Ransomware Landscape Q1 2022

Introduction

The first quarter of 2022 will be remembered as one of the most interesting quarters of the past years.

A historical war changed cyber warfare rules entirely, New lethal groups made their debuts, causing major damage. Conti Group Leaks and Lockbit2.0 taking over provided us with many insights and paved the way to a new era.

The number of campaigns this quarter shows that Lockbit2.0 is on top of the leaderboard with 268 successful campaigns, followed by Conti and Hiveleak with 98 and 77 successful campaigns respectively (Figure 1).

REvil Arrest

The first major event of 2022 was the REvil Arrest. While this major RaaS group had been dying for almost a year, on January 14, Russian law enforcement put the final nail in its coffin by arresting the last operators standing (Figure 3), in essence shutting down the team and the notorious REvil for good.

While some suggest that these efforts were motivated by of political interests between Russia and the US, it seems that this arrest did not slow the ransomware industry one bit, if at all, and instead, enabled other groups to thrive without REvil as a competitor.

Newcomers

2022 introduced us to new threat groups looking to become world-class threats.

While most threat groups take time to establish their reputation, some have already achieved great success, like Lapsus$, and some have brought something new to the table when it comes to the victims they target and the extortion methods they apply, such as DeadBolt.

DeadBolt – New Extorsion Method

On January 26 a new extortion method emerged courtesy of newcomer DeadBolt ransomware. DeadBolt made its debut discovering a zero-day in QNAP within its NAS devices.

Instead of using the zero-day to infiltrate the organization, DeadBolt encrypted QNAP’s customers’ devices, demanding $1,100 for each decryption key.

They also offered QNAP a full report on the vulnerability and how it can be patched for $185,000 or the zero-day vulnerability report plus a universal decryption master key for all of their clients for $1.85 million, all paid in Bitcoin.

The ransom note (Figure 4) was left on each encrypted device and a special message for QNAP contained all the details about the group’s demands.

DeadBolt is a unique figure in the ransomware landscape. It seems that each campaign focuses on a storage solution company while targeting that company’s clients and not its infrastructure, like most ransomware groups.

DeadBolt is active sporadically, but they are efficient and the fact that they made their debut with a zero-day vulnerability points to their level of expertise.

When it comes to the Russia-Ukraine conflict, no evidence was found that the group is taking part or siding with Russia or Ukraine.

LAPSUS$ – Rookie of The Year

Sometimes we encounter threat groups that we need to recover from, and sometimes we encounter threat groups that we have to learn from – Lapsus$ is the latter.

Lapsus$ will always be remembered as the group that caused the most damage in a minimal operation period.

The most valuable lesson we learned from this group is that we live in an era so vulnerable, that even the least talented can cause severe damage with the right opportunity and ambition.

Cyberint Research Team conducted thorough research on the group’s operations, victims, and more.

Level of Sophistication

Almost every “mainstream” threat group seems to be significantly more talented than Lapsus$, yet, by being responsible for major leaks at Nvidia, Samsung, Vodafone, Impersa, LG, and of course, Okta, Lapsus$ carved their name out as the most competent – and incompetent – group of all.

Most of their campaigns were based on insider threats and obtaining compromised credentials in underground forums and on the Darknet, while no evidence of recruiting vulnerability researchers, reverses, and top-of-the-line developers was found.

Once they gained employee credentials, a basic understanding of how to move and what to look for once they are inside the network was sufficient.

Hunting The Group

As the group gained popularity, it also drew the attention of the cyber security community and in the process of better understanding the group, some crucial details might have been compromised that affected the team’s activity.

Evidence shows a relationship between the Doxbin website and LAPSUS$. It seems that one of Doxbin’s former admins is currently one of LAPSUS$’s leaders after Doxbin database was leaked.

When looking at Doxbin leaks for the relevant account, we were able to find the information of a certain individual in his teenage years, based in London, UK, who is suspected of being the LAPSUS$ leader.

One day after the group’s announcement that it was “going on vacation” for a week (Figure 5), authorities announced they had arrested a 16-year-old Oxford teenage accused of being the leader of the LAPSUS$ gang, along with 6 other teenagers suspected as being part of the group.

The fact that the operators and leaders are teenagers or young adults is not surprising given the many patterns of behavior we’ve observed in the group.

As much as we would like it to be the incident that kills the team’s operation, it seems that currently, they are still operational as they leaked parts of a source code for Alphabet, Apple and Facebook via repositories they found on Globant, their new victim.

Russia – Ukraine Conflict

While we witness history in the making, the scale and complexity of the conflict are immeasurable.

This event is one of the most significant of this century so far, given that any civilian in the world can participate in this conflict just by having a browser and computing power. We witness the impacts of this phenomenon, from websites that break down, critical infrastructures being damaged, financial entities heavily DDoSed, and multiple data leakage events.

The First Cyber World War

When focusing on the cyber warfare aspect of the conflict, for first time in history, we see warfare that includes every type of cyber-personal, state-sponsored groups, ransomware groups, hacktivists, DDoS actors, script kiddies, and even volunteers who want to join the cause.

Since Russia made the first move, infiltrating Ukraine, we have witnessed massive attacks against several Ukrainian entities. While the first 48 hours were mainly comprised of Russian attacks, Ukraine-associated entities and other supporters worldwide did their best to compromise and take down Russian targets as well.

