There were signs of change in 2022 for ransomware. Those changes included fewer victims paying, increasing law enforcement pressure and clamp-downs on cryptocurrency exchanges. Nonetheless, ransomware will remain one of the most significant cyber threats for organizations this year. In this post, we’ll discuss some of the key trends around ransomware from last year with a view to forecasting what defenders may see this year.
Attack Levels and the Big Players
Gathering statistics on ransomware attacks is a far from perfect exercise for many reasons. Many ransomware attacks fly under the radar and never become public. Not all incidents trigger news coverage. Fear of embarrassment is a barrier to public disclosure. Organizations may not necessarily have a regulatory obligation to disclose. If there is a requirement, the incident may become part of aggregated and anonymized statistics later released by a government. While many nations have mandatory data breach reporting laws, the reporting of ransomware events specifically is often encouraged but not always a statutory requirement.
Our analysts track ransomware by examining claimed data breaches and trying to confirm their legitimacy. When a breach occurs, our analysts write a Breach Alert that appears in Intel 471’s Titan intelligence platform. Analysts also monitor the data leak sites of ransomware gangs and sources of technical data. As new intelligence emerges related to a breach, analysts may write a Spot Report, which is a more detailed look at a possible breach, including, but not limited to, specific actor involvement and current impact of the breach. With those data sources and reports, it’s possible for us to extrapolate some of the most active ransomware groups, which we’ve listed below.
LockBit: This ransomware-as-a-service (RaaS) group, known in part for its tattoo stunt, was one of the most impactful ransomware variants between January and June 2022. The group’s administrator, who is believed to use the “LockBitSupp” handle, announced an upgrade from version 2.0 to LockBit version 3.0, which included an updated data leak blog, a bug-bounty program and new functionality in the ransomware. LockBit’s success is based on several decisions and strategies that have allowed the group to remain ahead of competitors. This has included a strong focus on operational security (OPSEC) and continuous development of technical methods, extortion and negotiation techniques. The 2.0 version was used in 394 breaches, and LockBit 3.0 landed just behind it at 367 breaches.
ALPHV: Also known as ALPHV-ng and BlackCat, this ransomware group was first observed in December 2021. Several former DarkSide and REvil ransomware affiliates allegedly joined this RaaS, which likely contributed to the group’s numerous and impactful attacks throughout 2022, with 199 breach events.
Black Basta: The Black Basta ransomware variant was first seen in April 2022 but likely was active as early as mid-February 2022. We observed several similarities between the Black Basta and Conti ransomware groups’ data leak blogs, payment sites, recovery portals and victim negotiation methods, which led us to suspect a possible association between the two. The Black Basta RaaS quickly gained notoriety for high-profile attacks and was the third most impactful ransomware in 2022 with 165 total breach events. Factors likely contributing to Black Basta’s success included practicing a selective recruitment strategy, sourcing capabilities from the underground, leveraging alleged insiders at strategic organizations and seeking to exploit vulnerabilities in victim networks.
Trend: IABs Sell Access
Initial access brokers (IABs) continue to provide a funnel of fresh victims to ransomware gangs and their affiliates. IABs specialize in securing illicit access to an organization and then selling that access to other threat actors. For example, that may mean a sale of stolen login credentials or a sale of a web shell that has been uploaded to a victim organization. IABs are a critical part of the cybercrime economy, where different actors specialize in supplying goods or services to other actors, enabling crimes such as ransomware to achieve scale. Purchasing access from IABs significantly reduces the amount of time it takes ransomware operators to move ahead with an attack. With access already secured, ransomware perpetrators can move on to the next phase, such as performing reconnaissance of an organization’s network in preparation for deployment of an encryptor and exfiltrating key data.
We identified at least 68 instances in 2022 where a victim organization appeared to have been impacted by an IAB and, subsequently, a ransomware incident. The average time between an IAB listing and a ransomware incident in 2022 was 79 days, and the shortest period was 13 days. This is fairly consistent with a previous analysis we conducted looking at offers made in 2021 with a small selection of IABs. In that year, we found the average time between an offering and an attack was 71 days.
In one example, the CLOP RaaS affiliate program claimed in November 2022 to have compromised a U.S.-based full-stack development software provider. We had previously reported that two threat actors offered access to the same organization. In the same month, we observed the Hive RaaS group claim to have compromised a U.S.-based health care services provider; we had earlier observed a threat actor offering to sell compromised network access credentials for that same provider. Lastly, another prolific IAB appeared to have supplied access to numerous ransomware groups, including Conti, Hive, LockBit 2.0, LV, PYSA, RansomEXX and ViceSociety.
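The lead-time figures above (an average of 79 days, a minimum of 13) come from pairing an IAB listing with a later ransomware claim against the same victim. The script below is an added example of that pairing, not Intel 471's own tooling or data: it normalizes victim names so that "Globex Corp" and "Globex Corporation" match, takes the most recent listing that precedes the claim as the access most likely purchased (an assumption, noted in the code), discards listings that post-date the claim, and summarizes the resulting lead times. The listings and leak-site claims embedded in it are constructed.

```python
"""Correlate initial access broker (IAB) listings with later ransomware
claims for the same victim and compute the lead time between them.

Added example; all data below is constructed, not Intel 471 data.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional
import re

# Corporate suffixes that commonly differ between an IAB listing and a
# leak-site post naming the same victim.
_SUFFIXES = {"inc", "llc", "ltd", "corp", "corporation", "co", "plc", "gmbh", "sa"}


@dataclass(frozen=True)
class IABListing:
    victim: str
    listed: date
    access: str  # what was offered: "RDP", "VPN creds", "web shell", ...


@dataclass(frozen=True)
class RansomwareEvent:
    victim: str
    claimed: date  # date the victim appeared on a leak site / in a Breach Alert
    group: str


@dataclass(frozen=True)
class Match:
    victim: str
    group: str
    listing: IABListing
    lead_days: int


def normalize_victim(name: str) -> str:
    """Lowercase, strip punctuation and drop legal-form suffixes."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in _SUFFIXES)


def correlate(listings, events, max_lead_days: Optional[int] = None) -> list[Match]:
    """Pair each ransomware claim with the latest prior IAB listing for that victim.

    Assumption: the most recent listing before the claim is the access most
    likely bought; listings dated after the claim cannot have enabled it and
    are ignored. max_lead_days optionally drops pairings so far apart that
    the link is doubtful.
    """
    by_victim: dict[str, list[IABListing]] = {}
    for listing in listings:
        by_victim.setdefault(normalize_victim(listing.victim), []).append(listing)

    matches: list[Match] = []
    for ev in events:
        prior = [l for l in by_victim.get(normalize_victim(ev.victim), [])
                 if l.listed <= ev.claimed]
        if not prior:
            continue
        listing = max(prior, key=lambda l: l.listed)
        lead = (ev.claimed - listing.listed).days
        if max_lead_days is not None and lead > max_lead_days:
            continue
        matches.append(Match(ev.victim, ev.group, listing, lead))
    return matches


def summarize(matches) -> dict:
    """Count, mean, min and max lead time in days (None values if no matches)."""
    if not matches:
        return {"count": 0, "mean_days": None, "min_days": None, "max_days": None}
    leads = [m.lead_days for m in matches]
    return {"count": len(leads), "mean_days": round(mean(leads), 1),
            "min_days": min(leads), "max_days": max(leads)}


# Constructed sample data: hypothetical victims, listings and claims.
IAB_LISTINGS = [
    IABListing("Acme Widgets Inc.", date(2022, 3, 1), "RDP"),
    IABListing("Acme Widgets", date(2022, 4, 15), "VPN creds"),   # re-listed later
    IABListing("Globex Corp", date(2022, 6, 10), "web shell"),
    IABListing("Initech LLC", date(2022, 9, 1), "domain admin"),
    IABListing("Umbrella Ltd", date(2022, 11, 20), "Citrix"),     # after the claim
]
RANSOMWARE_EVENTS = [
    RansomwareEvent("ACME WIDGETS INC", date(2022, 5, 1), "LockBit 3.0"),
    RansomwareEvent("Globex Corporation", date(2022, 8, 28), "Hive"),
    RansomwareEvent("Initech", date(2022, 9, 14), "ALPHV"),
    RansomwareEvent("Umbrella Ltd", date(2022, 11, 1), "Black Basta"),  # no prior listing
    RansomwareEvent("Wayne Enterprises", date(2022, 7, 1), "BlackCat"),  # never listed
]

if __name__ == "__main__":
    found = correlate(IAB_LISTINGS, RANSOMWARE_EVENTS)
    for m in found:
        print(f"{m.victim:20} {m.group:12} listed {m.listing.listed} "
              f"({m.listing.access}) -> claimed {m.lead_days} days later")
    print(summarize(found))
```

On the constructed data this pairs three of the five claims and reports a 13-day minimum, a 79-day maximum and a 36-day mean; the Umbrella claim is left unpaired because its only listing post-dates the claim. The choice of "latest prior listing" is deliberate: picking the earliest listing would inflate lead times whenever access to a victim is re-sold, and a maximum lead-time cutoff is the knob for deciding when a listing is too old to be credited with the intrusion.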
OPSEC: A Higher Priority
Legitimate businesses want to maintain business continuity, and ransomware groups are no different. Part of maintaining continuity for ransomware groups is a high standard of OPSEC: measures intended to thwart identification or disruption of ongoing activity. As the scale of ransomware has grown, so have the law enforcement and intelligence agency resources dedicated to countering it. Ironically, like their victims, ransomware groups make mistakes when setting up servers and infrastructure and even when masking their real-life identities. Their operations have been vulnerable to intrusions, takeovers and monitoring.
We saw this play out when the FBI announced it had obtained a universal decryption key for the victims of a REvil affiliate’s attack against managed service providers in 2021. We saw it with the leak in February 2022 of two years of chat logs and other documents related to the Conti ransomware gang. Most recently, it occurred with the disruption of the Hive ransomware group, where law enforcement was inside the group’s systems and quietly taking decryption keys for about seven months. As a result, ransomware groups have become increasingly aware of their vulnerability and we’ve observed them developing and advocating a variety of OPSEC measures to maintain business continuity.
The LockBit group’s dominance in ransomware can be attributed to its awareness of OPSEC. The release of LockBit 3.0 in June 2022 featured a range of updates likely aimed at improving the group’s internal security. This included upfront deposits from all new affiliates. The deposit was likely intended to prevent competitors, cyber threat intelligence (CTI) researchers, law enforcement agents and journalists from infiltrating the group and leaking sensitive information. In another OPSEC-related development, LockBit launched a bug-bounty program that promised payouts of up to US $1 million for the discovery of vulnerabilities in the group’s malware, victim shaming sites, Tor network and messaging service. However, even these increased OPSEC measures didn’t prevent one of their own developers from leaking the LockBit 3.0 builder to GitHub.
With the rise and fall of ransomware variants over the years, we continue to observe the complexity and interconnected nature of the ransomware operator, affiliate and variant environment. As we predicted last year, our understanding of the relationships between groups, partnerships or individual actors behind each ransomware service continues to build as we see additional changes in the management of existing programs and development or rebranding of “new” services.
Our view into the underground marketplace provides the ability to observe the interconnectedness of different ransomware groups, variants and affiliates over time. Although not always verified or fully corroborated at the time of this report, we have assessed the likelihood of several connections, associations and spinoffs. An example of one of these types of evolutions can be seen with the Ryuk, Conti and Black Basta groups. The Conti and Ryuk ransomware strains generally were attributed to the same hacking group, and Ryuk likely was a predecessor to the Conti strain. One of our assessments was that Ryuk ransomware operators initially joined the Conti team as a stand-alone group in order to use the TrickBot banking trojan to distribute Ryuk ransomware. The two groups apparently merged at some point. We later reported on the possibility that the Black Basta group might be affiliated with the Conti ransomware gang. The attribution was based on some visual and structural similarities with the victim shaming blogs and recovery portals and a similar way of communicating with victims. However, Conti group members publicly deny any connection with Black Basta.
The most profitable and prominent ransomware groups – think GandCrab, Ryuk, REvil, Conti – have generally lasted about two years. The catalyst for a rebrand or shut down of a ransomware group has typically been increased public attention, law enforcement pressure and internal disputes within the gangs. LockBit 3.0 remains the most prominent player now and will likely preserve its prominence for a while longer. The longer it remains on top, however, the more attention will be paid to it, putting it at greater risk of law enforcement intervention or even internal forces. Shuffling the infrastructure now and again also helps with OPSEC, as we’ve noted in this report.
The changes in the ransomware scene we saw in 2022 may have an effect on smaller RaaS services. If the trend of falling ransom payments continues to hold, it may become harder for ransomware actors to succeed. Merely stealing data and threatening to release it may not prove to be a feasible alternative either. When data is encrypted, the organizations that do not have viable backups will need to buy decryption keys to remain operational. For organizations with good backups, there is little reason to pay when data was only stolen: the breach has already happened, and paying does not undo it. This is good. Fewer ransoms paid will have an impact, although we’d caution that the crime remains highly profitable. Many of the anti-ransomware action plans launched worldwide include measures to improve the baseline levels of cybersecurity across all industries, such as implementation of multifactor authentication (MFA), tidying up privileged access management, closing exposed external ports, faster patching of applications and more. Cybersecurity uplifts are long-term projects, and we don’t expect those efforts to have a drastic impact on the quantity of initial access offerings for sale this year. Over time, however, they will make it harder for ransomware actors to succeed. The long game must be played.