State of Ransomware 2022: First Half Review and Predictions

September 7, 2022

Ransomware has steadily evolved since its first iterations in 1989, becoming more of a threat year over year. In 2022, 33 years later, ransomware remains one of the top threats organizations face. Over the first half of 2022, ransomware groups created new ways to put pressure on organizations, targeted the already-stressed supply chain and disrupted hundreds of business operations, costing millions of dollars between ransom demands and recovery costs.

In this blog, we’ll cover the first half of 2022’s ransomware activity and trends, as well as mitigations and what we expect looking forward. It’s important to note that the numbers discussed throughout this blog include only the victims listed on data leak sites. It’s Almost Certain that the number of overall victims is significantly higher, as data leak sites don’t typically list those who pay a ransom within a certain timeframe.

LockBit and Ransomware as-a-Service

The first half of 2022 saw some interesting activities in the ransomware landscape. One of the top stories was the Conti ransomware group’s shutdown. Most well-known ransomware groups operate from Russia or the Commonwealth of Independent States (CIS), including Ukraine. The war between Russia and Ukraine not only affected the world, but also began to split the cybercriminal realm. The Conti ransomware gang took to their data leak site and announced their full support for Russia in the conflict. As a result, a security researcher from Ukraine leaked Conti’s internal communications, including more than 60,000 messages. These messages revealed the group’s leaders, how they handled ransom negotiations and the tools used during attacks.

Conti announced they were ending operations in May 2022. Although the reason for shutting down isn’t known, the timing indicates it’s Likely related to the leak of their chats, tools and internal information. The group continued to target victims until June 2022, most recently targeting the Costa Rican government. However, these attacks reportedly gave the group members enough time to move on to other groups.

The LockBit ransomware operators, on the other hand, remained neutral and announced they would not “engage in international conflicts.” Hint: Only one of these two groups is still operating. In an interesting turn of events, the Evil Corp threat group was linked to the LockBit ransomware operation as an affiliate. Mandiant tracked a threat group known as UNC2165 (who has been linked to Evil Corp) and observed the group deploying the LockBit ransomware variant. Evil Corp Likely made this move to avoid sanctions placed by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC). The threat group is reported to be behind prominent ransomware and malware campaigns including Dridex, BitPaymer and DoppelPaymer.

Using LockBit’s ransomware as-a-Service (RaaS) program also allowed Evil Corp to blend into a sea of affiliates, making it harder to identify them. Additionally, LockBit made headlines again when the group released their LockBit 3.0 version, which included new features, a bug bounty program and Zcash cryptocurrency payment options. The operators started a new data leak site that includes the ransom demands and allows other threat actors to purchase the stolen data. This demonstrates the continued evolution of the overall ransomware economy.

High-Profile Ransomware Victims

The Lapsu$ hacking group made waves in Q1 2022 by targeting high-profile victims such as Okta, Netflix and Microsoft. The group claimed to have exfiltrated data from victims and maintained a Telegram channel where the data was publicly advertised. Lapsu$ claimed to use ransomware in the early attacks; however, no evidence was found that the group used encrypting malware. The group was found using stolen credentials and social engineering techniques to gain access to victim networks. In March 2022, a group of young adults, aged between 16 and 21, were arrested in relation to the breaches.

In Q2 2022, we observed ransomware groups including Hive and Alphv (aka BlackCat) writing ransomware code in cross-platform programming languages like Python, Rust and Golang. Using cross platform languages allows the malware to run on different combinations of operating systems and architectures, making it more difficult for security researchers to reverse engineer and release decryptors.

Ransomware Activity by Variant

In the first half of 2022, 1,246 organizations were listed as victims on ransomware data leak sites, which represents an increase of over 20% compared to the first half of 2021. When comparing the first half of 2021 to the first half of 2022, LockBit had the largest increase in activity, from 2 in 2021, to 452 in 2022, a 22,500% increase. SunCrypt (650%) and Vice Society (500%) had the next largest increases from 2021 to 2022. Likewise, REvil (-95%), RansomEXX (-54%) and LV (-49%) had the largest decreases. REvil’s decrease in victims is Likely related to their shutdown that occurred in 2021 through a joint international law enforcement effort. However, after the U.S. placed sanctions on Russia following the invasion of Ukraine, Russian president Vladmir Putin stated that the U.S. had withdrawn from the negotiation process regarding the REvil gang and closed communications channels. REvil’s infrastructure was then brought back online, and the group began to target organizations again. The graph below shows the number of listed victims per variant for the first half of 2022.

Image

Figure 1: Ransomware activity January 01 - June 30, 2022

Geographic Numbers

North America saw the highest number of victims listed on ransomware data leak sites, accounting for 571 victims in the first half of the year, an 8.5% decrease compared to the first half of 2021. The United States accounted for 87% of all victims in North America, accounting for 495 of the 571 victims, a 9.5% decrease. Percentage wise, Africa saw the largest increase in victims from 2021 to 2022, from 7 to 19, representing a 171% increase. Other increases include Asia (100%), Europe (57%), and South America (45%).

