Ransomware activity decreased in the third quarter of 2022 (Q3 2022), as actors regrouped and refocused after a busy start to the year. Despite this, attacks on high-profile targets—as well as potentially politically motivated attacks—kept our eyes on ransomware this quarter. New tools and techniques emerged, while older tools resurfaced or were repurposed by ransomware groups.
The aftermath of key developments in the second quarter of 2022 was felt in Q3 2022. Although new groups rushed to fill the gap left by the “Conti” ransomware group, the “LockBit” ransomware group hit the Q3 top spot again, capturing its highest-ever market share in September 2022. The lines between financially and politically motivated ransomware actors also blurred in Q3 2022, with government entities and private companies suffering the consequences.
Digital Shadows (now ReliaQuest) conducts daily monitoring of ransomware groups. This blog is the latest edition of our quarterly assessments of ransomware activity, using primary and secondary source reporting. In this blog, we look at major ransomware events and trends, assess which sectors and regions need to beware, and make predictions about what to expect in the fourth quarter of 2022.
Q3 2022 saw ransomware activity slow, with overall activity declining 10.5% from the previous quarter. This is likely due to major developments in Q2 2022, including the demise of the Conti ransomware group, and the launch of LockBit ransomware’s latest affiliate program, “LockBit 3.0”. August was a quieter month for most ransomware groups—except for LockBit—but activity steadily picked up again in September 2022, a possible sign of what’s to come in Q4 2022.
Despite a relatively slow start to Q3 2022, LockBit remained by far the leader in the ransomware space. Although LockBit’s overall activity decreased from Q2 2022, its share of total activity increased: from 32.8% to 35.1% of all victims. In September 2022, LockBit achieved its highest monthly market share, accounting for over 40% of ransomware victims. Despite some skepticism about the quality of LockBit 3.0 from other threat actors, the program has unfortunately been effective at cementing LockBit’s success.
This success has not been without consequence. In August 2022, LockBit’s data-leak sites were taken offline multiple times after being hit by distributed denial-of-service (DDoS) attacks. The DDoS attacks followed LockBit’s breach of cyber-security company Entrust. LockBit’s public representative “LockBitSupp” accused the company of conducting the attacks in retaliation for the breach, although this is unconfirmed.
More likely, LockBit’s success is coming at a price: the group is increasingly inviting resentment from competing threat groups and possibly former members. LockBitSupp frequently—and infamously—gets into public spats with other ransomware representatives, including the representatives of Conti and “Alphv”. It is realistically possible that a rival group targeted LockBit under the guise of retaliation for the Entrust breach.
In mid-September 2022, a leaked LockBit 3.0 builder was posted on Twitter by a user claiming that their team managed to “hack several LockBit servers”. LockBit denies the claims: LockBitSupp alleged that the group was not hacked, instead blaming a disgruntled former developer for the leak. Regardless of the source, the builder appears to be legitimate, which will likely have consequences in Q4 2022 if other threat actors weaponize the builder for their purposes.
Reporting in Q2 2022 was dominated by the fall of the Conti ransomware group. Once the most prolific ransomware operator—until LockBit stole its crown last quarter—Conti officially closed shop with the shutdown of its servers in June 2022. In Q3 2022, we observed the after-effects, including competition over Conti’s market share and a surge in new ransomware groups.
With Conti out of the picture, three groups competed for its former position as the most dominant ransomware group after LockBit, but no clear winner emerged. “Black Basta” edged out the competition, accounting for 9% of all ransomware victims, while “Hive Leaks” and Alphv came in at 8% and 7%, respectively. Black Basta and Hive Leaks both have rumored links to Conti, but these are unconfirmed.
In Q3 2022, we observed the emergence of 12 new ransomware data-leak sites. Some are from new groups, while others belong to older groups that began conducting double extortion during the quarter. Double extortion is a technique where threat actors not only encrypt victim data for ransom but threaten to publish the data on data-leak sites if a ransom isn’t paid. Some of these, including “BianLian” and “Medusa Locker”, hit the ground running, immediately surpassing established ransomware groups like “BlackByte” in the number of victims named.
At the end of last quarter, we hypothesized that we would see a rush of new groups led by former Conti members. It is unclear whether these new groups have direct links to Conti. However, whether or not they are linked to Conti, they were likely launched opportunistically to fill the market gap Conti left behind.
And what of Conti itself? In Q3 2022, reports emerged alleging that former Conti members were targeting Ukraine. These reports allude to a growing trend of the intersection between political and financially motivated actors. While the Conti members’ targeting of Ukrainian hospitality organizations was likely financially motivated, the decision to target Ukrainian government entities was almost certainly influenced by the current Russia-Ukraine war.
Distinguishing politically motivated threat actors from financially motivated ones is increasingly challenging. North Korea, for example, frequently fell into both camps in Q3 2022, continuing its tactic of using ransomware groups such as “HolyGhost” to circumvent international sanctions and the financing challenges they bring.
The highly disruptive ransomware attacks on Montenegro and Albania in Q3 2022 are notable examples of the challenges of differentiating between political and criminal activity. In late August 2022, a ransomware attack shuttered Montenegro’s government systems and national services. Although the attack has since been attributed to “Cuba” ransomware, Montenegrin officials initially attributed it directly to the Russian government, in part because of the extent of the disruption.
In Albania, Iranian state-affiliated groups targeted the country in a series of disruptive, retaliatory attacks on government systems beginning in July 2022. These attacks, which are attributed with high confidence to Iran’s Ministry of Intelligence and Security (MOIS), were almost certainly political. Notably, ransomware was a key tool in this campaign, deployed by the attackers to encrypt Albanian data. Ransomware is, therefore, not only the tool of cybercriminals but a potentially impactful political tool.
