Ransomware Landscape Q2

Introduction

The first quarter of 2022 [1] was rich with many unusual incidents of new ransomware groups, and new techniques. The most notable event of Q1 was without a doubt the ContiLeaks incident, courtesy of the Russia-Ukraine conflict, which lasted till not long ago, at the end of Q2.

As the shockwaves of the Russia-Ukraine conflict have faded, when it comes to the ransomware industry, we have seen many families going “back to business”. Still, the number of overall campaigns in this quarter was relatively low, compared to the last quarter.

The Lockbit group remains the undisputed ruler of the ransomware realm, with a new “brand” – Lockbit3.0. We have consistently seen families challenging their solid top position including Blackcat/AlphV, and new groups vying for the top spot, such as BlackBasta.

Although many incidents and stories might stick out when summarizing this quarter, the most important is the death of Conti, one of the cybercrime lions, which officially shut down its operations this week.

Ransomware Statistics

Looking at this quarter’s infection rates grouped by the various ransomware groups, we see the usual dominance for 2022 so far: Lockbit, leading the way by a margin, with 204 infections this quarter compared to the next-best 58 by AlphV this quarter.

Figure 1: Ransomware groups distribution in Q2

When it comes to regions, we can see that the USA leads by a landslide when looking at regional infection rates.

Figure 2: Out of 709 victims in Q2 2022, 267 are US-based.
Figure 3: Q2 most targeted regions with top 3 groups breakdown

In the past quarter, the infection rate tells a different story from what we were seeing at the end of last year and in the first quarter of 2022. During that period, the ransomware industry continued to break records, with more infections in each consecutive quarter. Since the middle of this quarter, however, we started seeing a decrease in infections across all ransomware groups, leading to a decrease in total infections for the industry. Figure 4 shows Q2 with almost 10% fewer infections than Q1.

Figure 4: Top active groups per Quarter, with overall Q1 vs Q2 comparison

Looking at the individual weeks of Q2, we see a decrease since mid-quarter. The last week of the quarter shows a significant peak because the Karakurt ransomware group decided to publish a month’s worth of victims (34, dating back to the beginning of June) just as the quarter ended. Removing these 34 infections paints a truer picture: a slow decrease in the infection rate.

Figure 5: Count of victims per week in Q2

Conti Shutting Down

The Russia-Ukraine conflict provided us with a handful of interesting incidents, one of the most significant was the ContiLeaks[2] incident.

Conti was one of the most popular ransomware groups of our era. With around 600 successful campaigns in 2021 and total revenue of around $2.7 billion in cryptocurrency, Conti was a massive crime organization, if not the biggest at the time, and a consistent threat to every sector and region worldwide.

The ContiLeaks incident took place at the beginning of the conflict, when a Ukrainian security researcher infiltrated the group’s infrastructure and leaked all the information he could find: conversations, personnel information, tools, and their product’s source code. The leak also gave us the opportunity to see that the group operated like a normal business and even had an HR department.

It was pretty obvious that Conti’s days were numbered. After bleeding for months, at the end of June, Conti officially shut down its operations.

Over the past few months, Conti tried to revive their brand. After the leak, key members left, campaigns became less effective once the source code was public, and we saw a major drop in their success rate.

After the leak, Conti changed their image entirely, both professionally and socially. Observing the professional aspect of the group, we could see that Conti was nothing but the name of a group that used to be great. The group successfully conducted only 45 campaigns in Q2 2022, a number that they achieved in one-month periods last year.

Although their campaigns in Peru and Costa Rica made waves when it came to the mainstream media, and are still affecting these victims, it seems that Conti didn’t achieve much more than headlines.

As the professional aspect of the group changed significantly, the social aspect changed just as much. Conti became more toxic and impulsive in their blog posts, using foul language that seemed somewhat immature. One of the main examples was their blog post calling Lockbit scammers and saying that no one should work with them, or reacting very angrily when they were linked to the Hive and BlackBasta ransomware groups. Conti used to be much more socially responsible and sophisticated, and it seems that those who took over operations were significantly less experienced.

The question remains: “Where are they now?” Even if Conti didn’t shut down their operations, clearly they are now not the same members who ran the “real” Conti operation – the ones we all knew and feared. This raises three different possibilities. Either they retired and turned to a “normal” or “legit” occupation such as developers and researchers; or they joined one of the other groups that are on the rise and making a name for themselves this quarter, such as BlackBasta, Hive, Vice Society or even Karakurt; or third, and maybe most likely, they joined the only real competitor they used to have, Lockbit, which became a monopoly in the ransomware industry with no real competitors.

As a criminal of any kind might have a hard time going “legit” given the high levels of income they became used to, it is more likely that former Conti members have chosen one of the last two possibilities.

Lockbit3.0 – A New and Improved Nightmare

Lockbit, the undisputed ruler of the ransomware industry, launched in September 2019, and was formerly known as ‘ABCD’. LockBit group is a Ransomware-as-a-Service (RaaS) threat group that updated itself in June 2021 to Lockbit 2.0, and claimed to have the fastest encryption process on the ransomware scene.

In 2021, Lockbit positioned itself higher in the ransomware hierarchy, right after Conti, which was the leader in the number of campaigns at the time, as they were the only true competitor to Conti that year.

Following the ContiLeaks[2] incident at the beginning of the Russia-Ukraine conflict, Lockbit became the most dominant ransomware group as it expanded its operations and became the number one group by far without any real competitors.

Throughout Q2 2022, Lockbit didn’t match their numbers of the first quarter of 2022, but still led the ransomware industry and now operates as a group that is at least one level above the rest.

Recently, Lockbit announced another update to Lockbit3.0, adding enhanced capabilities and a bug bounty program.

Overall, in summarizing this quarter, the group has shown us once again that they are the only heir to the throne after Conti practically died several months ago. We witnessed this group managing itself with order, efficiency and professionalism like no other.

Although the group leads the industry by a margin, they often play their cards close to their chest and, unlike the rest of the cybercrime industry, do not report every action they take on Twitter, Telegram, and other platforms. They did, however, conduct a few publicity stunts, such as the Mandiant leak and the bounty of ten million dollars on their own head.

The Power Of Ransomware Groups

Once a group realizes it has power, its potential can be devastating. Lockbit, as mentioned, tops all other groups, and surely enjoys this reputation.

A few weeks ago, the Lockbit leak site published a new victim, claiming to be ransoming the security vendor Mandiant.

This notice made waves in the news, and the industry was amazed that a large scale security company could be targeted successfully.

Mandiant quickly released a statement saying they were not breached, and this was just a “trolling” of a ransomware group. But the news was already out, and the potential damage was already starting to spread.

Figure 6: Mandiant claims no evidence of a breach, challenging Lockbit to prove otherwise

Eventually, Lockbit released a statement claiming that this was indeed a fake notice, in response to Mandiant’s published research report stating that EvilCorp started using Lockbit’s services.

Figure 7: Lockbit confirms this was a fake announcement

Karakurt’s return

The Karakurt data extortion group, first identified in June 2021, gained the crowd’s attention once again after a long silence.

The group was operational as early as September 2021, and started out by registering two domains named karakurt[.]group and karakurt[.]tech, while their victims were spread across multiple industries and usually from the US.

The group mainly maintains a “Living off the Land” approach – attackers use legitimate software and functions available in the system to perform malicious actions against it. The group focuses solely on data exfiltration without major destructive measures.

Figure 8: Karakurt launches its new site, with a big reveal of victims

At the end of June, the group launched a new onion-based leak platform, which currently holds 34 victims and which the website operators update quite frequently. The earliest victim publication date is June 3; the mass publication may be the result of a several-month-long campaign that ends with publication on the platform. The platform offers the victims’ data in three sections: Pre-release, in which the group reveals new victims that are unwilling to pay the ransom; Release, for victims whose data is in the process of being published; and Released, for victims whose data is fully published.

If Karakurt continues with its current infection rate, which we are familiar with from the A-league threat actors, such as Lockbit, they should be considered one of the rising threats of the upcoming quarter.

Figure 9: Part of the massive leak published on the new onion site

BlackCat/AlphV

BlackCat/Alphv ransomware that’s been making waves since April 2022, is an advanced ransomware program written in the Rust programming language. This program is used in the operation of Ransomware-as-a-Service (RaaS). This group is allegedly a rebrand of the notorious Darkside ransomware group, which was responsible for the Colonial Pipeline incident [3] back in 2021. After drawing a lot of heat from the authorities in the US, they went off-grid for a couple of months, only to return as BlackMatter, and later on – BlackCat/Alphv.

BlackCat/Alphv ransomware can infect various Windows and Linux operating system versions, according to their developers. This ransomware is customizable and can be modified per victim, which is particularly important given that it is primarily used to target large entities.

Reinventing the wheel – A New extortion scheme

In an effort to put more pressure on their victims, ransomware groups will try any method at their disposal, from negotiation conversations to providing the victim with samples of the stolen data as proof. Alongside this, groups also try to “reinvent” extortion, leading to new sophisticated (…or not that sophisticated) ways to pressure the victim.

AlphV demonstrated such a method only a few weeks ago.

The victim, “The Allison Hotel and Spa” luxury hotel, hosted on the domain “theallison.com”, was published on the group’s leak site.

In order to push the victim one step further, instead of merely threatening to publish their data if no ransom was received, the ransomware group registered a new domain similar to the victim’s original one but with a different top-level domain (TLD): “theallison.xyz”. The new site publicly publishes the data, indexed, for anyone to browse.

The leak contained the records of 1,534 employees, as well as the hotel’s guest lists, including full names, amounts paid, and more.
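A defender-side check for the pattern described above, added here as an example and not part of the original report: given the domains a brand monitors (here the victim’s “theallison.com”), flag newly observed domains that reuse the same registrable label under a different TLD, as “theallison.xyz” did. The observed-domain feed and the short suffix table are constructed for the demo; a real deployment would load the Public Suffix List and feed in certificate transparency or new-registration data.

```python
from dataclasses import dataclass

# Assumption: a tiny table of multi-label public suffixes is enough for this demo.
# In production, load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def split_domain(fqdn: str) -> tuple[str, str]:
    """Return (registrable_label, public_suffix) for a domain, e.g.
    'mail.theallison.co.uk' -> ('theallison', 'co.uk'). Subdomains are dropped."""
    labels = fqdn.strip().lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a registrable domain: {fqdn!r}")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]


@dataclass(frozen=True)
class Match:
    observed: str   # registrable domain that looks like the brand under another TLD
    monitored: str  # the brand domain it collides with


def find_tld_lookalikes(monitored: list[str], observed: list[str]) -> list[Match]:
    """Flag observed domains whose registrable label equals a monitored brand's label
    but whose public suffix differs. Exact brand matches (same label and suffix,
    including subdomains of the brand) are not reported; unparsable entries are skipped."""
    index: dict[str, set[str]] = {}
    for m in monitored:
        label, suffix = split_domain(m)
        index.setdefault(label, set()).add(suffix)
    hits: list[Match] = []
    for o in observed:
        try:
            label, suffix = split_domain(o)
        except ValueError:
            continue  # junk line in the feed
        if label in index and suffix not in index[label]:
            brand = f"{label}.{sorted(index[label])[0]}"
            hits.append(Match(observed=f"{label}.{suffix}", monitored=brand))
    return hits


# Constructed sample feed (e.g. newly registered domains or CT log entries).
MONITORED = ["theallison.com"]
OBSERVED = ["theallison.xyz", "www.theallison.com", "mail.theallison.co.uk",
            "example.net", "THEALLISON.TOP.", "localhost"]

if __name__ == "__main__":
    for hit in find_tld_lookalikes(MONITORED, OBSERVED):
        print(f"lookalike {hit.observed} collides with monitored {hit.monitored}")
```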

Figure 10: Leak site controlled by the AlphV group, allowing employees and guests to validate their data from the breach
Figure 11: Browsable panel on the new domain, allowing easy search of breached employees’ data

Q2 newcomers

BlackBasta

BlackBasta emerged in April 2022 and immediately gained the attention of security researchers: within one month the group claimed to have attacked 26 organizations, and so far it has claimed nearly 50.

After they emerged, there was initially much speculation about their connection to the Conti ransomware group, partially due to some similarities in the websites of the two groups. The Cyberint Research Team was not convinced that these similarities were enough to determine that one group is connected to another. However, we cannot deny the fact that some members might know each other from past experience, given the mutual origin of the groups.

BlackBasta’s workflow is to first exfiltrate the data, then encrypt it on the victim’s host, and then demand the ransom.

To date, BlackBasta gained fourth place after Lockbit, BlackCat and Conti, with a fairly stable infection rate.

Industrial Spy

Industrial Spy introduced a new method of data publication and a new financial offering. Most of its data extractions did not involve encryption; instead, the psychological effect of data publication is used to pressure the victim. The platform’s main goal is to become the ultimate repository of victims’ data. The data is mainly gathered by threat actors and insiders, both of whom gain financial benefits from its publication. As declared by the operators, they aim to create a convenient platform that helps companies compare or reveal sensitive and confidential data on potential partners or competitors.

Figure 12: Industrial Spy provides flexible consumption of data

The marketplace’s offering is divided into three main sections: the Premium Section, where new data can be purchased exclusively; the General Section, for purchasing a specific file non-exclusively; and lastly the Free Data Section, which gives registered users full access to the published data.

Summary – The Calm Before The Storm?

The second quarter of 2022 provided us with surprising numbers when it comes to ransomware campaigns.

After a strong start at the beginning of the year with 758 campaigns in Q1, it seems that ransomware groups had approximately 10% fewer victims over Q2 (while not necessarily less income).

The question that remains unanswered is: Are we seeing somewhat of a losing battle in the ransomware industry? Or is this just the calm before the storm?

Some speculation suggests that the reason we aren’t seeing as many victims as we used to relates to the overall worldwide financial situation, which might be resulting in fewer profitable campaigns for ransomware groups, as victims are not able to pay as much as they used to. In addition, ransomware groups may still be waiting for better timing to operate and negotiate against victims into which they already have backdoors.

The Cyberint Research Team is convinced that this is not the beginning of the end of the ransomware industry; at most, we are witnessing a remission. It seems that most ransomware groups have invested this quarter in building their name and infrastructure, along with reconnaissance of potential new targets. We expect to see the “fruits” of these actions towards the middle of Q3, continuing for the rest of the year.

References

[1] https://cyberint.com/blog/research/ransomware-q12022/

[2] https://cyberint.com/blog/research/contileaks/

[3] https://cyberint.com/blog/techtalks/colonial-pipeline-incident/
