State of Ransomware: 2022 in Review

February 1, 2023

As 2022 came to a close, ransomware continued to make headlines and target organizations worldwide. Ransomware groups found new and innovative ways to conduct attacks, update their tooling, and disrupt hundreds of business operations—costing millions of dollars between ransom demands and recovery costs. In this blog, we will cover 2022 ransomware activities and trends, mitigations, and what we expect looking into 2023. It is important to note that the numbers discussed through this blog include only victims that were listed on data leak sites. It is Almost Certain that the number of overall victims is significantly higher. This is because data leak sites do not typically list victims who pay a ransom within a certain time frame, and there are several ransomware variants that do not maintain data leak sites.

Headlines

This year we saw some perplexing activities in the ransomware landscape, from Conti shutting down operations in May to the LockBit 3.0 builder leak in September. Conti announced they were shutting down operations in May 2022. Although the reason for the shutdown remains unknown, the timing indicates it was Likely related to the leak of their chats, tools, and internal information. The leak occurred just after the group announced their allegiance to Russia at the start of the Russia-Ukraine war. Shortly after the shutdown, ransomware groups Play and Royal (aka Zeon) were linked to previous Conti operators that had split into two different groups.

September 2022 was an eventful month for data leaks and ransomware attacks. Two different users (or possibly the same user under two different usernames) leaked the LockBit 3.0 builder on Twitter. The first user, “Ali Qushji,” claimed to have hacked LockBit’s servers and found the builder for the LockBit 3.0 ransomware encryptor. Another user, “VX-Underground,” shared that they were contacted by a user named “protonleaks,” who also shared a copy of the builder. However, according to "LockBitSupp,” the public representative of the LockBit operation, the servers were not hacked. Instead, the representative stated that the leak stemmed from a disgruntled developer who was upset with LockBit leadership. At the time of writing, the LockBit group is still functioning and remains the most active group. This leak Likely forced the group to make changes to their builder and functions and allowed other ransomware groups, such as “Bl00dy,” to use the builder to start their own ransomware operation. Also in September 2022, the Alphv (aka BlackCat) ransomware group added a wiper to their toolset. The group was observed using the tool, ExMatter, which searched for specific file types, uploaded them to an attacker-controlled server, and then corrupted and destroyed the files. This would require the victim to purchase the data back, which would be the only way to recover the data.

The use of ransomware to encrypt files, steal data, and threaten to release the data has become a common strategy—causing the ransomware market to become saturated. By creating data-corruption and destructive capabilities, rather than encryption, Alphv can distinguish itself from other ransomware operations. While researchers often focus on weaknesses or other methods that can be used to build free decryptors for ransomware variants, data destruction would render any detection or mitigation strategies impossible—leaving ransomware payment as the victim’s only viable option. Lastly, eliminating the encryption process could speed up the attack process and lower development costs. Combined with payment being the only recovery method, the group would be more likely to make higher profits. At the time of this writing, the ExMatter data corruption feature appeared to be under development and has not been reported as an actively used attack method. Data deletion and corruption attacks are most often observed in ransomware attacks targeting cloud environments, such as AWS, where the attacker simply copies and then deletes the data. As more and more organizations shift to cloud environments, it is Likely that more ransomware groups will shift to this tactic in order to execute attacks faster and create a bigger impact.

Ransomware groups infamously attacked not only companies and individuals, but also national governments. In April 2022, Conti ransomware operators targeted the Costa Rican government; the group reportedly had access to the government networks from April 11-15 before exfiltrating 672GB of data. Using compromised credentials, the group gained access to Costa Rica’s Ministry of Finance via a VPN connection. The compromised credentials were purportedly obtained from malware installed on the initial device compromised on the victim network. There were more than 10 Cobalt Strike beacon sessions set up during the initial phases of the attack. Cobalt Strike is often used to deploy the ransomware payload. The use of 10 sessions Likely provides redundancy; in the event that one Cobalt Strike session is identified and stopped, there are more that can be used to deploy the payload—thus ensuring the success of an attack. Conti demanded $10 million for the ransom and then raised that to $20 million after the government refused to pay. On May 08, 2022, the Costa Rican President declared a national emergency as the attack spread to multiple government bodies. In May, Conti began shutting down operations and took the leak site down in June 2022.

In May 2022, the Hive ransomware group also targeted Costa Rica just a few weeks after the president declared an emergency due to the Conti attack. Hive was able to take down 800 of 1,500 Costa Rican government-run servers and 9,000 out of 40,000 user terminals. After the Conti group shut down, it reportedly partnered with multiple other ransomware operations, including Hive, AvosLocker, Alphv, BlackByte, and more. However, Hive and Conti are believed to have partnered as early as November 2021, when evidence showed that Hive was taking advantage of initial access vectors provided by Conti. Additionally, the same victims appeared on both Hive and Conti data leak sites. It is Likely that Hive picked up the Costa Rica attack as Conti shut down their operations.

