Ransomware activity decreased in the third quarter of 2022 (Q3 2022), as actors regrouped and refocused after a busy start to the year. Despite this, attacks on high-profile targets—as well as potentially politically motivated attacks—kept our eyes on ransomware this quarter. New tools and techniques emerged, while older tools resurfaced or were repurposed by ransomware groups.
The aftermath of key developments in the second quarter of 2022 was felt in Q3 2022. Although new groups rushed to fill the gap left by the “Conti” ransomware group, the “LockBit” ransomware group hit the Q3 top spot again, capturing its highest-ever market share in September 2022. The lines between financially and politically motivated ransomware actors also blurred in Q3 2022, with government entities and private companies suffering the consequences.
Digital Shadows (now ReliaQuest) conducts daily monitoring of ransomware groups. This blog is the latest edition of our quarterly assessments of ransomware activity, using primary and secondary source reporting. In this blog, we look at major ransomware events and trends, assess which sectors and regions need to beware, and make predictions about what to expect in the fourth quarter of 2022.
KEY TRENDS AND DEVELOPMENTS
Q3 2022 saw ransomware activity slow, with overall activity declining 10.5% from the previous quarter. This is likely due to major developments in Q2 2022, including the demise of the Conti ransomware group, and the launch of LockBit ransomware’s latest affiliate program, “LockBit 3.0”. August was a quieter month for most ransomware groups—except for LockBit—but activity steadily picked up again in September 2022, a possible sign of what’s to come in Q4 2022.
LockBit locks out the competition
Despite a relatively slow start to Q3 2022, LockBit remained by far the leader in the ransomware space. Although LockBit’s overall activity decreased from Q2 2022, its share of total activity increased: from 32.8% to 35.1% of all victims. In September 2022, LockBit achieved its highest monthly market share, accounting for over 40% of ransomware victims. Despite some skepticism about the quality of LockBit 3.0 from other threat actors, the program has unfortunately been effective at cementing LockBit’s success.
This success has not been without consequence. In August 2022, LockBit’s data-leak sites were taken offline multiple times after being hit by distributed denial-of-service (DDoS) attacks. The DDoS attacks followed LockBit’s breach of cyber-security company Entrust. LockBit’s public representative “LockBitSupp” accused the company of conducting the attacks in retaliation for the breach, although this is unconfirmed.
More likely, LockBit’s success is coming at a price: the group is increasingly inviting resentment from competing threat groups and possibly former members. LockBitSupp frequently—and infamously—gets into public spats with other ransomware representatives, including the representatives of Conti and “Alphv”. It is realistically possible that a rival group targeted LockBit under the guise of retaliation for the Entrust breach.
In mid-September 2022, a leaked LockBit 3.0 builder was posted on Twitter by a user claiming that their team managed to “hack several LockBit servers“. LockBit denies the claims: LockBitSupp alleged that the group was not hacked, instead blaming a disgruntled former developer for the leak. Regardless of the source, the builder appears to be legitimate, which will likely have consequences in Q4 2022 if other threat actors weaponize the builder for their purposes.
Filling the Conti gap
Reporting in Q2 2022 was dominated by the fall of the Conti ransomware group. Once the most prolific ransomware operator—until LockBit stole its crown last quarter—Conti officially closed shop with the shutdown of its servers in June 2022. In Q3 2022, we observed the after-effects, including competition over Conti’s market share and a surge in new ransomware groups.
With Conti out of the picture, three groups competed for its former position as the most dominant ransomware group after LockBit, but no clear winner emerged. “Black Basta” edged out the competition, accounting for 9% of all ransomware victims, while “Hive Leaks” and Alphv came in at 8% and 7%, respectively. Black Basta and Hive Leaks both have rumored links to Conti, but these are unconfirmed.
In Q3 2022, we observed the emergence of 12 new ransomware data-leak sites. Some are from new groups, while others belong to older groups that began conducting double extortion during the quarter. Double extortion is a technique where threat actors not only encrypt victim data for ransom but threaten to publish the data on data-leak sites if a ransom isn’t paid. Some of these, including “BianLian” and “Medusa Locker”, hit the ground running, immediately surpassing established ransomware groups like “BlackByte” in the number of victims named.
At the end of last quarter, we hypothesized that we would see a rush of new groups led by former Conti members. It is unclear if these new groups have direct leaks to Conti. However, whether these new groups have links to Conti or not, they were likely launched opportunistically to fill the market gap left by Conti.
And what of Conti itself? In Q3 2022, reports emerged alleging that former Conti members were targeting Ukraine. These reports allude to a growing trend of the intersection between political and financially motivated actors. While the Conti members’ targeting of Ukrainian hospitality organizations was likely financially motivated, the decision to target Ukrainian government entities was almost certainly influenced by the current Russia-Ukraine war.
Ransomware gets political
Distinguishing threat actors as politically or financially motivated is increasingly challenging. North Korea, for example, frequently fell into both camps in Q3 2022, continuing its tactic of using ransomware groups such as “HolyGhost” to avoid sanctions and overcome financing challenges brought by international sanctions.
The highly disruptive ransomware attacks on Montenegro and Albania in Q3 2022 are notable examples of the challenges of differentiating between political and criminal activity. In late August 2022, a ransomware attack shuttered Montenegro’s government systems and national services. Now attributed to “Cuba” ransomware, Montenegrin officials initially directly attributed the attacks to the Russian government, in part due to the extent of the disruption.
In Albania, Iranian state-affiliated groups targeted the country in a series of disruptive, retaliatory attacks on government systems beginning in July 2022. These attacks, which are attributed with high confidence to Iran’s Ministry of Intelligence and Security (MOIS), were almost certainly political. Notably, ransomware was a key tool in this campaign, deployed by the attackers to encrypt Albanian data. Ransomware is, therefore, not only the tool of cybercriminals but a potentially impactful political tool.
