Ransomware activity stayed at steady levels throughout 2022’s fourth quarter (Q4 2022). Since we bid farewell to ever-present groups like Conti, the world of ransomware has remained a game of whack-a-mole: For every group that disappears, there are always several waiting in the shadows to replace it.

One major development was the use of ransomware in hacktivism’s resurgence during 2022. Hacktivism’s popularity has accompanied several geopolitical events but was largely inspired by the Russia–Ukraine war. The lines of threat-actor categories have become increasingly blurred, as when Russian hacktivists used ransomware against Ukrainian organizations. The hacktivists didn’t post any demands or host stolen data, but they did use malware that’s more commonly associated with cyber criminals.

The ReliaQuest Photon research team monitors ransomware groups daily, in addition to tracking major developments in the ransomware landscape. This blog focuses on ransomware activity in Q4 2022, based on primary and secondary source reporting. We’ll talk major ransomware trends and events, vulnerable sectors and regions, and what to expect in the first quarter of 2023.

In Q4 2022, we published 707 ransomware and data-extortion tippers. (Tipper is just a fun name for one of our Intel Updates about the naming of a victim on a data-leak site.) The 707 tippers mark a 6.5% increase from Q3 2022. They included 645 about ransomware activity, 43 about data-leak extortion, and 19 about activity that couldn’t be distinguished as either. In the yearly total, there were 2,549 ransomware tippers issued in 2022, compared to 2377 in 2021. That represented a 7.2% increase from the previous year.

Those numbers are largely in the ballpark of what we saw during the whole of 2022. The average tippers published per month from January to September 2022 was 273, with some significant divergence per month. October saw 218 tippers, November 289, and December 257—all pretty close to what we expected.

Number of tippers published over 2022, indicating number of ransomware victims

Number of tippers published over 2022, indicating number of ransomware victims

Unsurprisingly, the most commonly targeted countries and sectors stayed the same in Q4 2022. The table below shows the most targeted countries (and the number of tippers) for each of the five most-active ransomware data-leak sites.

Regional targeting of the most active data-leak sites of Q4 2022

Regional targeting of the most active data-leak sites of Q4 2022

The United States occupies the most-targeted position, based on three factors: the abundance of targets perceived to be based in the United States, previous targeting patterns, and attackers’ nationalistic motives. Industrial goods and services remained the most-targeted sector and looks set to continue that way, given its sensitivity to extended outages, in Q1 2023 and beyond.

Data-Leak Extortionists Are Here to Stay

Data-leak extortionists solely use data exfiltration to squeeze ransom payments from victims, whereas ransomware groups do that and more: stealing, encrypting and posting sensitive data (aka double extortion). The graph below shows the trends in overall data-leak extortion activity over Q4 2022, compared to the previous 12 months, by the number of tippers published.

Number of tippers reporting on non-ransomware data-leak extortion over 2022

Number of tippers reporting on non-ransomware data-leak extortion over 2022

We’re likely to see more and more data extortion groups over 2023. It’s a worthwhile pursuit because it’s effective: The regulatory and reputational risk attached to a data breach is often reason enough for a victim to pay a ransom. No company wants their breach to be publicized, potentially reaching the ears of partners, customers, or the wider business world and casting a shadow over their reputation.

Just stealing data is arguably a “quieter” way to extort a victim than wielding ransomware. Attackers can negotiate under the table, so to speak, without broadcasting the breach. They can also offer a “bargain” by setting the ransom at an amount less than that of a regulatory fine for a data breach. Look for this to become increasingly common, as insurance companies are under regulator pressure to stop facilitating ransom payments to cyber criminals.

LockBit Resilient After Law Enforcement Operation

One of the bold predictions I made at the tail end of 2022 was that LockBit would continue to lead the ransomware pack, unless law-enforcement agencies specifically targeted the group. As you can see in the graph below, LockBit continued to lap many of its competitors over Q4 2022, claiming by far the biggest share of ransomware activity.

Number of victims named on top 20 ransomware data-leak sites, Q4 2022

Number of victims named on top 20 ransomware data-leak sites, Q4 2022

So far so good on the predictions front? Well, not exactly. I may have overestimated LockBit’s resilience to law enforcement, given that a LockBit member was arrested after an operation in October. This followed a joint investigation by a whole host of interested parties: the French National Gendarmerie, Europol’s European Cybercrime Centre, the FBI, and the Canadian Royal Canadian Mounted Police. The arrestee, Mikhail Vasiliev, a 33-year-old Russian-Canadian, was caught in Ontario awaits extradition to the United States. He’s been described as “one of the world’s most prolific ransomware operators,” having run several high-profile operations and scooped up tens of millions of dollars in ransom.

LockBit didn’t stop, but two discernable—albeit temporary—setbacks emerged. In the graph below you can see a dip in the immediate aftermath of the arrest on 26 Oct 2022; potentially, this represents turmoil, or at least concern, among LockBit members fearing more arrests.

Number of victims named on LockBit data-leak site, Q4 2022

Number of victims named on LockBit data-leak site, Q4 2022

It’s interesting to note that 23 victims were named on LockBit’s data-leak site on 31 Oct 2022—all but 3 of the victims extorted that week. Did LockBit members intentionally hold back on naming names while feeling out how badly they had been compromised? Probably. Or they waited until their fears of follow-on operations were eased.

Another dip in activity followed the public disclosure of the arrest, on 10 Nov 2022: The weeks ending 20 and 27 Nov 2022 saw only 7 and 4 victims named, respectively. It is realistically possible that this may have been caused by a further loss of confidence amongst lower ranking members who had been kept in the dark about Vasiliev’s arrest. One final thing to note about the graph is the last dip, at the end of December. This was probably just a natural slowdown over Christmas and the end of the year. Criminals need time off, too.

After the arrest, LockBit’s administrators were characteristically bullish. One, “LockBitSupp,” claimed that Vasiliev had followed poor operational security practices. They cited his transfer of “dirty” Bitcoin from a ransom account to his personal account. LockBitSupp called it a shame, but added, “5 years [in prison] is not a long stretch, but a life lesson.” Cyber criminal forum users claimed that the arrest won’t impact LockBit’s operations in the long term; at the time of writing, this seems to be holding true.

Royal Ransomware’s Crowning Debut

One of the biggest surprises of Q4 2022 was the debut of the “Royal” ransomware group. It was only discovered on 03 Nov 2022 and has chalked up 73 victims on its data-leak sites. They’re the third most active ransomware group of Q4 2022. So who are they?

Royal actually emerged in January 2022 and initially conducted operations by spreading malicious attachments and advertisements. The group seems to use several forms of ransomware, and typically brand affected files with the “.Royal” extension. We also know that, as evident from their initial output, Royal’s operators appear to be highly experienced. Discussions have circulated about the “Zeon” encrypter that Royal used to target the U.S. healthcare industry; Zeon was also used by the now-defunct Conti group, which also used to go after healthcare providers.

Can you see where those facts are heading? Conti’s disappearance will likely bring several splinter groups snatching up their share of malicious activity. Now it seems entirely possible that Conti members are actively involved in Royal.

Service Accounts: A Pattern of Abuse

One technique seen frequently in Q4 2022 by ReliaQuest’s threat hunting team was using service accounts to move laterally and fulfil objectives. Service accounts are designed to perform specific tasks for services running on endpoints. Depending on the service and how the account is configured, the account can have various privilege levels.

Malicious actors know all this. And they know that the privilege level is typically higher than for a normal user account. So misusing a service account with lofty privileges opens up doors to move laterally within a system. This has been observed over and over in investigated ransomware intrusions; the breached service accounts almost always belong to a domain-administrator group.

The blog we linked to above has some great tips for how to harden your service accounts. We recommend starting there to minimize the risk linked to them.

What Comes Next

Q1 2023 looks poised to take off where Q4 2022 left off, except for a short lull around and after Russian Christmas (7 January). Ransomware will continue to pose the biggest cyber threat to business. Ransomware groups are raking in profits, turning over dozens of victims each week, and the “market” probably isn’t saturated yet.

Right now, there are probably more potential victims than existing ransomware groups can extort, leaving space for more groups to try their hand. And security downfalls will—we predict with regret—probably continue opening doors to ransomware groups and other cyber criminals.

Get a comprehensive look at the data that we used to build this blog with a free demonstration of GreyMatter.