One of the largest ransomware attacks that occurred in the second half of 2022 was the Vice Society attack on the Los Angeles Unified School District (LAUSD) in September. The Vice Society ransomware operations were first discovered in June 2021. The group has previously used third-party ransomware payloads such as HelloKitty, RedAlert, Quantum, and Zeppelin. Vice Society reportedly stole 500GB of data from LAUSD that included social security numbers and psychological exams of students. The ransomware attack affected 1,300 schools and more than 500,000 students. LAUSD is the second-largest school district in the country, and Vice Society was the most prevalent threat to the Education vertical in 2022 as reflected in gTIC tracking. LAUSD reported that the ransom demand would not be paid, and as a result Vice Society leaked the purported stolen data on their data leak site.

Rounding out the headlines, in November 2022, Rackspace Technologies was targeted in a Play ransomware attack that affected the company’s Hosted Exchange platform, which left tens of thousands of users without access to their emails. Play threat actors gained access to the Microsoft Exchange Server via a zero-day exploit against a server-side request forgery (SSRF) vulnerability, CVE-2022-40180 (CVSS Score 9.8). Security researchers with CrowdStrike identified how the Play ransomware group was employing a new technique that leveraged CVE-2022-40180 to trigger the next-stage ProxyNotShell RCE vulnerability, CVE-2022-41082 (CVSS Score 8.8). The new technique effectively bypassed previous ProxyNotShell mitigations. It is not known if Rackspace paid the ransom demand to the attackers.

Ransomware Activity by Variant

Throughout 2022, 2,716 organizations were listed as victims on ransomware data leak sites, which represents an increase of over 16% compared to 2021 (2,330 organizations). When comparing 2021 to 2022, LockBit was the most active ransomware group with 816 listed victims. LockBit’s named victims increased 97.1%, an increase of 402 victims (414 in 2021). Alphv (2180%), Quantum (544.4%), and Vice Society (248.4%) had the largest percentage increase in victims from 2021 to 2022. Likewise, REvil (-90.6%), Entropy (-90%), and Grief (-88.8%) had the largest percentage decreases. Conti observed the largest decrease in victims when compared to 2021, a decrease of -278 victims (177 in 2022; 455 in 2021). The decreases in victims are Likely related to the shutdown of these specific variants. However, it is Very Likely that the affiliates of these operations have shifted to other groups or created rebranded groups. The graph below shows the number of listed victims per variant for 2022.

Image

Figure 1: Ransomware activity from January 01-December 31, 2022

Geographic Numbers

North America saw the highest number of victims listed on ransomware data leak sites, accounting for 1,287 victims in 2022—a 1% decrease compared to 2021 (1,300 victims). The U.S. accounted for 86.3% (1,111) of all victims in North America, a 1.5% decrease compared to 2021 (1,141 victims). All other geographies saw an increase in victims. Africa saw the largest increase in victims from 2021 to 2022, from 25 to 46, representing an 84% increase. Other increases include Asia (50%), South America (44.7%), Europe (30.1%), and Oceania (18.3%).

Image

Figure 2: Victims by Geography from January 01-December 21, 2021, compared to January 01-December 21, 2022

Vertical Numbers

Industrials was the highest-targeted vertical, which is in line with the previous 24 months’ findings. The Industrials vertical includes organizations in the business sectors and industry groups of Manufacturing, Construction & Engineering, Transportation, and Industrial Services. These organizations are often targeted due to their inability to suffer significant downtimes, the types and amount of sensitive information on clients and partners, and the perceived increased chance of receiving a ransom payout. Industrials victims compromised 1,076 victims in 2022, compared to 977 in 2021—an increase of 10.1%.

Image

Figure 3: Victims by vertical from January 01-December 31, 2021, compared to January 01-December 31, 2022

Education saw the largest percentage increase from 2021 to 2022, with an increase of 91% (from 78 incidents to 149). Education institutions maintain sensitive information on staff, teachers, and students who are most often minors, which Likely makes the sensitive information more attractive to threat actors. Additionally, education institutions have students that bring their own devices, work in public spaces (i.e., coffee shops), and are Unlikely to be as security conscious. Therefore, these networks can often be more open and bigger—thus Likely considered easier to target. Vice Society targeted the most education institutions, with 38 listed victims, followed by LockBit, with 28 listed victims.

Telecommunications saw the next largest percentage increase from 2021 to 2022, with an increase of 48.3% (from 29 incidents to 43). Telecommunications organizations are Likely attractive targets for threat actors, as these organizations provide services that the public relies on, such as cell service and internet connection. These services, along with the amount of sensitive information stored by telecommunications organizations, make these organizations an attractive target. LockBit targeted the most telecommunications organizations, with 10 listed victims, followed by Hive, with 5 listed victims.

