Light Dark
December 27, 2022 By Jennifer Gregory 3 min read
Risk Management

As we look forward to 2023, we can find many ransomware lessons in looking back at 2022. The year brought us numerous attacks by many of the same gangs we’ve watched for years, as well as some newcomers.

Many ransomware gangs operate like businesses, with their own marketing departments and user documentation. With the advent of Ransomware-as-a-Service (RaaS), gangs now sell their software to other criminals and get a portion of the profits — revenue without having to lift even a virtual finger.

But just like legitimate companies, some gangs are more successful than others. By understanding recent and common tactics, companies can create an effective plan to thwart ransomware attacks in the new year.

Here are four ransomware gangs that made headlines in 2022:

LockBit

LockBit had a big year — especially in May when the group was responsible for 40% of all ransomware attacks. The group even bragged on social media that it attacked 12,125 organizations, including Thales Ground and the French Ministry of Justice.

One of the biggest reasons the group made the headlines in 2022 was its release of a new ransomware variant, dubbed LockBit 3.0. While the group targeted organizations worldwide, the United States was the top target with the most victims. LockBit also made headlines this year by being the first group to launch its own bug bounty program, offering up to a million dollars to those willing to share sensitive personal information with them.

LockBit’s attack method of using a propriety information stealer and downloading browser data to its secure server separates it from other groups. LockBit was also one of several gangs that appeared to be “dead” and then become active again.

REvil

A story about the top gangs of 2022 wouldn’t be complete without REvil, even though the group had an official death date of May 2022.

Many group members were arrested in Russia in early 2022, but they are now back up and running, causing business disruption with their attacks. The resurrected REvil is using many of the same strategies, such as creating and attaching a random extension to affected files. However, attacks now use an updated encrypter, which makes it easier for the gang to target its attacks.

Read the Ransomware Guide  

BlackCat (ALPHV)

This group is new on the ransomware scene, launching its first official attack in 2021. The FBI reported that members are connected to the BlackMatter/DarkSide Group.

BlackCat has launched attacks on more than 60 organizations, targeting both nonprofits and corporations in industries ranging from technology to real estate. Among its high-profile attacks was one on the Austrian federal state Carinthia, in which they demanded a $5 million ransom. Additionally, the group has the distinction of being the first to launch an attack on an organization using RUST, which is typically considered to be one of the more secure programming languages.

BlackCat’s attacks tend to use a similar approach: gaining access through previously compromised credentials and then using distributed denial-of-service (DDoS) attacks. The attacks start by taking over Active Directory user and administrator accounts and then deploying the ransomware. Ransoms are usually requested to be paid in Bitcoin and Monero, but the gang has settled for ransom payments lower than the demanded amount.

Black Basta

Many of Black Basta’s members were previously part of the Conti and REvil ransomware gangs. The group’s first known attack happened in April 2022, when the American Dental Association was forced to shut down services to members, including online, telephone, chat and email. Other victims included the building and construction firm Knauf and the agriculture equipment company AGCO.

Black Basta specializes in using a RaaS double-extortion technique, which renders the victim’s data unusable and threatens to make sensitive information public. Like many other groups, Black Basta tends to rely on DDoS attacks to increase the odds that the target will pay the ransom demanded.

As we move into 2023, cybersecurity professionals should leverage the lessons we’ve learned and the ransomware tactics we’ve seen in 2022 to help make organizations safer and more secure.

 |  |  |  |  |  |  |  |  |  |  |  | 
Jennifer Gregory
Cybersecurity Writer

More from Risk Management
July 25, 2024

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

July 24, 2024

Crisis communication: What NOT to do

4 min read - Read the 1st blog in this series, Cybersecurity crisis communication: What to doWhen an organization experiences a cyberattack, tensions are high, customers are concerned and the business is typically not operating at full capacity. Every move you make at this point makes a difference to your company’s future, and even a seemingly small mistake can cause permanent reputational damage.Because of the stress and many moving parts that are involved, businesses often fall short when it comes to communication in a crisis.…

July 10, 2024

Digital solidarity vs. digital sovereignty: Which side are you on?

4 min read - The landscape of international cyber policy continues to evolve rapidly, reflecting the dynamic nature of technology and global geopolitics. Central to this evolution are two competing concepts: digital solidarity and digital sovereignty.The U.S. Department of State, through its newly released International Cyberspace and Digital Policy Strategy, has articulated a clear preference for digital solidarity, positioning it as a counterpoint to the protectionist approach of digital sovereignty.What are the main differences between these two concepts, and why does it matter? Let’s…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature