Report

Q3 2021 Crimeware Report: For Every Action, There Is an Equal and Opposite Reaction

From Q2 to Q3 2021, ransomware gained increasing attention. The government labeled it a national security threat and bolstered efforts to topple top targets, such as REvil/Sodinokibi. The heightened government focus on this group — known for the far-reaching supply chain attack against Kaseya — likely led to law enforcement action, the disappearance of the group’s spokesperson “Unkn”, the re-appearance of the developers, further enforcement action, and the group’s final shutdown.

Unfortunately, REvil/Sodinokibi was not the only highly active group this quarter. While REvil/Sodinokibi may have stolen the major media headlines with its massive ransom demands and disappearing acts, Conti exploded onto the scene in Q3 2021 with a consistent cadence of attacks. The media attention Conti did receive did not stem from increasing ransom demands — those remained relatively steady — but rather from disgruntled affiliates leaking sensitive operational details, including the tactics, techniques, and procedures (TTPs) used by Conti ransomware partners. Most recently, in mid-October, Conti released a statement accusing the United States of “bandit mugging” and comparing U.S. law enforcement’s efforts to target groups like REvil/Sodinokibi to U.S. military action in Afghanistan and Iraq.

In Q3 2021, threat actors also continued mass exploitation of vulnerabilities in systems, including those in Microsoft Exchange.