partnership. The Meris botnet conducts large-scale Distributed-Denial-of-Service (DDoS) attacks to extort organisations with ransom demands.

13 September – Japanese medical technology company Olympus hit by the BlackMatter ransomware.

14 September – A new ransomware group known as AtomSilo is identified.

16 September – US-based online services provider TTEC hit by the RagnarLocker ransomware.

16 September – Free decryptor for the REvil ransomware publicly released.

21 September – The BlackMatter ransomware group discloses two new victims: NEW Cooperative, a US-based farmers’ cooperative, and Marketron, a US-based software solutions provider.

22 September – BlackMatter targets a second victim in the US agriculture sector, Crystal Valley Cooperative.

26 September – The Vice Society ransomware group targets United Health Centers (UHC).

26 September – The Conti ransomware group targets GSS, the Spanish and Latin American division of Covisian, and one of Europe’s largest customer care and call centre providers.

28 September – The data leaks site for a potential new ransomware group known as Karakurt is launched.