Research | Our Q3 report details what's new in the world of ransomware.
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Find cyber threats that have evaded your defenses.
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Brands of the world trust ReliaQuest to achieve their security goals.
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
The latest threat research report from ReliaQuest Threat Research research team.
The latest white papers focused on security operations strategy, technology & insight.
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
November 30, 2023
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
Ransomware activity stayed at steady levels throughout 2022’s fourth quarter (Q4 2022). Since we bid farewell to ever-present groups like Conti, the world of ransomware has remained a game of whack-a-mole: For every group that disappears, there are always several waiting in the shadows to replace it.
One major development was the use of ransomware in hacktivism’s resurgence during 2022. Hacktivism’s popularity has accompanied several geopolitical events but was largely inspired by the Russia–Ukraine war. The lines of threat-actor categories have become increasingly blurred, as when Russian hacktivists used ransomware against Ukrainian organizations. The hacktivists didn’t post any demands or host stolen data, but they did use malware that’s more commonly associated with cyber criminals.
The ReliaQuest Photon research team monitors ransomware groups daily, in addition to tracking major developments in the ransomware landscape. This blog focuses on ransomware activity in Q4 2022, based on primary and secondary source reporting. We’ll talk major ransomware trends and events, vulnerable sectors and regions, and what to expect in the first quarter of 2023.
In Q4 2022, we published 707 ransomware and data-extortion tippers. (Tipper is just a fun name for one of our Intel Updates about the naming of a victim on a data-leak site.) The 707 tippers mark a 6.5% increase from Q3 2022. They included 645 about ransomware activity, 43 about data-leak extortion, and 19 about activity that couldn’t be distinguished as either. In the yearly total, there were 2,549 ransomware tippers issued in 2022, compared to 2377 in 2021. That represented a 7.2% increase from the previous year.
Those numbers are largely in the ballpark of what we saw during the whole of 2022. The average tippers published per month from January to September 2022 was 273, with some significant divergence per month. October saw 218 tippers, November 289, and December 257—all pretty close to what we expected.
Number of tippers published over 2022, indicating number of ransomware victims
Unsurprisingly, the most commonly targeted countries and sectors stayed the same in Q4 2022. The table below shows the most targeted countries (and the number of tippers) for each of the five most-active ransomware data-leak sites.
Regional targeting of the most active data-leak sites of Q4 2022
The United States occupies the most-targeted position, based on three factors: the abundance of targets perceived to be based in the United States, previous targeting patterns, and attackers’ nationalistic motives. Industrial goods and services remained the most-targeted sector and looks set to continue that way, given its sensitivity to extended outages, in Q1 2023 and beyond.
Data-leak extortionists solely use data exfiltration to squeeze ransom payments from victims, whereas ransomware groups do that and more: stealing, encrypting and posting sensitive data (aka double extortion). The graph below shows the trends in overall data-leak extortion activity over Q4 2022, compared to the previous 12 months, by the number of tippers published.
Number of tippers reporting on non-ransomware data-leak extortion over 2022
We’re likely to see more and more data extortion groups over 2023. It’s a worthwhile pursuit because it’s effective: The regulatory and reputational risk attached to a data breach is often reason enough for a victim to pay a ransom. No company wants their breach to be publicized, potentially reaching the ears of partners, customers, or the wider business world and casting a shadow over their reputation.
Just stealing data is arguably a “quieter” way to extort a victim than wielding ransomware. Attackers can negotiate under the table, so to speak, without broadcasting the breach. They can also offer a “bargain” by setting the ransom at an amount less than that of a regulatory fine for a data breach. Look for this to become increasingly common, as insurance companies are under regulator pressure to stop facilitating ransom payments to cyber criminals.
One of the bold predictions I made at the tail end of 2022 was that LockBit would continue to lead the ransomware pack, unless law-enforcement agencies specifically targeted the group. As you can see in the graph below, LockBit continued to lap many of its competitors over Q4 2022, claiming by far the biggest share of ransomware activity.
