The Top Dark Web Trends in 2021

This is the first edition of our Dark Web Pulse, our revamped newsletter by the cyber team at Webz.io (formerly Webhose.io). Here you will find our latest discoveries from the depths of the darknets, trends, and other key insights from our expert team.

Just before 2021 is over, let’s take a look at recent news and key trends from the past year.

On November 26, Panasonic joined a long list of companies that suffered a data breach over the past year. On that day, the company announced that they had suffered an attack earlier that month, stating that “its network was illegally accessed by a third party.”

According to reports, the attackers had access to Panasonic’s servers for 4 months, between June and November 2021.

Using our Cyber API, we searched for the leak and early indications of that breach in our systems, and found posts that are likely to be a preliminary sign that an attack was in the making. We found two different posts on the popular hacking forum Raidforums, where an actor offered SQL-injection vulnerability for sale (see one of them in the image below).

Using this vulnerability, threat actors can access the company’s servers, which according to Panasonic’s announcement, is the method behind their breach.

Monitoring similar discussions and details that are sold on the dark web helps companies stay ahead of emerging threats, conduct in depth risk analysis and prevent future attacks.

Over the past year, ransomware gangs have ramped up their cyber attacks, increasingly targeting private companies but also hospitals and government agencies.

Using our Webz.io Cyber API, our analyst team has closely monitored these groups and identified top 5 trends in 2021:

1. The top communication channels used by ransomware groups – With many ransomware groups maintaining their own “leak sites” to publicize their targets, news and messages, we identified four main communication channels they use:
   • The most popular platform they use for their “leak sites” is the Tor Network since it is an encrypted network that helps them remain anonymous. 
   • Ransomware gangs also run the same sites on the open web in order to gain high exposure among a large audience. 
   • Telegram groups are also becoming increasingly popular as they function as an accessible but encrypted chat application to share their news or leaks.
   •  In addition to these platforms, some ransomware groups maintain active users in hacking forums in order to recruit new members and share important announcements.
2. The top 5 most targeted industries – The industry that had the highest mentions by ransomware gangs on the deep and dark web in 2021 was the technology industry. In second place came the finance industry, followed by the healthcare industry, the educational industry and the government sector, including government service providers. 

3. The top 3 countries whose companies are targeted by ransomware attacks – Using Webz.io’s location enrichment, we found that U.S. companies were the most targeted nation by ransomware gangs in the past year. They were four times more likely to be targeted than Canadian companies, which came in second, followed by U.K.-based companies in third place.

4. The 5 most active ransomware groups – The most active ransomware group this year was Lockbit, followed by other ransomware groups that hit a few headlines such as Conti, Pysa, REvil and Vice Society.

5. The emergence of new ransomware groups – New ransomware groups are emerging on a weekly basis. Only over the past week, we have added a few new ransomware groups to our Cyber API, including Rook and 54bb47h (Sabbath), that join a list of sites of established ransomware groups such as RobinHood and Snatch.

With the rise of ransomware attacks, it is becoming increasingly important to monitor ransomware groups’ platforms as they continue to change, disappear and reopen on a regular basis.

The Rise in Use of Alternative Social Media Platforms for Illicit Activities

One of the biggest trends we have seen across the web in 2021 is the rise of dozens of alternative social media platforms and the increased use of these platforms for radical activities and incitement. 

Many of these platforms were created as a reaction to moderation of content on mainstream social media and the consequent loss of trust among many users.

We have seen a significant increase in the number of alternative social media sites and platforms over the past year.  As new platforms continue to emerge over the past year, we have doubled the number of alternative sites we cover, which now include 30 alternative sites and platforms. 

Our team is closely monitoring these platforms and discovered that the top illicit discussions relate to radical views, conspiracy theories and incitement and organization of violent riots. 

As more and more social media users are looking for hidden places to discuss radical activities, monitoring these alternative platforms has become essential for comprehensive web intelligence coverage. As new emerging extremist groups are taking to these unregulated platforms, we continue to monitor these platforms using relevant keywords, hashtags as well as tracing  groups, pages and profiles that are related to radical activities.

Top Dark Web Cannabis Marketplace Shuts Down

One of the world’s largest dark web marketplaces for cannabis has been closed after a distributed denial-of-service (DDoS) attack. 

Cannazon’s operators said in a statement on Dread Forum that the DDoS attack was not the reason for the shutdown, but it provided an opportunity to close the website, as had been planned (see the post below).

In the post they write: “Since our first days it was pretty clear for us that we will never do an exit scam like some other markets. We prepared a strategy to minimise the risk of vendors exit scamming and buyers losing money.” They added: “The massive DDOS attack was a very good chance to lower the number of orders and we decided to keep the market partially offline afterwards.”

Our team has seen various marketplaces shut down following DDoS attacks this past year, including the one we reported last July, when the manager of the Royal Market, known as De_professor, announced they were victims of a DDoS attack (see image below).

In his statement, he claimed the attack followed threats from managers of other dark web marketplaces. These attacks are often suspected to be linked to competing-parallel platforms, as a way to limit or restrict activity of the other marketplaces.

DDoS attacks occur across the web and can affect the entire market. For example, as a result of the closure of a major dark web marketplace, new players often emerge to replace it. Vendors and buyers are also in danger of losing their money or purchases. Another effect is that it weakens the trust in existing and newly-opened marketplaces.

It is common to see dark web sites under attack, although sometimes the claim of a DDoS attack may not be true as it is an exit scam. Whether the attack is true or not, it often signals market instability.

This is the last edition of the Dark Web Pulse for 2021, we will return in the new year (in the second half of January) with more news and insights from the dark web. If you have any questions, reach out to us at: [email protected].

Until next time,

Team Webz.io