The real loser of this trend is the average citizen. Critical industries, including energy, healthcare, and manufacturing, were highly targeted by ransomware in Q3 2022. Unfortunately, whatever the motivation to target critical infrastructure, the consequences of disruptions to healthcare services, energy providers, or government services are the same—and may severely impact users.
Q3 2022 RANSOMWARE VICTIMS ANALYSIS
Digital Shadows (now ReliaQuest) monitors 97 ransomware and data-leak sites, of which 44 are active at the time of writing. Nearly all ransomware groups experienced decreased activity in Q3 2022. Hive Leaks (up 80.8%) and “AvosLocker” (up 50%) were exceptions, displaying notable upticks in activity. The following is an analysis of observed behavior and targeting patterns.
Ransomware vs. Extortion
An ongoing discussion we have had as a team this past quarter is whether to differentiate between ransomware and extortion-only groups. Both categories infiltrate victim networks, steal data, and threaten to leak the data if payment isn’t made. Critically, however, extortion-only groups do not encrypt stolen data and are unlikely to disrupt victim operations.
Ultimately, we elected to keep our data extortion numbers distinct from our ransomware statistics. We observed only 40 data extortion events this quarter: a decrease of 41.1% from Q2 2022. Together with the ransomware figures, these account for only 5.8% of all data leakage events.
There are also fewer data extortion than ransomware groups. Only 16.5% of the data-leak sites we monitor likely conduct solely data extortion. “Karakurt Hacking Team”—allegedly the data-extortion branch of Conti—is one of the most notable groups, the Ukraine-targeting “Free Civilian” is another. The lack of affiliate programs for data extortion may be one reason for this: while ransomware has a higher technical barrier to entry, affiliate programs allow less technically adept users to conduct attacks using premade tools.
Activity by sector
As in Q2 2022, the industrial goods and services sector was the most targeted by a wide margin—accounting for 20.8% of victims—followed by the technology (9.8%), construction and materials (9%), travel and leisure (7.1%), and healthcare (6.6%) sectors. Like the previous quarter, industries that provide critical services were most often targeted, possibly because critical industries are considered more likely to pay a ransom to avoid costly downtime.
For most sectors, the number of attacks decreased in Q3 2022. Although critical infrastructure sectors were key targets, the travel-and-leisure sector saw a notable increase in targeting. Activity targeting the industry increased by 33.3% from Q2 2022, the most significant jump of any sector. It is realistically possible that this correlates with increased travel post-COVID-19 pandemic and the summer holiday season. Targeting of the technology sector also rose by 4.9%. All other sectors saw a decrease in activity, in line with the general trend for the quarter.
Activity by country
The US was again the most targeted country in Q3 2022, accounting for 39.3% of all victims, more than the following nine countries combined. Europe accounted for the next five most targeted countries, including France (5.1%), Spain (4.8%), the UK (4.8%), Germany (4.5%), and Italy (4.3%). Western countries are often the most targeted by ransomware attacks—a trend likely to continue in coming quarters—due to the perception that entities from such countries can afford a ransom.
Nearly all countries experienced a decrease in ransomware activity this quarter, with activity targeting the US decreasing by 10.6%. Spain is a notable exception, with activity increasing by 66.7%, primarily due to targeting from the “Sparta Blog” group. France and Israel also saw greater targeting in Q3 2022 than the previous quarter.
Q4 2022 RANSOMWARE FORECAST
Past trends and developments in the Q3 2022 ransomware threat support this projection. In this final section, we examine developments that are most likely to impact the ransomware threat landscape, and include graphical projections for the coming quarter.
Q4 is historically a period of high ransomware and cyber-criminal activity. The festive shopping season—which includes major events such as Black Friday, Cyber Monday, Christmas, and Boxing Day—is often exploited by cybercriminals to distribute malware. Phishing scams normally abound, requiring caution from both companies and consumers. Ransomware activity is, therefore, likely to increase in Q4 2022, in line with previous trends.
The LockBit 3.0 builder leak is also likely to impact ransomware activity in Q4 2022. We have already witnessed cybercriminals discussing the leaked builder, including ways to re-engineer and exploit the tool, on criminal forums. Ransomware actors notoriously reuse leaked material. The “Babuk” ransomware source code leak is one example, with several new ransomware variants, including “Rook” and “Pandora”, based on the leak. Ransomware activity will likely increase if new ransomware variants based on the LockBit builder emerge.
Despite this leak, Lockbit is likely to remain the ransomware leader by a wide margin. But as the group’s activity increases and its market share grows, it is more likely to attract the concerted attention of rival threat actors, as well as law-enforcement bodies. It is realistically possible that the group will be subject to more countermeasures in Q4 2022.
Geopolitical events are also likely to continue to impact ransomware activity. Recent developments in the Russia-Ukraine war—including Russia’s annexation of several Ukrainian territories and the looming threat of a European energy crisis—are likely to continue to motivate ransomware actors to target government and critical infrastructure entities. Outside Europe, international support for the ongoing Iranian protests may lead the Iranian state to again conduct retaliatory ransomware attacks.
One takeaway from Q3 2022 is the complexity of the ransomware threat faced by organizations today. You can get a comprehensive look at the data that we used to build this blog with a free demo request of SearchLight here. Additionally, you can get a customized demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) to gain visibility of your organization’s threats and potential exposures, including access to a finished threat intelligence library with MITRE associations and mitigations from Photon Research.For further info—our previous blog article Tracking Ransomware Within SearchLight shows you how SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) tracks emerging variants, enables you to export and block associated malicious indicators in various formats, instantly analyze popular targets, and map to your security controls with ease.