Despite LockBit rebound, ransomware attacks down in 2022

LockBit cybercriminals are back in action with new ransomware attacks and publicity pushes. But many other new groups saw lower levels in activity in Q3, according to Cyberint.

The resurfacing of the LockBit ransomware operation boosted attacks but couldn't keep overall activity from decreasing this year, according to new research.

Israeli cybersecurity vendor Cyberint analyzed attacks during the third quarter and found that new groups are failing to reach the attack levels of their predecessors. In the company's "Q3 Ransomware Landscape Report" earlier this month, researchers noted that the apparent closure of infamous groups like Conti contributed to the overall decline in attacks.

"During 2022, so far we have seen a consistent decline in the number of ransomware campaigns from quarter to quarter," Cyberint wrote in the report. "The reason for this decline is the disappearance of the experienced groups such as Conti, REvil and PYSA, and the birth of new, inconsistent or immature groups that are still building their own legacy and foundation.

Overall, the number of documented ransomware victims was down 15% since the second quarter and by 30% since Q1, according to Cyberint. Other security vendors have tracked similar declines in attacks this year.

Lockbit 3.0 reigns supreme

A resurgent Lockbit ransomware group dominated the threat landscape on the quarter, accounting for 37% of all attacks, up 5% from the previous quarter.

Researchers credit this to the ramping of activities from the Lockbit 3.0 operators. They were not only more active in attacking and extorting victims but also on a publicity tear to increase the group's visibility.

Along with seeking out media interviews, members of the LockBit 3.0 crew attempted a viral publicity stunt by offering followers a $1,000 reward to get the group's logo tattooed on their bodies. The campaign was reportedly so successful, administrators had to stop accepting submissions.

"Lockbit3.0 is not just a ransomware group, they want to remind all of us that they are 'the' ransomware group," Cyberint wrote in its report.

"In order to do so, they believe that being the number one group is not enough. So they also invested in becoming somewhat of a celebrity in the underground community, with PR and other gimmicks that their followers were more than happy to be part of."

Despite LockBit's best efforts to put itself front and center, overall malware levels were down. The researchers believe that this is due a gap in activity between departed ransomware crews, such as Conti, and the new crop of ransomware groups that have emerged in their place.

Cyberint noted that even with 85 ransomware variants identified, overall victim numbers continue to drop. Among the newcomers are Bianlan, IceFire and Sparta. While some of the new crews have impressed, the researchers noted that becoming established can take time, and many of the new crews are bound to fail.

"Given the competitive and sophisticated skills threat groups require in order to succeed in this field, obviously not all of them will become the next Lockbit3.0," Cyberint said.

Cyberint had not responded to inquiries from TechTarget Editorial at press time.

Dig Deeper on Threat detection and response

Enterprise Desktop
Cloud Computing