Ransomware, Content, Content

Rebranded Ransomware Crews Spike Number of Hijacking Incidents in Q4 2022

Ransomware activity increased sequentially in Q4 2022, as rebranded ransomware groups increased the number of publicly claimed victims, GuidePoint Security said in its new 2022 Ransomware Report.

Identifying Ransomware Groups

The Herndon, Virginia-based security provider’s analysis is based on data obtained from publicly available resources and includes information from the threat groups. The company said its researchers built a new taxonomy that provides for closer looks into how ransomware groups progress in their operational maturity and the ability to classify and identify potential rebranding activity.

During 2022, GuidePoint said it tracked 2,507 publicly posted victims across 54 threat groups and 40 industry verticals. As Drew Schmitt, GuidePoint’s research lead analyst, explained:

“Based on the trends over the last year, we expect to see an increase in ransomware rebranding. Vulnerabilities, emerging technologies and personal devices will continue to be heavily researched and utilized for initial intrusion into networks, with the time to weaponize vulnerabilities likely decreasing as the year progresses. Additionally, as organizations make gains in improving their security posture, we believe that ransomware groups will shift to single extortion attempts based on data exfiltration where no encryption event occurs.”

More From the Report

The report’s highlights include:

  • The biggest lull in incidents occurred in late June 2022 and early July 2022, most likely attributed to the shift from Lockbit2 to Lockbit3, although challenges in the cryptocurrency market may have also had an impact.
  • Throughout 2022, victim posting rates remained fairly consistent, no quarter saw less than 569 total victims.
  • A strong correlation between victim posting rates and the price of Bitcoin, suggesting that threat groups ramp up/down operations to maximize profits.
  • 54 groups using a double-extortion methodology, many of which are utilizing a Ransomware as a Service (RaaS) model to increase productivity and maximize revenue.
  • Every month in 2022 saw at least one new group emerge with double extortion capabilities.
  • Manufacturing was by far the most targeted industry, followed by technology, construction and healthcare.
  • The U.S. is by far the most targeted country across all ransomware groups, and Western countries made up for the vast majority (77%) of all ransomware attacks.
  • Over the course of 2022, there was at least one new ransomware group each month. The most active ransomware groups were Lockbit, Alphv, Hive, Blackbasta.
  • Despite its early exit in 2022, Conti came in 5th. Lockbit accounted for 33% of all publicly posted ransomware victims. Blackbasta didn’t enter the double extortion game until late April 2022, yet still ended 2022 as the 4th most impactful ransomware group.
  • Vice Society began 2022 with a huge spike in publicly posted victims, posting 25 victims on January 6th, however, a sharp decrease and “low and slow” approach throughout the remainder of the year led them to 6th place overall among ransomware groups.
  • Despite both getting a late start in 2022, BianLian and Royal ended up as the 7th and 8th most impactful ransomware groups of 2022, respectively.
D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.