LockBit gang leads the way for ransomware

New research from Malwarebytes shows LockBit is far and away the most prolific ransomware gang, with hundreds of confirmed attacks across the globe in recent months.

LockBit is currently the most prolific ransomware strain in the world.

That's according to Malwarebytes' Threat Intelligence Team, which reported that from March to August, the LockBit ransomware crew amassed more confirmed infections -- 430 -- than its next four closest competitors combined.

In a blog post on Thursday, the antimalware vendor estimated that LockBit has established a steady pace of attacks, bringing in around 70 victims monthly. By comparison, the number two ransomware strain, Conti, only pulled in 127 total infections between March and the end of August, which represents less than two months of normal LockBit operation.

Malwarebytes attributed this prolific activity in part to the way LockBit approaches its ransomware attacks. Rather than try to make a name for themselves by boasting about high-profile infections against large targets, the LockBit crew has opted to remain relatively under the radar.

Without the headlines and bold claims that would put them in the spotlight, Malwarebytes believes that LockBit has avoided unwanted police and government attention that other ransomware crews draw.

As LockBit garners more attention, however, its days of moving in the shadows could be numbered. The ransomware group has claimed responsibility for some noteworthy attacks, including the recent breach at digital certificate vendor Entrust. The company has not commented on LockBit's claim and has not responded to requests for comment.

"We cannot help wondering how long that will last though," the Malwarebytes Threat Intelligence Team said of LockBit's relative anonymity. "LockBit has been the most active ransomware threat for all of 2022 and it is impossible to imagine there isn't a team of FBI agents somewhere plotting its demise."

Who needs encryption anyway?

Among the most surprising trends in the report was the start of a possible migration away from the use of data encryption by cybercriminals. Malwarebytes pointed to the rise of ransomware groups that forego the encryption process and simply extort their victims on the threat of data disclosure, suggesting that locking data away from the owner may eventually become obsolete.

"Since ransomware gangs started adopting 'big game' tactics about five years ago, the skills required for a successful attack have changed," the researchers explained.

"In a 'big game' attack the encrypting malware is a commodity -- the expertise that determines an attacker's likely success are their ability to find a target, understand its value, and then break into its network and operate undetected."

Russia's invasion of Ukraine also had significant impact on how ransomware operators are doing business. Malwarebytes noted that its researchers have seen many groups rethinking their approach to cybercrime, particularly when it comes to collecting their payouts.

"If encrypting ransomware ceases to generate significant revenue, its operators will simply pivot to other forms of attack. The pressure to do that started with improved backups triggering the switch to 'double extortion', and has increased as a result of Russia's war in Ukraine," the security vendor explained.

"Since the start of the war, ransomware gangs have found it harder to get paid because of the threat of sanctions, and one of the most high-profile gangs hasdisappeared completelyas a direct result."

In other cases, security experts may be seeing political motivations where there are none. For example, the U.S. remains the single most popular target for ransomware attacks over recent months.

While some may attribute this to the ongoing tensions between the U.S. and Russia, the Malwarebytes Threat Intelligence Team argued there are more practical reasons for cybercrime crews to look to the U.S.

"The USA continues to bear the brunt of ransomware attacks, although its preeminence likely reflects the size of its service economy and the large number of potential [victims] rather than a deliberate targeting," Malwarebytes said. "Few countries escape attention and the 175 known attacks in August spread across 43 countries as diverse as Luxembourg, Qatar and Gabon."

Dig Deeper on Threat detection and response