Ransomware Attacks Reign Supreme in 2022


Ransomware attacks reign supreme as the most prevalent type of cyberthreat for the second year in a row. Attacks involving this type of malware represented 73% of the 144 incidents investigated by Sophos’ Managed Threat Response (MTR) team in 2021 — and they don’t appear to be slowing down anytime soon.

Author: Scott Barlow, global VP of MSP and cloud alliances, Sophos

The 2022 Active Adversary Playbook details insights from the investigated incidents, including which adversaries to watch for as well as the tools and tactics they’ve honed to execute attacks. Managed service providers (MSPs) should use the report as an indicator of what to expect throughout the rest of 2022 and beyond. Considering the myriad risks ransomware poses to an organization, it’s imperative that MSPs understand the ransomware threat landscape and its evolving trends.

Your Ransomware Questions Answered

While ransomware isn’t a new phenomenon, the bad actors who execute these attacks are growing in both sophistication and number. Ransomware infections can devastate an organization, resulting in downtime, reputational damage, and network and device repair costs. These incidents also put organizations in the difficult position of deciding whether to pay the ransom or risk losing valuable data. Even if an organization does pay a ransom to retrieve its encrypted files, there is no assurance the attacker will follow through with decryption.

Unfortunately, no organization is safe from ransomware attacks. But MSPs can provide the best possible protection to customers by staying versed in the latest cybercrime trends and implementing the right security protocols and measures. Here are three points to keep in mind:

1. What Is the Impact of Ransomware as a Service?

Ransomware as a service (RaaS) has matured into a commercialized industry over the past decade. The RaaS business model has spurred the proliferation of professional ransomware gangs and operators, increasing both the frequency and severity of attacks. And as adversaries’ tactics increase in sophistication, intruder dwell times rise, providing a greater opportunity for threat actors to access an organization’s network.

The median dwell time for victims of ransomware was 11 days, which is in line with the increased involvement of initial access brokers (IABs) in attacks. As a key player in the ransomware space, an IAB uses multiple tactics to gain entry to an organization’s environment and sells access to a cybercrime group to use in its RaaS attack.

2. Who Is Behind Ransomware Attacks in 2022?

In addition to IABs, our team witnessed multiple types of groups execute attacks, including ransomware gangs, cryptominers and ransomware operators. We also saw significant activity from several notable cybercrime groups in 2021, including Conti — the most prolific group, which accounted for 18% of incidents. Additionally, REvil ransomware was responsible for nearly 10% of incidents, followed by DarkSide and Black KingDom.

We identified 41 unique ransomware adversaries across the 144 investigated incidents, with 28 groups new to the list in 2021. Additionally, 18 adversary groups present in 2020 vanished from the list this year. These changes highlight how quickly the ransomware landscape evolves — and how difficult it is for organizations to keep pace.

3. How Often Do Adversaries Successfully Exfiltrate Data?

Data exfiltration is typically the last phase of an attack before the adversary unleashes its ransomware on a victim’s network. Fifty percent of the ransomware attacks investigated in 2021 involved data exfiltration. Stolen data poses serious risks to an organization, including reputational, regulatory and financial ramifications. But there is a silver lining: the average gap between data theft and ransomware deployment was just over four days, providing a window in which defenders can stop adversaries before the malware is released.

The rise in ransomware attacks over the past several years has placed organizations at heightened risk of losing valuable data to cybercriminals. Even if an organization pays the ransom, there is no guarantee it will receive the decryption key in return — and ransom payments motivate perpetrators to target more victims. To prevent these attacks and mitigate their impact, MSPs need to stay informed about the ransomware landscape and apply that knowledge to enhancing customers’ security operations.

To learn more, download the 2022 Adversary Attack Report for a closer look at today’s cyberthreat landscape and additional insights on the ransomware attacks plaguing organizations.

Scott Barlow is VP, global MSP & cloud alliances at Sophos. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.