Government saw the third-largest increase from 2021 to 2022, with an increase of 41% (from 88 incidents to 129). Government agencies and organizations were Likely targeted more often due to the political nature of numerous ransomware attacks in 2022. Many smaller governments also do not have the resources or funding to deter attacks from ransomware operators and are more Likely to fall victim. Additionally, the targeting of Costa Rica’s government agencies by both Conti and Hive Likely contributed to the increase in listed victims in 2022. LockBit targeted government agencies and organizations the most, with 39 victims listed, followed by Vice Society, with 13 victims listed.

Decreases were observed in the Legal Services vertical (-19.7%), the Construction & Engineering vertical (-13.5%), and the Transportation vertical (-9.8%).

Looking Forward

As we have observed over the previous 24 months, ransomware attacks are Very Likely to continue to increase throughout 2023. When ransomware groups adopted the double extortion method in 2019-2020, they began operating in a business-like model. Trust was a core value of the groups, who essentially operated by the model of “pay the ransom and receive a working decryption key.” Using this model is what gave ransomware operators a reputation for being credible threat actors (as much as one can be); it kept the operators paid. However, throughout 2022, ransomware groups showed that they have little regard for building trust or a reputation. Groups come and go. Some rebrand. Affiliates switch from one group to the next, and many do not follow the same rules set by older ransomware groups. In 2020, 95% of organizations who paid the ransom received their data back. By 2021, 92% who paid got less than half of their data back. And by 2022, there are groups that simply wipe the data completely. These numbers indicate that ransomware groups have shifted away from a business-like model and have switched to a more chaotic methodology of simply causing disruption, destruction, and chaos by deploying wipers—a technique and model formerly employed by a handful of state-sponsored groups.

From events such as Conti’s shutdown, LockBit’s Leak, and the Russian-Ukraine war, to the formation of multiple new groups, new connections between groups, and the execution of similar tactics, it is evident that several key factors impacted ransomware victims throughout 2022. These factors render post-incident attribution less valuable and emphasize the need to focus on proactive, risk-based intelligence and defensive measures. There is an Even Chance that ransomware groups that are attributed to former Conti developers and affiliates will increase their attacks throughout 2023. Additionally, the gTIC assesses with High Confidence that the LockBit group will remain the top ransomware group throughout the first half of 2023, despite the leak of the LockBit 3.0 builder. It is Likely that the group will begin setting trends for other groups to follow in the ransomware landscape throughout 2023.

Ransomware groups have historically used phishing attacks to gain Initial Access to a victim’s network and use global events to lure victims into interacting with the email. This technique will Likely remain one of the top intrusion vectors throughout 2023. As uncertain times continue – remote working, the Russia-Ukraine war, economic instability, etc. – ransomware groups will use these events to exploit the fear and curiosity of employees to lure victims.

Researchers with Cyber Security Works reported a 466% growth in vulnerabilities (323) tied to ransomware groups from 2019 to 2022. The oldest vulnerability dates back to 2007, with many of them being more than two years old. This research supports Optiv’s gTIC’s previous assessment that ransomware groups will continue to scan for and target older vulnerabilities (2+ years) in ubiquitous software and services for Initial Access, Privilege Escalation, Defense Evasion, and Lateral Movement.

Optiv’s gTIC assesses with High Confidence that ransomware is Likely going to remain a prevalent threat over the next 12 months. Despite high-profile ransomware incidents and government and law enforcement attention on ransomware operations, there is currently little motive for ransomware operations to cease. Ransomware operators have continued to operate and adapt throughout 2021-2022. Our assessments suggest that they will Likely focus on continuing to build infrastructure and capabilities around themselves as a one-stop-shop, with less reliance on marketplaces and forums over the next 12 months. Optiv’s gTIC assesses with Moderate Confidence that APT groups will increase the use of ransomware as part of their campaigns over the next 12 months as a means to steal information and profit financially. Critical verticals – Health Care, Energy, Industrial Services, Government - are Likely to remain attractive opportunities for ransomware operators due to the high-value information, inability to have significant downtime, and likelihood of a ransom payment.

Additionally, if attackers continue to profit from extortion payments, then targeted ransomware attacks will Very Likely continue over the next 12 months. Finally, more ransomware groups are Likely to emerge, with an increase in rebranding and fly-by-night operations, as well as changed relationships between affiliates and developers. The double-extortion method will Very Likely remain the primary procedure across the ransomware threat landscape. It is Likely that ransomware operators will increasingly partner with Initial Access Brokers to gain Initial Access and use Remote Access markets, which are automated stores that allow threat actors to sell and exchange access credentials. These roles and markets play an essential role in the ransomware landscape, as they allow quick access to victim environments.