Image

Figure 3: Victims by geography January 01 - June 30, 2021, compared to January 01 - June 30, 2022

Ransomware Targets by Vertical

Industrials was the highest targeted vertical, which is in line with the previous 24 months findings. Industrials includes organizations in the Manufacturing, Construction & Engineering, Transportation and Industrial services. These organizations are often targeted due to the inability to suffer significant downtimes, the amount of sensitive information on clients and partners and the greater likelihood of a ransom payout. From 2021 to 2022, every vertical saw an increase in the number of victims. Below is a graph breaking down the number of victims by vertical during the first half of each year.

Image

Figure 2: Victims by vertical January 01 - June 30, 2021, compared to January 01 - June 30, 2022

Consumer Cyclicals saw the largest percentage increase from 2021 to 2022, with an increase of 125% (33 incidents to 66). Consumer Cyclicals includes organizations in Retail, Automobiles & Parts, Consumer Products, Travel & Leisure and Media. Retail had the second largest increase of 86%, which contributed to the increase of Consumer Cyclicals. Government victims increased 79%, which is Likely due to the political nature of many ransomware attacks seen in 2022. Additionally, many smaller governments lack the resources or funding to deter attacks from ransomware groups and are more Likely to fall victim to one.

Finally, Health Care victims increased by 59%. Health Care is an attractive target for ransomware operators due to the critical nature of the organization. Facilities cannot afford to have significant downtime and delay the care of individuals. Additionally, the organizations in this vertical hold sensitive and personal information of patients. What’s more, the additional pressure of COVID-19 on Health Care organizations only increases the chances of a ransom payment.

Predictions

As we’ve observed over the previous 24 months, ransomware attacks are Likely to continue to increase over the next six months. When ransomware groups adopted the double extortion method in 2019-2020, they began operating in a business-like model. Trust was a core value of the groups; pay the ransom and get the decryption key. Using this business model is what kept the ransom operators paid. However, by 2022, ransomware groups have shown they have little regard for building trust or a reputation. Groups come and go, rebrand, affiliates have little regard for the type of organization they target, and many don’t follow the rules established by the earlier ransomware groups. Additionally, affiliate member and developers have reported to be involved with multiple ransomware strains and campaigns, thus undermining the attribution. According to the Sophos State of Ransomware 2022 report, nearly 92% of organizations in 2021 that paid the ransom fail to recover nearly half of their data, compared to 2020 when 95% of ransom-paying organizations got all their data back. These numbers indicate that ransomware groups have shifted away from a business-like model and switched to simply causing disruption and chaos.

Conti ransomware closing operations had a significant effect on the number of ransomware incidents in the first half of 2022, with a 23% decrease in victims compared to the first half of 2021. This will Likely continue to have a rippling effect through the second half of the year. However, as we’ve seen with previous groups, the group name may be gone, but its affiliates have been observed partnering with other groups to continue their activity. This renders post-incident attribution less valuable and emphasizes the need to focus on proactive and risk-based intelligence and defensive measures. There is an Even Chance that other ransomware groups may increase their number of attacks as Conti affiliates move on. Additionally, with the release of LockBit 3.0, the gTIC assesses with High Confidence that the LockBit group will remain the top ransomware group throughout the second half of 2022. As the group implements new extortion techniques, it’s Likely they’ll begin setting trends for other groups to follow in the ransomware landscape throughout 2022 and beyond.

Ransomware groups have historically used phishing to gain Initial Access to victim’s networks and use global events to lure victims into interacting with the email. This technique will Likely remain a top intrusion vector throughout 2022. As uncertain times continue – remote working, the Russia/Ukraine war, economic instability, etc. – ransomware groups will use them to exploit the fear and curiosity of employees and lure them in.

The gTIC assesses with High Confidence that ransomware is Likely going to remain a prevalent threat over the next 12 months. Despite high-profile ransomware incidents and government and law enforcement attention on ransomware operations, there’s currently little motive for ransomware operations to cease. Ransomware operators have continued to operate and adapt throughout 2021-2022 and are continuing to build infrastructure and capabilities around themselves as a one-stop shop, with less reliance on marketplaces and forums in the coming year. Critical verticals – Health Care, Energy, Industrial Services, Government - are Likely to remain an attractive opportunity for ransomware operators due to the high-value information, inability to have significant downtime and likelihood of a ransom payment.

Additionally, if extortion payments continue to be made and attackers continue to profit, targeted ransomware attacks will Very Likely continue over the next 12 months. Finally, more ransomware groups are Likely to emerge as rebranding and fly-by-night operations increase and relationships between affiliates and developers change. The double-extortion method will Very Likely remain the primary procedure across the ransomware threat landscape. It’s Likely that ransomware operators will increasingly partner with Initial Access Brokers to gain Initial Access and use Remote Access markets, which are automated stores that allow threat actors to sell and exchange access credentials. These roles and markets play an essential role in the ransomware landscape, as they allow quick access to victim environments.

Mitigations

Optiv gTIC makes the following recommendations on mitigation for the threats highlighted in this report: