Ransomware is a continually evolving type of malware that implements encryption to hold a victim’s data at ransom. When a system is hacked and infected, ransomware has the ability to lock and encrypt data, restricting victim access, and hold the data for a monetary ransom in exchange for decryption. Costs of these ransoms can range from a few thousand dollars to millions, in addition to other disruptions a target might face. And even if the ransom is paid, there is no guarantee that the decryption key and data will be provided.
Over the years ransomware has shown its ability to evolve from a malicious floppy disk to a multi-billion dollar industry expanding operations and increasing profitability. Ransomware has become one of the most complex and prolific attacks in today’s threat landscape.
Ransomware groups are developing new strategies, especially when extorting their victims, relying on double extortion, where the group both encrypts and exfiltrates the victim’s data. Ransomware groups are also using triple extortion, deploying DDoS attacks to disrupt services, and quadruple extortion, where the group threatens, harasses, or directly contacts the victim’s customers and partners.
In 2022, the ransomware landscape presented no exception to the continuous growth and sophistication of these types of attacks. In this new year, we take a look back at the most prolific ransomware groups DarkTower has monitored in 2022, mapping out these threat actors’ TTPs and looking forward to how they may evolve in the future.
One of the most prolific ransomware groups seen in 2022 was LockBit. LockBit is a ransomware-as-a-service (RaaS) group that hires affiliates to distribute and deploy its malware, dramatically increasing its reach. LockBit was the most prevalent ransomware group in 2022, according to data posted on the group’s dedicated leak site. The group was responsible for more than a third of the total number of victims in every quarter of the year. Beginning the year with more than two hundred known double extortion victims, the group continued at a steady lead throughout the year, even in quarter three when there was a general decrease in ransomware activity.
LockBit has claimed at least 1,000 double extortion victims that among them represent approximately $460 billion in revenue in 2022, targeting small to large enterprises. LockBit targets various industry sectors globally, with about half of its victims from the U.S., followed by France, the U.K., Italy, Canada, and Germany. The most impacted organizations have been in the manufacturing, professional and legal services, retail, construction, federal government, and healthcare and public health sectors.
We entered the year with LockBit 2.0, which was launched in June 2021, but saw the group’s latest iteration, LockBit 3.0, come onto the scene in June 2022. Along with its updated affiliate program and malware in June 2022, the group launched a bug bounty program that challenged individuals to find vulnerabilities in the ransomware program and the gang’s infrastructure, such as its Tor-hosted website, secure messenger and more. If a vulnerability is found the group would offer the individual between $1,000 and $1 million. On 19SEP2022, the first bug bounty was paid at $50,000.
Compared to LockBit 2.0, LockBit 3.0 incorporated a few additions to its dedicated leak site, including pages for affiliate rules, links to additional mirror sites, and web security, and bug bounty. The site provides nine mirror sites and three payment method options, including Bitcoin, Monero, and Zcash.
LockBit 3.0 also posted a ransom payment policy with several paid options, allowing anyone to: (1) extend the timer by 24 hours; (2) destroy all information; or (3) download the data at any moment, for every victim the group publishes to its leak site.
Additionally, on its leak site, LockBit includes a “Leak Index” where it retains the stolen filesets of non-paying victims indefinitely, showcasing those victims alongside their leaked data for as long as the group chooses.
LockBit’s ability to continually and quickly update its malware has allowed it to be the most prominent among RaaS operations that have targeted organizations over the past few years. LockBit’s activity over the years has also shown how ruthless it can be when picking when and which victims to attack. For example, one of the group’s victims in OCT2022 was Lincare, one of the largest providers globally of oxygen for respiratory care, and LockBit targeted them in the middle of our respiratory virus pandemic.