While Russia, as expected, used their heavy cannons, with major Russian threat groups such as Unit 74455 and others introducing new wipers into the battle, Ukraine, lacking major groups received help from many hacktivist groups such as Anonymous and Belarusian Cyber Partisans, along with volunteers worldwide who were provided with simple scripts and websites that initiated DDoS attacks on Russian strategic targets such as media, banks, government and energy websites and infrastructures.

Gang Wars On Tweeter – Utopia For Threat Actors

This war is the first in history where threat groups and threat actors have intervened. Almost every respectable family sided with either Russia or Ukraine.

As expected, the majority, around 60% of the threat groups, sided with Ukraine, but this war has motivated threat groups to not only operate against Russia or Ukraine, but also to operate against each other while stepping into the light to show the world who they really are. And what platform is better than Twitter to do exactly that?

While criminals usually tend to exploit war times to leverage the chaos for their own benefit, this time the agenda and politics took over this arena as well.

One of the most widespread stories about two gangs going at each other is CoomingProject and AgainstTheWest. While the former announced they would fully support Russia and initiate cyberattacks against its rivals (Figure 6), the latter, AgainstTheWest, which sided with Ukraine, was able to compromise the CoomingProject’s infrastructure and leaked all its members’ information to the authorities (Figure 7).

This is just one example, but since the beginning of this conflict, more and more threat groups and malware families, which usually communicated and built their names within the dark side of the internet with Onion pages, Darknet, Deepweb, or Telegram channels, came to the forefront by joining Twitter and talking freely about their actions and the part they are playing in the warfare.

Conti Leaks – One Bad Decision That Ruined Everything

Surely one of the rarest events and opportunities we have ever witnessed.

Conti had a massive impact on the cybersecurity world and stoked fear within every organization worldwide. It’s only natural for an organization of this scale to employ a variety of people from a variety of nationalities. Although it is true that the group mostly comprises people from the Russian region, it seems that some are also from Ukraine.

Once Conti’s senior management published the announcement about siding with Russia in the conflict (Figure 8), a chain of events unfolded that paved the way for Conti to end its operations or at least cause severe damage.

A few hours after the announcement, an alleged security researcher (presumably a former member of the team), who likely didn’t agree with Conti’s decision and had a strong connection to the Russian-Ukrainian conflict, decided to leak and expose every piece of information on Conti he could gather from the past two years.

The researcher opened a Twitter account (Figure 9) named @Contileaks and every couple of hours published new leaks regarding the group’s operations, chat history, training program, tools source code, guides, management guidelines, and of course, the source code of the Conti’s ransomware malware (Figure 10).

The leaked details revealed Conti’s day-to-day work processes, negotiations with victims, discussions about strategies, cooperation with Emotet and Trickbot, government arrangements, affiliate payments and recruits, some names, and very strong suggestions as to who the key members were and what Conti was really all about.

The Cyberint Research Team carefully examined the leaked files in order to draw the best possible picture about the massive organization that, by all standards, was one of the most successful organizations worldwide.

The Last Titan – Lockbit2.0

Even before Conti’s leaks, Lockbit started 2022 with their foot on the gas, releasing new victims almost daily.

Since Conti’s major leak, Lockbit directed its best efforts at both expanding its infrastructure by trying to buy the Emotet and Trickbot infrastructures and recruiting more members. Some suggest that a few Conti members defected to Lockbit, which puts Lockbit in an ideal position when it comes to who is the one and only ruler of the ransomware industry.

Vanity at Its Best

In a somewhat bold and first seen move, in the past few days Lockbit offered one million dollars to whomever can provide information about the Lockbit group itself (Figure 11).

While at first, it seemed that this was Lockbit poking at the authorities, later they explained that this offer is valid for everyone.

As unusual as offering a bounty on yourself sounds at first glance, trying to understand the interest of the group in this bounty shows us, yet again, its sophistication, learning from others, and the number one gang’s strategic planning.

When looking at the bounties on legitimate organizations, their purpose is to improve their product and find a way to protect their most valuable assets – their software, projects, sometimes patents, and financial information. On the other hand, Lockbit’s most valuable asset is their identities.

Learning from former incidents such as Conti’s leaks and the hunting of Lapsus$ by the cybersecurity industry, Lockbit tries to incentivize researchers and hunters to share what they have found on the group, thus providing the best community OpSec possible, while the price to pay is insignificant for the group but is significant for the individuals.

As planned, after the announcement, the discussion around Lockbit hunting skyrocketed, and researchers and hunters from around the world are doing their best to find every piece of information that will land them the big prize.

It seems that at the moment Lockbit is in a very secure place when it comes to its confidence in its anonymity, dominance, and their abilities to add victims daily.

Summary and Predictions

The beginning of the year slammed us with one major event after another, and taught us that there can always be more surprises on the way.

While more groups are being introduced into the industry, and everyone is looking to take Conti’s place on the Olympus of ransomware, the rest of the year should be full of more daring campaigns from the intermediate groups, an improving curve with the Conti source code out for others to utilize, and of course, greater exposure to both the cybersecurity community and mainstream media from the ransomware groups.

The Russia Ukraine conflict has created a reality in which threat groups feel comfortable stepping out of the shadows, talking freely about their intentions, goals and potential targets.

Although we expected the most talented and vicious threat actors to succeed, Lapsus$ showed us that with no zero-days and no special tools, you can still cause major damage to large enterprises. This terrifying truth is clear to us just as much as it is to intermediate threat actors who dream big.

Are you prepared for 2022’s security challenges?
Get Your Organization’s Digital Risk Snapshot