Deep Instinct identifies top 5 ransomware attacks in the first half of 2021

Mid-year threat landscape report has highlighted some of the ways that organizations and individuals are at risk online

James Spiro 13:2702.08.21

Israeli cybersecurity platform Deep Instinct, which uses deep learning to protect against zero-day threats and APT attacks, has released its bi-annual report highlighting some of the most pressing issues in the cybersecurity space. The report has identified that ransomware attacks have remained a dominant trend for attackers and has highlighted the five most effective ransomware attacks as well as some takeaways for how the world can best prepare against this new way of warfare.


“Cybersecurity attacks have continued to expand, not only in terms of threat vectors and sheer volume, but also in their damage and impact,” wrote the report’s author Shimon N. Oren, the company’s VP of Research and Deep Learning. “The global community has begun to realize the importance of communication and cooperation in investigating and pursuing cybercriminals and their networks, and malware and ransomware are now top agenda items in strategy meetings among global leaders.”
Shimon N. Oren, Deep Instincts’ VP of Research and Deep Learning. Photo: Nofar Hasson Handelman Shimon N. Oren, Deep Instincts’ VP of Research and Deep Learning. Photo: Nofar Hasson Handelman


The top five ransomware campaigns in H1 2021 were identified as the following:


STOP (Djvu) - 66.3%


By far the most popular tactic used by criminals was the STOP campaign first discovered in December 2018. Its method involves encrypting files on a victim’s computer using a specific algorithm and targets file extensions that include PDFs, Microsoft Office documents, photos, music, and applications. One STOP in particular, named Djvu, is a variant that can modify Windows functionalities that disables Windows Defender, blocking web traffic to security websites that would prevent the victim from downloading security and decryption tools.


Sodinokibi (REvil) 18.3%


Sodinokibi, also known as REvil, first appeared in April 2019 and has been involved in several targeted attacks against companies and government organizations. It operates as a ‘Ransomware-as-a-Service’ and uses a ‘double extortion’ tactic, meaning the victim’s stolen information is threatened to be released if the ransom is not paid. Notable examples include demanding $42 million from former U.S President Donald Trump and $50 million from the Taiwanese electronics company Acer.

Ryuk - 6.3%


This type of ransomware was first identified in August 2018 and has been used against municipalities, hospitals, and private companies. Ryuk infects a system and can gain administrator privileges capable of killing more than 40 processes and over 180 services, gaining persistence on the system. In March 2021, the malware welcomed the addition of worm-like capabilities that can help spot vulnerable machines on a network and encrypt those, too.


Avaddon - 4.6%


Avaddon was first discovered in early 2020 when a recruitment message was posted on a forum, suggesting it would operate in a Ransomware-as-a-Service model. Two days later, its first malware was spotted. In January of this year, it adopted a ‘triple extortion’ technique. This means that as well as stealing and encrypting the victim’s data, they also conduct DDoS attacks against the targets to force them to communicate. Allegedly, the team announced they were ceasing their operations following an attack on insurance company AXA.


DarkSide - 4.5%


Although the least prevalent form of ransomware attack, DarkSide is perhaps most famous for its attack on the Colonial Pipeline company in May of 2021. First appearing in August 2020, the group behind the malware operates as a Ransomware-as-a-Service company but notably avoids certain sectors such as health and education, according to a code of conduct adopted by the gang. As a consequence of the attack on the pipeline, which caused fuel shortages across the East Coast of the U.S, it became the target of several law enforcement agencies.


According to the report, there has been an 800 percent increase in ransomware attacks between January to June in 2019 compared to the same period in 2021. The Coronavirus pandemic surely helped cybercriminals infiltrate a wider network as millions started working from home, leading to more complex crime organizations deploying their attacks around the world. As well as maintaining a safe network at home, Deep Instinct also urges governments to partner with the private sector to help prevent future attacks.


The report was authored by members of the Deep Instinct Threat Research team including Shaul Vilkomir-Preisman, Bar Block, Moshe Hayun, Ido Kringel, Maxim Smoliansky, and David Krivobokov. The company uses the first and only purpose-built, deep learning cybersecurity framework. Its Deep Instinct Prevention Platform extends and enhances existing security stacks to provide complete protection against malware and other cyber threats anywhere in the enterprise - network, endpoint, and mobile.