In August, the group announced its efforts to take its operations to the triple extortion level after it was hit with a DDoS attack allegedly conducted by Entrust. Along with encrypting its victims’ files, demanding a ransom, and leaking compromised files on its dedicated leak site, LockBit added DDoS attacks against targeted victims to disrupt their operations. The group’s updated version also includes a new encryption tool called StealBit, and the group moved to target not only Windows systems but Linux computers as well.
Another highly prolific ransomware group in 2022 was BlackCat (also known as ALPHV), one of the most sophisticated RaaS operations. It is believed to be a successor to REvil and DarkSide/BlackMatter (responsible for the 2021 Colonial Pipeline attack) and to have links to FIN7 and FIN12. BlackCat compromised over 200 entities worldwide in 2022: at least 60 in the first quarter, 55 in the second, 42 in the third, and, at its peak in the fourth quarter, 80 entities via double extortion. BlackCat targets public and non-profit organizations as well as large entities. Most of its victims are in the U.S., followed by Canada, Germany, the U.K., and Australia, with a focus on the manufacturing, professional services, legal, finance, and retail sectors. In September, the group claimed attacks targeting airports, gas stations, fuel pipeline operators, and other critical infrastructure providers.
In March, BlackCat announced “ALPHV MORPH,” a ransomware variant written in the Rust programming language, making BlackCat the first ransomware group to execute attacks using this language. By using the Rust language, BlackCat is able to improve its operation and increase defense-evasion capabilities. It also allows the group to customize malware across different operating systems like Windows and Linux, providing a larger scope of enterprise environments as targets.
In July, BlackCat revealed “ALPHV Collections,” a searchable dedicated leak site that indexes and makes all of the data leaks easily viewable. On the site, visitors are able to search by wildcard, filename, and file type (pdf, docx, jpg, png). Most double-extortion ransomware groups maintain a dedicated leak site, but BlackCat, along with other groups, has added this searchable feature as a way to further shame the victims in an attempt to compel them to pay the ransom demanded.
In late September, BlackCat implemented an upgrade to its ExMatter data exfiltration tool used in conducting double extortion attacks and its new malware called “Eamfo”. The updated ExMatter tool “searches for specific file types from selected directories, uploads them to attacker-controlled servers, and then corrupts and destroys the files”. The tool adds wiper functionality, as it does not just encrypt an organization’s data but goes a step further by deleting and destroying it. Similar to LockBit, BlackCat uses triple extortion tactics where the group threatens to launch DDoS attacks on its victims, on top of exposing exfiltrated data to compel victims to pay the ransom demand.
In December, a victim published on BlackCat’s dedicated leak site did not meet the demands and led the group to publish all the stolen data, which is usually what occurs; however, this time BlackCat took it a step further and decided to also publish this data on a cloned site that looks similar to the victim’s website. Publishing the data on the clear web becomes a greater concern to victims because a wider audience aside from the infosec community is able to access it. Below, the cloned site can be seen on the left, and the victim’s original site is the image on the right.
The tabs presented by the cloned website, when clicked, take the viewer to a page where they are able to view and download this victim’s leaked data.
Last year, the group attacked many major entities and caused significant disruptions, including Swissport in FEB2022, causing flight delays and service disruptions; the Austrian state of Carinthia in MAY2022, demanding $5 million and causing the victim to shut down nearly 3,700 administrative systems; the University of Pisa, one of the oldest universities in Europe, in JUN2022, with a demand of $4.5 million; and Suffolk County, New York, in SEP2022, hitting many of the county’s computer systems and forcing emergency 911 operators to record call information with paper and pencil.
Cl0p ransomware group, associated with Russia, uses the double extortion RaaS method and targeted over 250 organizations in 2022, adding it to the list of most prolific ransomware groups of last year. At the end of 2021, Cl0p’s activities decreased because six of its members were arrested; however, this did not keep the group down for long. At the end of the first quarter in 2022, Cl0p had become one of the most active groups, attacking over twenty organizations. Cl0p appears to favor the professional services, retail, manufacturing, and information technology sectors and targets mostly organizations in the U.S., Canada, Switzerland, France, and Singapore.
