Intel 471's Overview of Ransomware Activity Through Q3 2022
Nov 04, 2022
Ransomware, malicious software that blocks access to computer systems and/or specific data until a ransom is paid, is a prominent threat to businesses in all sectors and regions. An underground yet professional industry of ransomware groups fuels these attacks on a global scale. Some groups conduct ransomware attacks themselves, targeting and extorting victims directly. Others operate ransomware-as-a-service (RaaS) models, in which ‘affiliates’ (the customers of the RaaS, who break into victims and deploy the payload) conduct their own attacks and extortion operations and pay the ransomware developers a ‘kickback’, a share of each ransom collected.
In Intel 471's Leading Ransomware Variants – Q3 2022 report, our analysts provide key observations and analysis based on hundreds of incidents. This blog offers insights into the ransomware landscape over the last four quarters. Additionally, we will offer thoughts on what we can expect in the future.
Key ransomware observations and trends
Intel 471 observed 722, 489, 527 and 455 ransomware attacks during the fourth quarter of 2021 and the first, second and third quarters of 2022, respectively. The spike in the fourth quarter of 2021 may be attributed to the holiday season, when cybercriminal activity tends to increase. The first quarter’s decrease of 233 attacks likely stems from the Conti ransomware group leaks and Russia’s invasion of Ukraine. Since then, we have seen a slight oscillation in the overall number of ransomware attacks. The dip in the third quarter of 2022 may be attributed to the LockBit 3.0 builder leak, or simply to ransomware operators taking summer vacations; they are human after all.
From the fourth quarter of 2021 through the second quarter of 2022, LockBit 2.0 was the most prevalent ransomware variant, followed by Conti in the second position. Other active variants included ALPHV, PYSA, Hive and Black Basta. We observed a change in the third quarter of 2022 as LockBit 3.0 supplanted LockBit 2.0 as the most prevalent variant, an expected event as LockBit 3.0 became the primary variant used by the LockBit group. Conti dropped from top contention, likely due to the Conti ransomware group leaks.
The most-impacted sectors remained constant during the last four quarters. In descending order, they were consumer and industrial products, manufacturing, professional services and consulting, and real estate. The remaining sectors showed a slight change from the fourth quarter of 2021 to the first quarter of 2022 but have remained constant for the last three quarters. These were the public sector, technology, media and telecommunications, energy, resources and agriculture, financial services, life sciences and health care, nonprofit, and scientific research and development. This is not to say that ransomware groups only target, or seek to target, these industries and sectors. These groups are opportunistic in nature and will target any industry or sector; they have simply found the most opportunities with businesses operating within the industries and sectors listed above.
The most impacted regions, in descending order, during the previous four quarters were North America, Europe, and South America. Oceania, Africa and the Middle East followed though their relative positions changed each quarter.
LockBit 2.0 and LockBit 3.0 dominate the ransomware landscape
LockBit variants were the most prominent ransomware strains observed during the last four quarters. LockBit 2.0 accounted for 214, 191 and 183 attacks in the fourth quarter of 2021 and the first and second quarters of 2022, respectively. We also observed the LockBit 3.0 variant deployed in the second quarter of 2022. On June 27, 2022, the group announced version 3.0 of their ransomware, which included an updated data leak blog, a bug bounty program and new functionality in the ransomware itself. In the third quarter of 2022, we observed 192 attacks attributed to LockBit 3.0.
In September 2022, a disgruntled coder allegedly leaked the LockBit 3.0 ransomware builder via Twitter. The leaked builder lets anyone generate their own LockBit 3.0 payloads and use them as a foundation for other ransomware operations. Active discussions on underground cybercrime forums followed, with intense speculation about LockBit's future. One underground actor observed this was the "end of the LockBit era." However, the group claimed their operations were not impacted by the breach, likely to save face and preserve the group's reputation. The leak may decrease LockBit breaches in Q4 2022 as the group attempts to improve its overall operational security (OPSEC) and adapt its tactics, techniques and procedures (TTPs). But overall, LockBit 3.0 will likely be as impactful as version 2.0 until law enforcement.
Looking forward to ransomware's future
Ransomware attacks continue to cause vast amounts of damage and are considered a global threat to all organizations. In May 2022, ransomware variants accounted for the highest percentage of breach events tracked by Intel 471 yet, 80.5%. Furthermore, the number of businesses impacted by ransomware will likely increase due to its highly lucrative business model.
The end goal of any ransomware group is to make as much money as possible in the shortest amount of time while inflicting as much disruption as possible. Therefore, ransomware groups will likely evolve, create new variants, attack different sectors and adapt their TTPs to maximize profitability. However, they will also keep using well-established TTPs such as double extortion, in which the group encrypts the victim’s data and demands payment for a decryptor, having first exfiltrated copies of that data so it can expose or sell them if the victim refuses to pay.
Much like Whack-a-Mole, RaaS groups will surface, conduct attacks, be taken down or have their operations impacted by law enforcement agencies, and then go quiet only to resurface in the future. In addition, the instability within criminal organizations that Intel 471 has observed will contribute to groups fading, as we have observed with LockBit 3.0 and Conti. Meanwhile, other groups will likely surface to fill the void. The result is a constant battle between law enforcement agencies and both established and new ransomware affiliates.
But with economic instability predicted globally, coupled with the availability of RaaS, ransomware is here to stay. Therefore, enterprises and government entities must prepare accordingly by reviewing threat actors’ TTPs in order to mitigate them and lower the likelihood of compromise.
What can be done about it?
The best protection method is to use a CTI vendor or publicly available security advice to identify the TTPs employed by ransomware groups and track any changes they make, so that you can build your defenses around those specific TTPs. However, here is some general advice that we recommend:
- Ensure multi-factor authentication (MFA) solutions are in place
- Have a strong password policy in place that mandates frequent password updates and prevents the reuse of old or similar passwords
- Monitor for compromised access to your own organization or to third parties
- Monitor for insider threats
- Manage privileged accounts
- Conduct frequent security audits
- Provide phishing awareness training for all employees
- Do not prioritize productivity over security
Security often impacts productivity. However, by prioritizing productivity over security you create an opportunity for ransomware groups (or other threat actors) to exploit, leading to a far worse impact than a small loss of productivity.
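The second item in the list above, a policy that prevents reuse of old or similar passwords, is easy to state and surprisingly easy to get wrong. The following is an added example written for this page, not Intel 471's own code or guidance, showing one way to enforce it at password-change time. The policy values (MIN_LENGTH, HISTORY_DEPTH, SIMILARITY_THRESHOLD) and the record/state classes are assumptions for the illustration. The design point it demonstrates: exact reuse can be checked against a salted hash history, but "similar" can only be checked against the one old password that is available in plaintext at change time, the current one, because stored hashes cannot be compared for similarity.

```python
import difflib
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Policy knobs: assumed values for this example, not the blog's recommendations.
MIN_LENGTH = 14
HISTORY_DEPTH = 12          # previous hashes kept per user for the reuse check
SIMILARITY_THRESHOLD = 0.8  # SequenceMatcher ratio at or above which we reject
PBKDF2_ROUNDS = 100_000


@dataclass
class PasswordRecord:
    """A salted PBKDF2-HMAC-SHA256 digest; no plaintext is ever stored."""
    salt: bytes
    digest: bytes


@dataclass
class UserPasswordState:
    current: PasswordRecord
    history: List[PasswordRecord] = field(default_factory=list)  # newest first


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def new_record(password: str) -> PasswordRecord:
    salt = os.urandom(16)
    return PasswordRecord(salt, _hash(password, salt))


def matches(record: PasswordRecord, password: str) -> bool:
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(record.digest, _hash(password, record.salt))


def _normalise(password: str) -> str:
    # Drop case, digits and symbols so "Summer2022!" and "summer2023#" collapse together.
    return re.sub(r"[^a-z]", "", password.lower())


def too_similar(old: str, new: str) -> bool:
    """True if `new` is a trivial variation of `old` (the classic rotate-the-digit trick)."""
    if _normalise(old) and _normalise(old) == _normalise(new):
        return True
    ratio = difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= SIMILARITY_THRESHOLD


def validate_change(state: UserPasswordState, old_password: str, new_password: str) -> Optional[str]:
    """Return None if the change is acceptable, otherwise a human-readable rejection reason."""
    if not matches(state.current, old_password):
        return "current password incorrect"
    if len(new_password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    # Reuse is checked against stored hashes: no plaintext history is needed for this.
    for record in [state.current] + state.history:
        if matches(record, new_password):
            return "reuse of a previous password"
    # Similarity can only be judged against the plaintext we hold right now, the current
    # password supplied by the user; older passwords exist only as hashes.
    if too_similar(old_password, new_password):
        return "too similar to the current password"
    return None


def apply_change(state: UserPasswordState, old_password: str, new_password: str) -> None:
    reason = validate_change(state, old_password, new_password)
    if reason is not None:
        raise ValueError(f"password change rejected: {reason}")
    state.history.insert(0, state.current)
    del state.history[HISTORY_DEPTH:]          # keep the history bounded
    state.current = new_record(new_password)


if __name__ == "__main__":
    # Constructed sample run, not real credentials.
    user = UserPasswordState(current=new_record("Summer2022!Corp"))
    print(validate_change(user, "Summer2022!Corp", "Summer2023!Corp"))   # too similar
    apply_change(user, "Summer2022!Corp", "correct horse battery staple 9")
    print(validate_change(user, "correct horse battery staple 9", "Summer2022!Corp"))  # reuse
```

Note that the similarity check catches the seasonal rotation pattern ("Summer2022!" to "Summer2023!") that frequent mandatory updates tend to encourage, which is exactly the behaviour that gives attackers with an old credential dump a cheap guess at the new one.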