{
	"id": "100c34f1-1792-403d-9632-9bc28f56f27b",
	"created_at": "2026-04-10T03:20:15.894029Z",
	"updated_at": "2026-04-10T03:22:16.506345Z",
	"deleted_at": null,
	"sha1_hash": "9fa4422268b575d7b3e9624fd3d763ae8901769f",
	"title": "Big Game Hunting on the Rise Again According to eCrime Index",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1084232,
	"plain_text": "Big Game Hunting on the Rise Again According to eCrime Index\r\nBy CrowdStrike Intelligence Team\r\nArchived: 2026-04-10 03:04:43 UTC\r\nThis announcement is part of the Fal.Con 2021 CrowdStrike Cybersecurity Conference, Oct. 12-14. Register\r\nnow for free to learn all about our exciting new products, partnerships and latest intel! The eCrime ecosystem\r\nis an active and diverse economy of financially motivated threat actors engaging in a myriad of criminal activities\r\nto generate revenue. CrowdStrike Intelligence maintains the CrowdStrike eCrime Index (ECX) to provide a\r\ncomposite score for tracking changes to this ecosystem. The ECX is composed of several key observables\r\ncovering different aspects of criminal activity that are combined using a mathematical model. Since a CARBON\r\nSPIDER DarkSide affiliate infected Colonial Pipeline in May 2021, CrowdStrike Intelligence observed big game\r\nhunting (BGH) adversaries slow or cease their activity and change their tactics, techniques and procedures (TTPs),\r\nresulting in a downward trend in the ECX. However, in recent weeks, the ECX has mirrored a resurgence in BGH\r\nransomware data leaks and demonstrated an uptick in activity.\r\nSurge in Data Leaks\r\nIn the week prior to the Colonial Pipeline incident, BGH ransomware incidents that resulted in data leaks had\r\nreached an all-time high of 92. Following the incident, many ransomware families significantly reduced their\r\noperational tempo or ceased operations, likely in an attempt to avoid the increased scrutiny that ransomware\r\ncampaigns attracted. Figure 1 illustrates the ransomware data leak activity observed since the CARBON SPIDER\r\naffiliate Colonial Pipeline infection (highlighted in white).\r\nhttps://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/\r\nPage 1 of 4\n\nFigure 1. 
Number of BGH ransomware data leaks by week since the Colonial Pipeline incident\r\nThe reduction of incidents following the week beginning May 3, 2021, is likely attributed to a combination of\r\nfactors:\r\nIncreased scrutiny of ransomware threat actors\r\nBanning of forum activity related to ransomware operations\r\nThe reported retirement of adversaries, such as CIRCUS SPIDER (Netwalker) and RIDDLE SPIDER\r\n(Avaddon)\r\nThe disappearance of prolific threat actors, such as PINCHY SPIDER (REvil)\r\nDisruption within certain groups, such as the operators of Babuk Locker, who have split into multiple\r\ngroups and diversified their respective offerings\r\nHowever, in the past few weeks, CrowdStrike Intelligence has observed ransomware data leak incidents reach 90\r\n— representing the highest peak since the dip. This surge in data leaks is very likely due to the return of PINCHY\r\nSPIDER’s REvil ransomware as a service (RaaS), the increase in CARBON SPIDER’s BlackMatter RaaS activity,\r\nand the prolific operational tempo of LockBit RaaS, which is responsible for 220 data leaks since it returned in\r\nJuly 2021; the LockBit data leaks account for more than 36% of the leaks since their huge resurgence.\r\nCrowdStrike Intelligence has also observed forum activity from or associated with BGH actors continuing, despite\r\nrestrictions put in place by admins in July 2021. 
Some notable topics observed include:\r\nRaaS projects and other posts related to ransomware partnerships continue to be posted and advertised in\r\nforums.\r\nGroups such as LockBit have recently advertised they were looking for penetration testers for “red team\r\noperations” in a style of language designed to mirror that found in legitimate cybersecurity job postings.\r\nSeparately, other actors have resorted to advertising ransomware partnerships on RAMP — a forum\r\npurportedly established by Babuk Locker operators specifically for ransomware-related chatter.\r\nECX Reflections\r\nWhile the ECX models a wide range of data points within the eCrime marketplace, it is clear that a recent surge in\r\ndata leaks is reflected in the ECX. Also having a significant impact on the ECX is the number of high ransom\r\ndemands. For example, PINCHY SPIDER REvil affiliates have been observed issuing a ransom demand of $80\r\nmillion USD, and CARBON SPIDER’s BlackMatter affiliates have been observed demanding as much as $60\r\nmillion USD in the past weeks. The combination of these factors has resulted in a significant increase in the ECX\r\n(Figure 2).\r\nFigure 2. ECX values by week since the Colonial Pipeline incident\r\nOutlook\r\nAttempts by the Biden administration to put political pressure on the Russian government to assist in clamping\r\ndown on BGH actors do not appear to have borne fruit. Although some groups have stated they will avoid\r\ntargeting certain sectors, these pledges have proven to be rather limited. Despite increased law enforcement\r\nattention following a REvil attack on the U.S.-based food processing company JBS in May 2021, some BGH\r\nactors remain willing to continue targeting major and possibly critical companies. For example, on Sept. 
18, 2021,\r\na BlackMatter operator attempted to ransom a North American agricultural cooperative for more than $11 million\r\nUSD despite this business being clearly identified as critical infrastructure by the U.S. Department of Homeland\r\nSecurity. The CrowdStrike Intelligence ECX is mathematically calculated using multiple tracked observables.\r\nOver the past few weeks, the increase of ransomware data leaks — and a consistent number of high ransom\r\ndemands — has resulted in a substantial upward trend, which is likely to continue in the short term. This\r\nassessment is made with moderate confidence based on BGH actors continuing to return to their prior\r\noperational tempo, as well as new and existing ransomware operators emerging and maturing. The ECX remains a\r\nvaluable tool used to identify significant events affecting the eCrime ecosystem. The ECX provides an easily\r\nreferenced index to mark areas of disruption or change in the eCrime ecosystem in real time. 
Monitor the ECX\r\nregularly in the CrowdStrike Adversary Universe to make sure you stay up-to-date on eCrime trends.\r\nAdditional Resources\r\nLearn how CrowdStrike Falcon® Intelligence Recon™ mitigates digital risk from the deep, dark web and\r\nbeyond.\r\nRead about BGH adversaries tracked by CrowdStrike Intelligence in 2020 in the CrowdStrike 2021 Global\r\nThreat Report.\r\nTo find out how to incorporate intelligence on threat actors into your security strategy, visit the\r\nCROWDSTRIKE FALCON® INTELLIGENCE™ Threat Intelligence page.\r\nLearn about the powerful, cloud-native CrowdStrike Falcon® platform by visiting the product webpage.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ and learn how true next-gen AV performs\r\nagainst today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/"
	],
	"report_names": [
		"big-game-hunting-on-the-rise-again-according-to-ecrime-index"
	],
	"threat_actors": [],
	"ts_created_at": 1775791215,
	"ts_updated_at": 1775791336,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9fa4422268b575d7b3e9624fd3d763ae8901769f.pdf",
		"text": "https://archive.orkl.eu/9fa4422268b575d7b3e9624fd3d763ae8901769f.txt",
		"img": "https://archive.orkl.eu/9fa4422268b575d7b3e9624fd3d763ae8901769f.jpg"
	}
}