Ransomware Picture: Volume of Known Attacks Remains ConstantMassive Profit Potential and Robust Initial Access Market Keep Fueling Ecosystem
Ransomware continues to help criminal syndicates earn massive profits at victims' expense.
See Also: 2022 Unit 42 Incident Response Report
In 2022, there were about 2,800 known new ransomware victims, based on successful attacks that came to light publicly, including via ransomware groups listing victims on their dedicated data leak sites, reports threat intelligence firm Kela.
The number of known victims was virtually unchanged from the 2,860 victims the firm counted in 2021.
"Despite initial concerns about law enforcement actions against ransomware and extortion actors, the number of attacks publicly disclosed in 2022 did not decrease, indicating that threat actors still view these types of attacks as profitable despite the potential risks," Kela reports.
Kela reports that these five groups were responsible for amassing the most known victims: LockBit, Alphv - aka BlackCat, Conti, Black Basta and Hive. Collectively, those groups accounted for more than half of all known attacks. The most affected countries were the United States, which accounted for 40% of known attacks, followed by the United Kingdom, Germany, Canada and France, which each accounted for 4% to 6% of known attacks.
Top Ransomware and Extortion Groups of 2022
Looking solely at the U.S., the number of known attacks against state and local governments, the education sector and hospitals has remained "surprisingly consistent" since 2019, reports security firm Emsisoft.
The above findings carry big caveats. Last year, ransomware groups listed victims across 60 different leak sites, Kela reports. But not all groups use such sites, and those that do only list a fraction of their nonpaying victims.
"Only a minority of ransomware attacks on private sector companies are publicly disclosed or reported to law enforcement, which results in a dearth of statistical information," Emsisoft says. "The reality is that nobody knows for sure whether the number of attacks are flat or trending up or down.
The volume of known attacks staying constant is despite business not always going smoothly for ransomware operations. Last year, multiple groups' operations were disrupted by sustained distributed-denial-of-service attacks, but none went dark permanently as a result.
This too didn't scuttle any of their operations. The operators of Conti, a major player, subsequently retired their brand name after first launching multiple spinoffs. Security experts say this came about after Conti's leaders disastrously issued a public declaration supporting Russia's war against Ukraine, leading to numerous victims no longer paying it a ransom.
Ransomware remains highly lucrative. Last October, ransomware response firm Coveware reported that the average ransom payment - when a victim chose to pay - was $258,143. Last December, the U.S. government estimated that a single group called Cuba had amassed at least $60 million in ransom proceeds. The group doesn't even rank in the top 10 of ransomware operations, based on the number of known victims amassed.
Seeking even greater profits, ransomware groups keep innovating, including designing crypto-locking malware that is easier for their affiliates to use and that can lock systems more quickly. Crime groups such as Lapsus$ and Stormous are also using a newer type of business model: extortion without crypto-locking malware, in which they steal data and threaten to leak it via dedicated data leak sites or Telegram channels - without leaving systems locked, Kela reports.
How many victims pay a ransom remains unknown (see: Tracking Ransomware: Here's Everything We Still Don't Know).
But last July, the European Union Agency for Cybersecurity published a report on 623 ransomware attacks it studied during a 14-month period ending in June 2022, which says 60% of victims appeared to have paid a ransom.
Initial Access Brokers
The cybercrime ecosystem features many different types of service providers, including initial access brokers, who gain remote access to victims and then sell it to others - not least ransomware groups - to facilitate their attacks.
Last year, Kela reports seeing "a significant increase in the number of network accesses being sold publicly by IABs on major cybercriminal platforms: over 2,200 offers for a cumulative price of more than $4.5 million."
From July 2021 to June 2022, cybersecurity firm Group-IB says in a new report, the number of IABs grew from 262 to 380, with "2,348 instances of corporate access being sold on underground forums," or more than double the preceding 12 months' volume. Oversupply also appeared to be driving prices down, it said, with an individual access retailing for an average of $2,800.
The most popular types of access being sold were remote desktop protocol and VPN credentials, which each accounted for about one-third of all known access sales by IABs, it says.
"Initial access brokers … fuel and facilitate the operations of other criminals, such as ransomware and nation-state adversaries," says Dmitry Volkov, CEO of Group-IB. "As access sales continue to grow and diversify, IABs are one of the top threats to watch in 2023."
Malware at Work
Ransomware operations don't just rely on IABs to gain remote access to organizations. Some target weak passwords or known vulnerabilities directly. Others use malware offered by the likes of Emotet, Qakbot and IcedID to gain an initial foothold, Group-IB reports. In such cases, it says, 60% of the time, the attackers deploy the legitimate red-team tool Cobalt Strike to move laterally inside the victim's network.
Others use another legitimate red-team tool called Brute Ratel C4, built and developed since 2020 by India-based security engineer named Chetan Nayak - aka Paranoid Ninja. Like Cobalt Strike, the tool has repeatedly demonstrated its ability to bypass many types of antivirus and endpoint detection and response tools, says Palo Alto Networks' Unit 42 threat intelligence group.
Regardless of the tools employed, attackers involved in "hands on keyboard" attacks - meaning they manually employ various tools and tactics to hack a victim's systems - typically seek to elevate privileges, gain administrator-level access to Active Directory and then use that to steal files, deploy crypto-locking malware and more.
Such tactics continue to be successful, despite numerous governments' attempts to combat ransomware. But as the volume of new victims appears to remain unchanged, it's a reminder that with the massive potential profits at play, ransomware groups continue to innovate effectively while many victims remain all too ready to pay.
Or as Group-IB's Volkov says: "Ransomware is likely to remain the major threat for business and governments across the globe in 2023."