Number of victims named on top 20 ransomware data-leak sites, Q4 2022
So far so good on the predictions front? Well, not exactly. I may have overestimated LockBit’s resilience to law enforcement, given that a LockBit member was arrested after an operation in October. This followed a joint investigation by a whole host of interested parties: the French National Gendarmerie, Europol’s European Cybercrime Centre, the FBI, and the Canadian Royal Canadian Mounted Police. The arrestee, Mikhail Vasiliev, a 33-year-old Russian-Canadian, was caught in Ontario awaits extradition to the United States. He’s been described as “one of the world’s most prolific ransomware operators,” having run several high-profile operations and scooped up tens of millions of dollars in ransom.
LockBit didn’t stop, but two discernable—albeit temporary—setbacks emerged. In the graph below you can see a dip in the immediate aftermath of the arrest on 26 Oct 2022; potentially, this represents turmoil, or at least concern, among LockBit members fearing more arrests.
Number of victims named on LockBit data-leak site, Q4 2022
It’s interesting to note that 23 victims were named on LockBit’s data-leak site on 31 Oct 2022—all but 3 of the victims extorted that week. Did LockBit members intentionally hold back on naming names while feeling out how badly they had been compromised? Probably. Or they waited until their fears of follow-on operations were eased.
Another dip in activity followed the public disclosure of the arrest, on 10 Nov 2022: The weeks ending 20 and 27 Nov 2022 saw only 7 and 4 victims named, respectively. It is realistically possible that this may have been caused by a further loss of confidence amongst lower ranking members who had been kept in the dark about Vasiliev’s arrest. One final thing to note about the graph is the last dip, at the end of December. This was probably just a natural slowdown over Christmas and the end of the year. Criminals need time off, too.
After the arrest, LockBit’s administrators were characteristically bullish. One, “LockBitSupp,” claimed that Vasiliev had followed poor operational security practices. They cited his transfer of “dirty” Bitcoin from a ransom account to his personal account. LockBitSupp called it a shame, but added, “5 years [in prison] is not a long stretch, but a life lesson.” Cyber criminal forum users claimed that the arrest won’t impact LockBit’s operations in the long term; at the time of writing, this seems to be holding true.
One of the biggest surprises of Q4 2022 was the debut of the “Royal” ransomware group. It was only discovered on 03 Nov 2022 and has chalked up 73 victims on its data-leak sites. They’re the third most active ransomware group of Q4 2022. So who are they?
Royal actually emerged in January 2022 and initially conducted operations by spreading malicious attachments and advertisements. The group seems to use several forms of ransomware, and typically brand affected files with the “.Royal” extension. We also know that, as evident from their initial output, Royal’s operators appear to be highly experienced. Discussions have circulated about the “Zeon” encrypter that Royal used to target the U.S. healthcare industry; Zeon was also used by the now-defunct Conti group, which also used to go after healthcare providers.
Can you see where those facts are heading? Conti’s disappearance will likely bring several splinter groups snatching up their share of malicious activity. Now it seems entirely possible that Conti members are actively involved in Royal.
One technique seen frequently in Q4 2022 by ReliaQuest’s threat hunting team was using service accounts to move laterally and fulfil objectives. Service accounts are designed to perform specific tasks for services running on endpoints. Depending on the service and how the account is configured, the account can have various privilege levels.
Malicious actors know all this. And they know that the privilege level is typically higher than for a normal user account. So misusing a service account with lofty privileges opens up doors to move laterally within a system. This has been observed over and over in investigated ransomware intrusions; the breached service accounts almost always belong to a domain-administrator group.
The blog we linked to above has some great tips for how to harden your service accounts. We recommend starting there to minimize the risk linked to them.
Q1 2023 looks poised to take off where Q4 2022 left off, except for a short lull around and after Russian Christmas (7 January). Ransomware will continue to pose the biggest cyber threat to business. Ransomware groups are raking in profits, turning over dozens of victims each week, and the “market” probably isn’t saturated yet.
Right now, there are probably more potential victims than existing ransomware groups can extort, leaving space for more groups to try their hand. And security downfalls will—we predict with regret—probably continue opening doors to ransomware groups and other cyber criminals.
Get a comprehensive look at the data that we used to build this blog with a free demonstration of GreyMatter.