As 2021 progressed through its second quarter and into the third, cyber criminals introduced new—and updated—threats and tactics in campaigns targeting prominent sectors. Ransomware campaigns maintained their prevalence while evolving their business models to extract valuable data and millions in ransoms from enterprises big and small.
DarkSide’s highly publicized attack on Colonial Pipeline’s gas distribution dominated cybersecurity headlines in May. MVISION Insights quickly identified DarkSide’s early prevalence of targets within the United States, primarily Legal Services, Wholesale and Manufacturing, Oil, Gas, and Chemical sectors.
Shutting down a major U.S. gas supply chain grabbed the attention of public officials and Security Operations Centers but equally concerning were other ransomware groups operating similar affiliate models. Ryuk, REvil, Babuk, and Cuba ransomware actively deployed business models supporting others’ involvement to exploit common entry vectors and similar tools. These, and other groups and their affiliates, exploit common entry vectors and, in many cases, the tools we see being used to move within an environment are the same. Not long after DarkSide’s attack, the REvil gang stole the spotlight using a Sodinokibi payload in its ransomware attack on Kaseya, a global IT infrastructure provider. REvil/ Sodinokibi topped our list of ransomware detections in Q2 of 2021.