Researchers say that while ransomware attack volumes are dropping, shifts in gang activities have pivoted more attacks than ever to the finance sector.
On Monday, cybersecurity firm KELA published its Ransomware victims and network access sales report (PDF), suggesting that the number of significant ransomware victims dropped by approximately 40%, recorded as 698 in Q1 compared to Q4 2021’s 982.
On average, the company recorded 232 ransomware attacks per month during this time period.
A notable shift is Conti’s place as one of the most prolific ransomware groups, alongside LockBit, Hive, Alphv/Blackcat, and Karakurt.
There’s no honor among thieves when it comes to Conti. The ransomware gang will just as easily target a hospital as a business, encrypting systems and demanding a hefty blackmail payment in return for a decryption key.
During the first few months of this year, Conti publicly pledged its support for Russia’s invasion of Ukraine. Following the Russian-speaking group’s declaration, in retaliation, an individual broke into its systems and leaked Conti’s malware code and internal chat logs – a treasure trove for researchers and defenders alike.
While security teams were able to use the leaks to improve their understanding of the ransomware gang’s operations, it also impacted Conti’s place in the pecking order.
According to KELA, Conti has been booted from the top spot in the months following the leak. While still active, it appears that Conti’s victim list decreased from January, with LockBit moving up the ranks.
In Q1, LockBit hit 226 recorded victims, ranging from manufacturing and technology to the public sector.
However, together with its suspected subsidiary KaraKurt, Conti is still the second-most active ransomware gang in 2022.
Alphv is considered an emerging threat by KELA as a new player, having only really hit the spotlight in December 2021. The first quarter of 2022 is the first time Alphv/Blackcat has made it onto the list of the most active groups.
A few ransomware gangs, including Midas and Lorenz, are also switching up their tactics. A new victim intimidation method detected by the cybersecurity firm is for the group to publish a victim on a leak site as a “new company,” and if the business refuses to pay, the post is edited to include the brand.
The most targeted sectors are manufacturing, industrial, professional services, and technology. LockBit’s climb up the activity list has also impacted the number of recorded attacks against financial services, now making it into the top five targeted industries. In total, LockBit was responsible for 40% of the attacks against financial organizations in the first quarter.
We sometimes hear of malware designed to detect and boot rival malware off compromised systems, and in the same manner, ransomware groups are jostling for positions and victim territory.
KELA says that some gangs in the top list have been observed attacking each other or, at the very least, laying claim to the same victims.
The report states: “On January 15, 2022, a US-based auto dealer was claimed to be compromised by Conti. On March 23, 2022, the company was disclosed as a victim on Alphv’s blog. Moreover, on April 4, 2022, Avos Locker published the same company on its site, sharing screenshots identical to Alphv’s ones and the same file as the one shared by Conti.
“At this point, it is unclear if the three groups are cooperating or if it is a coincidence. Recently, researchers found out that Conti gang aimed to create smaller autonomous ransomware groups and collaborated with Alphv, AvosLocker, Hive, and HelloKitty gangs.”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0