In December, Cl0p began inserting malware into medical records that are then sent to telehealth medical practices. The group booby-trapped medical records for the “patients.” Cl0p infiltrated entities in the healthcare industry by sending the infected files that were disguised as ultrasound images or other medical documents for patients that were being provided remote consultations. Another tactic used by Cl0p entailed the group reaching out to victims’ customers directly and threatening that their data will be leaked unless they convince the victim to pay the ransom.
Cl0p is the successor of a group called CryptoMix and is operated by Russians. Cl0p has been observed as a payload delivered by different Russian groups, including FIN11, as well as by TrueBot malware. The ransomware is able to dodge security detection and appear as an authentic file by using verified, digitally signed binaries. The group avoids detection and disrupts investigations through anti-analysis and anti-virtual-machine techniques.
First observed in June 2021, Hive has become one of the most prolific ransomware groups in the double extortion RaaS ecosystem. Its operations are also supported by its dedicated leak site, which is accessible on the dark web. The group surged in 2022, attacking over a hundred entities, and was most active in the first and third quarters of the year. The U.S. had the most double extortion victims from Hive in 2022, followed by the U.K., Spain, Brazil, and the Netherlands. The industry most targeted by this group is healthcare, followed by hospitality, telecommunications, manufacturing, and construction.
In November, CISA, the FBI, and HHS warned that Hive has exploited more than a thousand entities globally, collecting $100 million in ransom payments, and, in April, HHS warned that Hive had become exceptionally aggressive in its attacks against the healthcare sector. This warning came right after the group attacked Partnership HealthPlan of California in March, shutting down its operations. Other healthcare entities, as seen in the images below, that were hit by Hive this year included Baton Rouge General Hospital in Louisiana in June, Henry Regional Medical Center in September, and Lake Charles Memorial Health System (LCMH) in October, stealing more than 200GB of data.
Hive leveraged Golang to design its malware, and in July the group started using the Rust language in its newest version, just like BlackCat, to make it more difficult for security researchers to analyze the group’s operations.
Conti, one of the world’s most aggressive double-extortion RaaS groups which is associated with Russia, first appeared in Summer 2020. It took the place of Ryuk ransomware and ended its operations in Summer 2022 in the wake of Conti Leaks.
Although Conti has been disbanded, it accounted for about 20% of attacks in the first quarter of 2022. Conti’s dedicated leak site has been inactive since May, with the last victim being posted on 25MAY2022. The leak site officially disappeared in June.
The group’s last victim was the Costa Rican government’s network in April, when it breached various government bodies, taking 27 government agencies offline for an extended period of time. After the government refused to cooperate with the group and pay the demanded ransom, Conti increased its price to $20 million. The FBI referred to Conti as “the costliest strain of ransomware ever documented,” targeting over 1,000 victims and obtaining over $150 million in payouts since its inception. In its final months, the group’s targets were in North America and Europe, with manufacturing as the leading industry sector victimized, followed by professional services, retail, transportation, and construction. The gang behind Conti ransomware is based in Russia, and the Russia-Ukraine war was a major factor in the group going offline: after it announced its full support of Russia, receiving payments became almost impossible, cutting off a large part of the group’s income and ultimately damaging its ability to operate.
Members have moved elsewhere and have been partnering with well-known smaller ransomware gangs, including Black Basta, BlackByte, BlackCat (ALPHV), Hive, and Karakurt.
