Who is Behind Ransomware in 2022?

Even as other events push cyber attacks out of the headlines, ransomware risk hasn’t stopped growing. In a 2022 survey of IT professionals working in organisations with between 100 and 5,000 employees, about two-thirds of companies globally reported experiencing a ransomware incident recently. 

Behind today’s threat are familiar faces. Although some ransomware gangs have disappeared over the past 12 months (e.g., the Night Sky ransomware threat, which was only active for a short period of time in 2022), for the vast majority of threat actors, “retirement” ends up being little more than a rebranding exercise. Members of the notorious BlackMatter ransomware crew, which shut down its operations last year, are now suspected of being behind the new ALPHV gang. And the Russia-based REvil ransomware group (aka Sodinokibi), thought to be defunct since October 2021, has, to quote The Register, recently come back from “the bowels of the dark web.”

Few organisations are able to spot threats from these groups fast enough. On average, cybercriminals spend 11 days in a target’s network before they are found out, with detection often only happening because ransomware is launched. By automating detection, investigation, and response, security solutions like SenseOn can dramatically cut down ransomware mitigation times, stopping threats before damage happens.

Two Groups Dominate the Ransomware Threat Landscape Today

Remarkably, just two groups — Conti and LockBit 2.0 — accounted for more than half (57.8%) of all ransomware incidents in the first quarter of 2022.

Conti, the ransomware cartel behind attacks on organisations like the Health Service Executive in Ireland and the Scottish Environment Protection Agency, may have suffered a data breach of its own earlier in the year, but the group is still in business. Conti ransomware was responsible for 20% of all ransomware campaigns between January and March of this year, targeting businesses like the marketing giant RR Donnelley, electronics company (and supplier of Apple and Tesla) Delta Electronics, and famous snack producer KP Snacks. 

In April, Conti attacked Costa Rican government agencies. This attack forced the Costa Rican president Rodrigo Chaves to declare a state of national cybersecurity emergency. In response, the US is now offering a reward of up to $15 million for information on the group. 

LockBit 2.0, a ransomware-as-a-service (RaaS) gang, topped Conti, executing 38% of ransomware attacks in Q1 of 2022. Like Conti, LockBit 2.0 has had a busy April, having attacked Rio de Janeiro’s finance department systems. More recently, Top Aces, a supplier of fighter jets for airborne training exercises, reported being hit by LockBit 2.0 ransomware. LockBit 2.0 was also the most widespread ransomware strain in Q4 of 2021. The gang is perhaps best known for attempting to coax corporate employees to help them infiltrate networks in return for “millions of dollars.”

Both Conti and LockBit 2.0 exfiltrate data and publish it on their leak sites if victims ignore their ransom demands. Since the start of the year, LockBit 2.0 has exposed data on more than 200 victims. 

Other Ransomware Groups and Strains to Watch Out for

Although they are the most prominent, LockBit 2.0 and Conti are by no means the only ransomware groups organisations are up against in 2022. Other gangs (and ransomware variants) like Hive, BlackByte, Quantum, ALPHV, AvosLocker, and Onyx, to name just a few, are just as dangerous and active, often displaying no qualms about who they target.

Prevent & Limit the Impact of Ransomware with Security Automation 

When it comes to cyber threats, attribution is interesting, but defence is more important. When an attack happens, the first thing on any defender’s mind is not “where did it come from?” but “how do I make it go away?”

Although prevention-first solutions are still important, mitigating ransomware risk means rethinking cybersecurity controls. Detection-based solutions like EDR, NDR, and SIEM can help organisations detect ransomware, but they are also the leading source of a phenomenon known as alert fatigue, which leads to missed alerts and long response times.

When an attack chain is in progress, the longer it takes to find, isolate and remove a threat, the more damage is done. A few hours of delay can cause a career-ending amount of damage. In this situation, the time it takes to sort through logs from different systems can be operationally fatal. To remove the risk of this kind of nightmare scenario, security controls need to combine and automate detection, investigation, and response functions.

As a security automation platform, SenseOn integrates security tools like EDR and SIEM into a single platform, giving defenders complete visibility into what’s happening within their digital estate. Using a blend of detection methods, SenseOn identifies and correlates behaviour that deviates from what’s considered “normal” for any given organisation, surfacing only those alerts that represent genuine threats. To ensure a speedy response to critical threats, SenseOn can also automatically isolate infected devices, preventing ransomware from spreading without any human input.