The real loser of this trend is the average citizen. Critical industries, including energy, healthcare, and manufacturing, were highly targeted by ransomware in Q3 2022. Unfortunately, whatever the motivation to target critical infrastructure, the consequences of disruptions to healthcare services, energy providers, or government services are the same—and may severely impact users.
Digital Shadows (now ReliaQuest) monitors 97 ransomware and data-leak sites, of which 44 are active at the time of writing. Nearly all ransomware groups experienced decreased activity in Q3 2022. Hive Leaks (up 80.8%) and “AvosLocker” (up 50%) were exceptions, displaying notable upticks in activity. The following is an analysis of observed behavior and targeting patterns.
An ongoing discussion we have had as a team this past quarter is whether to differentiate between ransomware and extortion-only groups. Both categories infiltrate victim networks, steal data, and threaten to leak the data if payment isn’t made. Critically, however, extortion-only groups do not encrypt stolen data and are unlikely to disrupt victim operations.
Ultimately, we elected to keep our data extortion numbers distinct from our ransomware statistics. We observed only 40 data extortion events this quarter: a decrease of 41.1% from Q2 2022. Together with the ransomware figures, these account for only 5.8% of all data leakage events.
There are also fewer data extortion groups than ransomware groups. Only 16.5% of the data-leak sites we monitor likely conduct solely data extortion. “Karakurt Hacking Team”—allegedly the data-extortion branch of Conti—is one of the most notable groups; the Ukraine-targeting “Free Civilian” is another. The lack of affiliate programs for data extortion may be one reason for this: while ransomware has a higher technical barrier to entry, affiliate programs allow less technically adept users to conduct attacks using premade tools.
As in Q2 2022, the industrial goods and services sector was the most targeted by a wide margin—accounting for 20.8% of victims—followed by the technology (9.8%), construction and materials (9%), travel and leisure (7.1%), and healthcare (6.6%) sectors. Like the previous quarter, industries that provide critical services were most often targeted, possibly because critical industries are considered more likely to pay a ransom to avoid costly downtime.
For most sectors, the number of attacks decreased in Q3 2022. Although critical infrastructure sectors were key targets, the travel-and-leisure sector saw a notable increase in targeting. Activity targeting the industry increased by 33.3% from Q2 2022, the most significant jump of any sector. It is realistically possible that this correlates with increased travel post-COVID-19 pandemic and the summer holiday season. Targeting of the technology sector also rose by 4.9%. All other sectors saw a decrease in activity, in line with the general trend for the quarter.
The US was again the most targeted country in Q3 2022, accounting for 39.3% of all victims, more than the following nine countries combined. Europe accounted for the next five most targeted countries, including France (5.1%), Spain (4.8%), the UK (4.8%), Germany (4.5%), and Italy (4.3%). Western countries are often the most targeted by ransomware attacks—a trend likely to continue in coming quarters—due to the perception that entities from such countries can afford a ransom.
Nearly all countries experienced a decrease in ransomware activity this quarter, with activity targeting the US decreasing by 10.6%. Spain is a notable exception, with activity increasing by 66.7%, primarily due to targeting from the “Sparta Blog” group. France and Israel also saw greater targeting in Q3 2022 than the previous quarter.
Past trends and the developments in the Q3 2022 ransomware threat both support our projection that ransomware activity will increase in Q4 2022. In this final section, we examine the developments most likely to shape the ransomware threat landscape and include graphical projections for the coming quarter.
Q4 is historically a period of high ransomware and cyber-criminal activity. The festive shopping season—which includes major events such as Black Friday, Cyber Monday, Christmas, and Boxing Day—is often exploited by cybercriminals to distribute malware. Phishing scams normally abound, requiring caution from both companies and consumers. Ransomware activity is, therefore, likely to increase in Q4 2022, in line with previous trends.
The LockBit 3.0 builder leak is also likely to impact ransomware activity in Q4 2022. We have already witnessed cybercriminals discussing the leaked builder, including ways to re-engineer and exploit the tool, on criminal forums. Ransomware actors notoriously reuse leaked material. The “Babuk” ransomware source code leak is one example, with several new ransomware variants, including “Rook” and “Pandora”, based on the leak. Ransomware activity will likely increase if new ransomware variants based on the LockBit builder emerge.
Despite this leak, LockBit is likely to remain the ransomware leader by a wide margin. But as the group’s activity increases and its market share grows, it is more likely to attract the concerted attention of rival threat actors, as well as law-enforcement bodies. It is realistically possible that the group will be subject to more countermeasures in Q4 2022.
Geopolitical events are also likely to continue to impact ransomware activity. Recent developments in the Russia-Ukraine war—including Russia’s annexation of several Ukrainian territories and the looming threat of a European energy crisis—are likely to continue to motivate ransomware actors to target government and critical infrastructure entities. Outside Europe, international support for the ongoing Iranian protests may lead the Iranian state to again conduct retaliatory ransomware attacks.
One takeaway from Q3 2022 is the complexity of the ransomware threat faced by organizations today. You can get a comprehensive look at the data we used to build this blog by requesting a free demo of SearchLight. Additionally, you can get a customized demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) to gain visibility of your organization’s threats and potential exposures, including access to a finished threat intelligence library with MITRE associations and mitigations from Photon Research. For further information, our previous blog article Tracking Ransomware Within SearchLight shows how SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) tracks emerging variants, lets you export and block associated malicious indicators in various formats, instantly analyze popular targets, and map them to your security controls with ease.