The state of ransomware in 2022

Egress | 30th Aug 2022

According to a recent report released by IBM, ransomware was the top security threat faced by IBM's team of hackers, responders, researchers, and analysts in 2021. 

The end of 2021, in particular, saw a spike in ransomware attacks. Attack volume dipped slightly at the beginning of 2022, largely because one of the top ransomware groups disappeared from the scene and because attacks by Conti fell significantly. Conti is a human-operated "double extortion" operation: it steals data, encrypts it, and then threatens to publish the stolen copy if the ransom is not paid.

In this article, we’ll cover the state of ransomware in 2022 and outline some of the key events that have taken place in the first half of the year. 

A small number of groups are responsible for the majority of ransomware attacks

Research shows that over half of all ransomware attacks that have taken place since 2021 were carried out by just five groups – Conti, LockBit, Pysa, REvil, and Maze/Egregor. In Q1 2022, Conti and LockBit accounted for almost 50% of ransomware attack volume. 

Most of the malicious activity is driven by a small number of threat groups, but the line-up changes rapidly. Whenever one of the major groups leaves the scene, another quickly emerges to take its place, and these new groups are often made up of former members of groups that have disbanded.

Email is still typically the first point of attack. However, it is becoming increasingly common for attackers to deploy ransomware through corporate network access that was established earlier, whether bought from an access broker or obtained in a previous intrusion. Once inside the network, the group locates critical information, steals a copy, and then encrypts the originals and holds them for ransom, leaving the company unable to operate.

The US remains the prime target for ransomware attacks

Most ransomware attacks over the past couple of years have focused on North America or Western Europe. In Q1 2022, 38.5% of all organizations posted to ransomware data-leak websites were located in the US. This is likely a result of the country’s perceived wealth, combined with the success of ransomware groups receiving payments from US companies in past attacks. 

However, this could be about to change, as US policy has begun to shift towards prevention. In April 2022, North Carolina became the first US state to prohibit public entities from paying ransoms. The law also prohibits public entities from communicating with threat actors in response to ransomware incidents. Instead, any public entity in North Carolina that falls victim to a ransomware attack must contact the North Carolina Department of Information Technology.

In June, Florida followed suit and prohibited state agencies from paying or communicating with threat actors. 

Costa Rica became the first country to declare a national emergency in response to a ransomware attack

The US is not the only target. In April 2022, Conti launched a major cyberattack against nearly 30 institutions of the government of Costa Rica. The affected institutions included the Ministry of Finance, the Ministry of Labor and Social Security, and the Ministry of Science, Innovation, Technology and Telecommunications (MICITT).

The attack left online tax collection, public healthcare, and the pay of some public sector workers crippled. Conti offered to return the government data in exchange for up to $20 million. However, the government refused to pay the ransom. 

When Rodrigo Chaves began his four-year term as president on May 8, he immediately declared a “national emergency” as a result of the cyberattacks. This was a significant event, as it marked the first time that a country had declared a national emergency in response to a cyberattack. 

Costa Rica is now recovering from the attack, but a significant amount of important data has been lost. Many of the government's systems have been restored, but some have had to be rebuilt from scratch, a process that can take months or years.

The ransomware arms race between attackers, defenders, and governments continues

By the end of June, both Conti’s public-facing website and its dark-web negotiations website had been shut down. 

Shmuel Gihon, a security researcher at Israel-based Cyberint, told the Financial Times that “Conti in Costa Rica was somewhat of a desperate last try to gain any sort of title, some buzz around their actions”. 

However, there is increasing evidence that Conti has merely rebranded itself as several new ransomware groups. One of these is Black Basta, a group that first emerged in April 2022. By the end of June, it was already thought to have hit almost 50 organizations.

The state of ransomware will continue to develop rapidly, and it is likely that we will see further major changes throughout the rest of 2022.