Emerging in April and less than a year old, Black Basta, a RaaS group, has quickly become another of the most prolific ransomware groups of 2022. The group rose to prominence based on the frequency of its attacks in such a short period of time. In the first month of its existence, it attacked a little over ten victims, prompting speculation that it was tied to a more established group. It is believed that Black Basta is connected to the Conti ransomware group. A thread on the XSS forum shows LockBit stating that Black Basta is a rebrand of Conti:
Black Basta has victimized over 150 entities, mainly targeting organizations headquartered in the U.S., the U.K., Canada, Australia, and Germany. In the second half of the year, Black Basta was the third highest ransomware group based on total victim count from its leak site at a little over a hundred victims. The group has targeted the manufacturing, construction, retail, transportation, and healthcare industries. Although a relatively new ransomware group compared to others in this list, Black Basta has shown a steady climb in attacks over the past year.
Black Basta is a double-extortion RaaS ransomware group that also uses DDoS attacks to compel victims to pay. The group uses Qakbot malware, delivered by phishing emails, to gain initial access to a victim’s network before moving laterally within it. Additionally, the group has developed a Linux variant, first seen in June targeting Linux systems used by larger companies and enterprises, which put VMware ESXi virtual machines at risk of attack.
Black Basta has also been linked to FIN7, which has a notable track record and is known for innovating the criminal ecosystem, showing that threat actors are always trying to find ways to expand and evolve.
Interestingly, the group has not been seen advertising for recruits or calling its malware a RaaS on darknet forums, which may suggest that the group works with a small, closed set of affiliates or deploys the ransomware through its own custom toolset.
Karakurt, a relatively new ransomware group that emerged in late 2021, is another one of the most prolific ransomware groups of 2022. The group has claimed around 150 victims, targeting the manufacturing, retail, construction, professional services, and healthcare industries mostly in the U.S., the U.K., Canada, Turkey, and Australia. Alongside LockBit and Black Basta, Karakurt registered the highest number of attacks in the second and third quarters of 2022.
Unlike typical ransomware groups, Karakurt does not encrypt the stolen data; it simply steals the data and demands a ransom. Karakurt threatens to auction off the stolen data or leak it to the public if the ransom is not paid.
In June, the FBI, CISA, and other federal entities released a cybersecurity advisory on the group. Federal agencies have focused on Karakurt because it is believed to be the “data extortion arm” of the Conti ransomware group. The group’s name reflects its extortion tactics as the Karakurt spider’s bite is “very toxic and dangerous,” according to the group’s description on its dedicated leak site.
Karakurt has created both Twitter and Telegram profiles that allow it to expand its online presence. The group not only posted recruitment information on its dedicated leak site but also on Telegram, where it claimed to be looking for disgruntled/fired employees with network access, insiders of financial services companies, pentesters and security researchers, data recovery companies, and hacktivists to join its efforts.
During the fourth quarter, Karakurt has been trying out new tactics on its dedicated leak site. When the group publishes a new victim on its leak site, it does not disclose the victim’s name fully but rather only partially shows it using asterisks. This prompts users to guess the name of the victims but can also be a teasing game for those entities that know it is their name that is hidden. This method can compel victims to pay the ransom so that their name is not revealed because, if they do not pay the ransom, their name will be revealed to the public.
Over the past year we have seen disruptions in some of the major ransomware groups, the emergence of new groups from the old, an expansion of operations, incorporation of novel TTPs, and an evolution of systems and procedures. Ransomware groups have adopted new programming languages, switched up their targeting to impact both Windows and Linux servers, developed new methods of deployment on compromised systems, grown their leak sites to incorporate a diversity of features, expanded their compel-to-pay methods, and more.
Ransomware continues to become a highly targeted, human-driven operation functioning in a sophisticated and methodical manner. Traditional malware, which is much more predictable and automated, is no longer in use. Ransomware is now much more organized and closely resembles software-as-a-service companies.
These groups are not stopping at double extortion but moving beyond to triple and quadruple extortion, making it a nightmare for their victims, while also continuing to target critical infrastructure. Ransomware groups will steal sensitive information and monetize the data, become purely extortion groups, and turn their attention toward the cloud as more companies move their assets and critical data there.
Ransomware operations will not die anytime soon, but rather these groups will continue to innovate and reinvent themselves.