The ransomware ecosystem has changed significantly in 2022, with attackers shifting from large groups that dominated the landscape toward smaller ransomware-as-a-service (RaaS) operations in search of more flexibility and drawing less attention from law enforcement. This democratization of ransomware is bad news for organizations because it also brought in a diversification of tactics, techniques, and procedures (TTPs), more indicators of compromise (IOCs) to track, and potentially more hurdles to jump through when trying to negotiate or pay ransoms.
“We can likely date the accelerated landscape changes back to at least mid-2021, when the Colonial Pipeline DarkSide ransomware attack and subsequent law enforcement takedown of REvil led to the dispersal of several ransomware partnerships,” researchers from Cisco’s Talos group said in their annual report. “Fast forward to this year, when the ransomware scene seems as dynamic as ever, with various groups adapting to increased disruptive efforts by law enforcement and private industry, infighting and insider threats, and a competitive market that has developers and operators shifting their affiliation continuously in search of the most lucrative ransomware operation.”
Large ransomware groups attract too much attention
Since 2019 the ransomware landscape has been dominated by big and professionalized ransomware operations that constantly made the news headlines and even looked for media attention to gain legitimacy with potential victims. We’ve seen ransomware groups with spokespeople who offered interviews to journalists or issued “press releases” on Twitter and their data leak websites in response to big breaches.
The DarkSide attack against Colonial Pipeline, which led to a major fuel supply disruption along the US East Coast in 2021, highlighted the risk that ransomware attacks pose to critical infrastructure and led to increased efforts to combat this threat at the highest levels of government. This heightened attention from law enforcement made the owners of underground cybercrime forums reconsider their relationship with ransomware groups, with some forums banning the advertising of such threats. DarkSide ceased operations soon thereafter and was followed later in the year by REvil, also known as Sodinokibi, whose creators were indicted, and one was even arrested. REvil had been one of the most successful ransomware groups since 2019.
Russia’s invasion of Ukraine in February 2022 quickly put a strain on relationships within many ransomware groups that had members and affiliates in both Russia and Ukraine, or in other former USSR countries. Some groups, such as Conti, rushed to take sides in the war, threatening to attack Western infrastructure in support of Russia. This was a departure from the usual business-like, apolitical approach in which ransomware gangs had run their operations, and it drew criticism from competing groups.
This was also followed by a leak of internal communications that exposed many of Conti’s operational secrets and caused uneasiness among its affiliates. Following a major attack against the Costa Rican government, the US State Department put up a reward of $10 million for information related to the identity or location of Conti’s leaders, which likely contributed to the group’s decision to shut down operations in May.
Conti’s disappearance led to a drop in ransomware activity for a couple of months, but it didn’t last long as the void was quickly filled by other groups, some of them newly set up and suspected to be the creation of former members of Conti, REvil and other groups that ceased operations over the past two years.
Top active ransomware gangs to watch in 2023
LockBit takes the lead
LockBit is the main group that stepped up its operations following Conti’s shutdown by revamping its affiliate program and launching a new and improved version of its ransomware program. Even though it has been in operation since 2019, it wasn’t until LockBit 3.0 that this group managed to take the lead of the ransomware threat landscape.
According to reports from multiple security companies, LockBit 3.0 was responsible for the highest number of ransomware incidents during the third quarter of 2022 and was the group with the highest number of victims listed on its data leak website for the entire year. This group might see its own spinoffs in 2023, as the builder for LockBit was leaked by a disgruntled former developer. Anyone can now build their own custom version of the ransomware program. According to Cisco Talos, a new ransomware group dubbed Bl00dy Gang has already begun using the leaked LockBit 3.0 builder in recent attacks.
Hive extorts more than $100 million
The group with the highest number of claimed victims in 2022 after LockBit, according to Cisco Talos, is Hive. This was the primary ransomware family observed throughout Talos’s incident response engagements this year and the third most common in incident response cases for Palo Alto Networks, after Conti and LockBit. According to a joint advisory by the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), and the US Department of Health and Human Services (HHS), this group managed to extort over $100 million from more than 1,300 companies worldwide between June 2021 and November 2022.
“Hive actors have been known to reinfect—with either Hive ransomware or another ransomware variant—the networks of victim organizations who have restored their network without making a ransom payment,” the agencies said.
Black Basta, a Conti spinoff
The third most prolific ransomware gang this year, based on Talos’ observations, has been Black Basta, a group suspected to be a spinoff of Conti given some similarities in their techniques. The group started operating in April, not long before Conti shut down, and quickly evolved its toolset. The group relies on the Qbot Trojan for distribution and exploits the PrintNightmare vulnerability.
Starting in June, the group also introduced a file encryptor for Linux systems, primarily aimed at VMware ESXi virtual machines. This cross-platform expansion has also been seen with other ransomware groups such as LockBit and Hive, both of which have Linux encryptors, and with ransomware such as ALPHV (BlackCat), which is written in Rust and can therefore run on multiple operating systems. Golang, another cross-platform programming language and runtime, has also been adopted by some smaller ransomware gangs such as HelloKitty (FiveHands).
Royal ransomware group gaining momentum
Another group that’s suspected to have ties to Conti and appeared earlier this year is called Royal. While it initially used ransomware programs from other groups, including BlackCat and Zeon, the group later developed its own file encryptor that seems to be inspired by or based on Conti’s, and it quickly gained momentum, taking the lead from LockBit in the number of victims in November. At this rate, Royal is expected to be one of the top ransomware threats in 2023.
Vice Society targets education sector
Royal is not the only example of a ransomware group that achieved success by reusing ransomware programs developed by others. One such group, Vice Society, is the fourth largest group based on the number of victims listed on its data leak site, according to Cisco Talos. This group primarily targets organizations in the education sector and relies on forks of pre-existing ransomware families such as HelloKitty and Zeppelin.
More ransomware groups a challenge for threat intelligence
“The end of the great ransomware monopolies has presented challenges to threat intelligence analysts,” the Cisco Talos researchers said. “At least eight groups make up 75% of the posts to data leak sites that Talos actively monitors. The emergence of new groups makes attribution difficult as adversaries work across multiple RaaS groups.”
Some groups, such as LockBit, have started to introduce additional extortion methods such as DDoS attacks to force their victims to pay ransoms. This trend is likely to continue in 2023, with ransomware groups expected to come up with new extortion tactics to monetize attacks on victims where they’re detected before deploying the final ransomware payload. Half of Cisco Talos’s ransomware-related incident response engagements have been in the pre-ransomware stage, showing that companies are getting better at detecting the TTPs associated with pre-ransomware activity.