Top 5 Ransomware Group Trends in 2021

Over the past year, ransomware gangs have ramped up their cyber attacks, increasingly targeting private companies but also hospitals and government agencies.

Using our Webz.io Cyber API, our analyst team has closely monitored these groups and identified top 5 trends in 2021:

1. The top communication channels used by ransomware groups – With many ransomware groups maintaining their own “leak sites” to publicize their targets, news and messages, we identified four main communication channels they use:
   • The most popular platform they use for their “leak sites” is the Tor Network since it is an encrypted network that helps them remain anonymous.
   • Ransomware gangs also run the same sites on the open web in order to gain high exposure among a large audience.
   • Telegram groups are also becoming increasingly popular as they function as an accessible but encrypted chat application to share their news or leaks.
   • In addition to these platforms, some ransomware groups maintain active users in hacking forums in order to recruit new members and share important announcements.
2. The top 5 most targeted industries – The industry that had the highest mentions by ransomware gangs on the deep and dark web in 2021 was the technology industry. In second place came the finance industry, followed by the healthcare industry, the educational industry and the government sector, including government service providers.
3. The top 3 countries whose companies are targeted by ransomware attacks – Using Webz.io’s location enrichment, we found that U.S. companies were the most targeted nation by ransomware gangs in the past year. They were four times more likely to be targeted than Canadian companies, which came in second, followed by U.K.-based companies in third place.
4. The 5 most active ransomware groups – The most active ransomware group this year was Lockbit, followed by other ransomware groups that hit a few headlines such as Conti, Pysa, REvil and Vice Society.
5. The emergence of new ransomware groups – New ransomware groups are emerging on a weekly basis. Only over the past week, we have added a few new ransomware groups to our Cyber API, including Rook and 54bb47h (Sabbath), that join a list of sites of established ransomware groups such as RobinHood and Snatch.

With the rise of ransomware attacks, it is becoming increasingly important to monitor ransomware groups’ platforms as they continue to change, disappear and reopen on a regular basis.