2022 marked another year in which ransomware proved to be one of the most pernicious cyberthreats around the world. Targeting victims both large and small, ransomware gangs showed that they could still wreak havoc despite efforts by law enforcement and governments to crack down on them.
SEE: Use this security incident response policy from TechRepublic Premium.
Though a variety of these criminal groups litter the cyberspace landscape, a few were especially dangerous and destructive in their ransomware attacks throughout the year. Here are four of those ransomware groups.
Jump to:
ALPHV, a.k.a. BlackCat, specializes in ransomware as a service, through which it offers the necessary malware and infrastructure to affiliates who then carry out the actual attacks. Though seemingly new to the ransomware landscape, having surfaced in 2021, ALPHV is reportedly connected to the BlackMatter/DarkSide group responsible for the infamous ransomware attack against Colonial Pipeline in 2021.
Infiltrating its victims by exploiting known security flaws or vulnerable account credentials, ALPHV pressures organizations to pay the ransom by launching distributed denial-of-service attacks against them. The group also likes to expose stolen files publicly through a search engine for the data leaks of its victims.
ALPHV targets public and nonprofit organizations as well as large corporations, according to Brad Crompton, director of intelligence at cyber threat intelligence provider Intel 471.
During the third quarter of 2022, this ransomware variant hit 30 organizations, impacting real estate businesses, professional services and consulting firms, consumer and industrial product makers, and technology companies. In September, ALPHV took credit for attacking airports, fuel pipeline operators, gas stations, oil refineries and other critical infrastructure providers.
Appearing in April 2022, RaaS group Black Basta reportedly comprises former members of the Conti and REvil ransomware gangs, with which it shares similar tactics, techniques and procedures. Boasting highly skilled and experienced group and affiliate members, Black Basta increasingly gains access to organizations by exploiting unpatched security vulnerabilities and publicly available source code, Crompton said.
Black Basta often relies on double extortion techniques, threatening to publicly leak the stolen data unless the ransom is paid. The group also deploys DDoS attacks to convince its victims to pay the ransom.
In some cases, Black Basta members have demanded millions of dollars from their victims to keep the stolen data private.
Ransomware attacks stemming from Black Basta hit 50 organizations in the third quarter of 2022, according to Intel 471. The sectors most impacted by these ransomware attacks included consumer and industrial products, professional services and consulting, technology and media, and life sciences and healthcare.
Among different countries, the U.S. was the group’s biggest target for the quarter, with 62% of all reported attacks.
Springing up in early 2022, Hive quickly earned a name for itself as one of the most active ransomware groups. The number of attacks from this gang alone jumped by 188% from February to March in 2022, according to NCC’s March Cyber Threat Pulse report. This ransomware variant was also one of the top four most observed during the third quarter of the year, Intel 471 said.
The group is fast, allegedly encrypting anywhere from hundreds of megabytes to more than four gigabytes of data per minute. To help carry out its attacks, Hive hires penetration testers, access brokers and threat actors, Crompton said.
In August 2022, an alleged operator of the Hive ransomware reported using phishing emails as the initial attack vector.
Traditionally focused on the industrial sector, Hive has also targeted academic and educational services as well as sciences and healthcare companies, along with energy, resources and agriculture businesses. In the third quarter of 2022, the Hive ransomware hit 15 countries, with the U.S. and the U.K. as the top two targets, respectively.
With 192 attacks in the third quarter of 2022, the LockBit 3.0 ransomware continued its reign as the most prominent variant of the year, according to Intel 471. First announced in the second quarter of 2022, the LockBit 3.0 variant reportedly included an updated data leak blog, a bug bounty program and new features in the ransomware itself.
The bug bounty concept was a first for ransomware groups, with LockBit offering as much as $1 million for anyone who discovered vulnerabilities in the gang’s malware, its victim shaming sites, its Tor network and its messaging service, Intel 471 reported.
Unlike other ransomware groups, LockBit reportedly prefers low-profile attacks and tries to avoid generating headlines, Crompton said. The gang is always evolving and adapting its TTPs and software. LockBit also runs a proprietary information stealer called StealBit. Instead of acting as a typical information stealer that grabs data from browsers, StealBit is a file grabber that quickly clones files from the victim’s network to LockBit-controlled infrastructure in a short period of time.
The LockBit 3.0 variant has impacted 41 countries, with the U.S. as the top target, followed by France, Italy, Taiwan and Canada. The sectors most impacted by LockBit were professional services and consulting, manufacturing, consumer and industrial products and real estate.
“There are numerous reasons why these ransomware groups are dangerous in their own right,” Crompton told TechRepublic. “Generally speaking, these groups have good malware with good infrastructure, experienced negotiation teams and custom-made tools that make ransomware attacks more straightforward, in turn attracting more affiliates to their groups.”
To help organizations better protect themselves, Crompton shares the following tips:
SEE: Learn more about how to protect your organization from ransomware attacks.