New Ransomware Groups Emerge To Massively Change the RaaS Ecosystem

Intel 471, a cybercrime intelligence company, has recently claimed to have observed a massive change in the RaaS (ransomware-as-a-service) ecosystem. It analyzed 612 ransomware attacks, which may be associated with thirty-five different ransomware variants, from July until September 2021. Over the measuring period, it noticed that new variants had replaced RaaS or ransomware groups dominating the ecosystem until a few months ago.


Uncover adversaries across your network, endpoint, and SIEM data through LIFARS Managed Threat Hunting Response Service.


Note that new variants are relatively lesser-known and entirely different than a few months ago. The prominent ransomware groups that climbed in notoriety over the first six months of the current year took a backseat. According to Intel 471, four variants are responsible for 60% of ransomware attacks. LockBit 2.0, in particular, was to blame for about 33% of the observed attacks. Meanwhile, Conti accounts for 15.2%, BlackMatter covers 6.9%, and Hive is responsible for 6% of attacks.

The novelty in the RaaS groups might be the result of law enforcement, backbiting among ransomware groups, or people abandoning variants overall. Despite a massive shift in the RaaS landscape, however, ransomware incidents are yet rising as a whole. Manufacturing, professional services and consulting, industrial products, and real estate are the most impacted sectors. Conversely, the lesser impacted ones include financial services, healthcare, and life sciences.

The Emergence of New Ransomware Variants

Interestingly, June 2021 witnessed the discovery of the LockBit 2.0 ransomware variant. Quickly, it emerged as the most prominent one in the third quarter of 2021. It is to note that the original LockBit disappeared in late 2020 before the LockBit 2.0 surfaced after six months. Its most popular scalp up to this point has been Accenture. Undoubtedly, it bombarded this scalp with a DDoS attack and leaked information in a bid to impose a $50-million ransom payment.

Conti, however, witnessed a 64% reduction of use in attacks during the measuring period compared to the second quarter of the current year. Still, Intel 471 observed it in roughly 100 incidents. All the same, the US is the most affected country by Conti during this measuring quarter.

While considering the third significant variant, it was July 2021 when BlackMatter ransomware got discovered. According to several cybersecurity vendors, it likely derived from the DarkSide ransomware. One reaches this conclusion based on various technical code similarities, several linguistic indicators, and the manner of the name-and-shame blogs of victims.

Discovered in June 2021, Hive is a comparatively new RaaS affiliate. The affiliates pressurize the victims by relying on a name-and-shame blog. Furthermore, several ransomware attacks on hospital systems in the United States are attributable to this variant. Despite the health care focus, 18% of ransomware attacks attributed to Hive were consumer and industrial products.


The defenders must realize that the threat will stick around as long as victims pay up and antagonistic nations protect attackers. But understanding the changing tactics of cybercriminals is critical to safeguard organizations against devastating ransomware attacks. Not only has that, but it is also essential to remain proactive in the defense posture. You can leverage proactive security services for developing tactics and strategies against cybersecurity threats. 



All shift at the top as new ransomware variants emerge
Intel 471: new variants differ from prior years.
The emergence of new ransomware groups