A 6 Month Review of the Ransomware Landscape

4 minute read

From May to October 2021, the ZeroFox Threat Intelligence team has observed the changing ransomware landscape with new, current, and evolved threats. As new threats emerged, current threats persisted or evolved to include novel capabilities and techniques. Among new threats included the discovery of Colossus ransomware by ZeroFox Threat Intelligence and new ransomware families based on old ransomware with a history of success. One of the most active ransomware groups since 2019, REvil was responsible for large-scale attacks on organizations around the world including the Kaseya supply chain attack. In this blog, we’ll outline some of the key findings from the latest Ransomware Landscape Report. 

Six-Month Ransomware Activity: New and Continued Threats

New Threats on the Ransomware Landscape

Between May and October 2021, new ransomware variants emerged on the threat landscape that involved novel, rebranded, and new ransomware based on existing variants. Three examples of prevalent ransomware from each group during this six-month time frame included LockBit 2.0, Colossus, and BlackMatter ransomware. All three variants are Ransomware-as-a-Service tools that use evolved ransomware extortion schemes.

Example of LockBit 2.0 ransom note
Figure 1. Example of LockBit 2.0 ransom note
Source: ZeroFox Threat Intelligence

Notable Past and Current Ransomware Landscape Threats

The six month time period discussed in the Ransomware Landscape Report notes a few ransomware groups that were either new to the scene in 2021 or continued their past efforts. One group, Babuk ransomware, was first discovered in early January 2021. In its early days, victim leaks and updates from the actors were posted on underground criminal forums before they launched a data leak website. After the first researchers began to publish their analysis of the ransomware, Babuk representative biba99 made a large post to Raid Forums to “express our great gratitude to all security researchers that they are studying our product…” The post then goes on to describe Babuk as “non malicious, specialized software, created with the purpose to show the security issues inside the corporate networks.”

Ransomware Landscape Report Graphic, Babuk page
Figure 2. Babuk “About Us” page on operators’ data leak website
Source: ZeroFox Threat Intelligence

Conti is another major ransomware-as-a-service (RaaS) group that has been active since mid-2020. An alert published by the Cyber Security & Infrastructure Agency (CISA) in September 2021 noted the group typically gains access to a network in several different ways. Spearphishing campaigns, which are more targeted phishing attacks, are often used with malicious attachments or links to execute scripts or download other malware to assist in the attack. Stolen credentials are also often used to gain access through services like Remote Desktop Protocol (RDP) that have been exposed directly to the Internet. 2021 saw many vulnerabilities used by ransomware groups as well. Conti was observed using the PrintNightmare (CVE-2021-34527) and Zerologon (CVE-2020-1472) vulnerabilities.

Repeat Ransomware Offenders

As ZeroFox Research observed earlier this year, an interesting trend seems to be emerging in the ransomware landscape. Some victims are being attacked multiple times. ZeroFox Research has uncovered three victims at the time that were compromised two or more times in the span of the same month.

As we asserted at the time, there has been an increase in ransomware actors revisiting the same victims on multiple occasions, and since that time that percentage of attacks has increased. Our belief at the time that the Grief Ransomware group was a rebranding of the DoppelPaymer threat group has since been confirmed.

Rebranding and derivative actions also continue to contribute to the scale of the number of actors returning to the well of earlier success with the emergence of actors like LockBit 2.0 rising from LockBit, BlackMatter showing ties to LockBit, REvil, and DarkSide, and Payload.bin and Babuk2.0 both deriving from the former Babuk team. But review of the activities of the new derivative and rebranded groups continue to follow the trend of attacking the same victims at a similar rate of the broad-view statistics for victims being attacked multiple times. 


Ransomware once more proves to be a persistent threat to businesses and individuals. Between May and October 2021, the ransomware landscape exhibited significant activity that demonstrates how threat actors quickly adapt to an evolving market. The emergence of new, updated, and rebranded families highlights how ransomware operators shift from one RaaS to another due to improved capabilities and lucrative opportunities. Meanwhile, as threats like Babuk discontinued operations, the Conti group continues to thrive and target any organization that falls victim to their attacks. Learn more about these and other top ransomware landscape trends, including international government response and cybercriminal network activity by downloading the full Ransomware Landscape Report

ransomware landscape report card
See ZeroFox in action