The number of ransomware attacks observed over the previous three months declined compared to the previous quarter, according to reports from two threat intelligence companies.
However, the gap left by the Conti gang has been filled by other players, with LockBit cementing itself in the top position and likely to serve as a future source for ransomware spin-offs.
From July to September, security firm Intel 471 counted 455 attacks from 27 ransomware variants, with LockBit 3.0 being responsible for 192 of them (42 per cent). Meanwhile, security firm Digital Shadows tracked around 600 ransomware victims over the same time period, with LockBit accounting for 35 per cent of them.
The US was the most impacted country and the industrial goods and services sector was the most targeted sector, which is concerning giving its importance to critical infrastructure. What’s more, the number of politically motivated data extortion attacks have increased over the previous quarter and some of them are believed to be coordinated by state-sponsored actors.
LockBit capitalises on Conti shutdown
Since its launch in 2019, Conti grew to become the most prolific ransomware gang at the start of 2022.
However, a series of missteps by its operators – publicly supporting Russia’s invasion of Ukraine, launching a major attack on the Costa Rican government that prompted the US State Department to put up a reward of $10 million for information about its leaders, and suffering a major leak of its internal communications and operational details – led to the gang disbanding in May.
Whether Conti is completely gone or just rebranded under different names is still up for debate, with ransomware operation Black Basta and data extortion group Karakurt Hacking Team believed by some researchers to be spin-offs of the gang.
What’s clear is that after Conti shut down its operations in May, its affiliates – the individuals or groups who perform the intrusion and ransomware distribution for a cut of the ransom payments – started joining other players from the ransomware-as-a-service (RaaS) market. The top beneficiary of that migration of cybercriminal talent seems to have been LockBit.
The LockBit RaaS operation has existed for almost as long as Conti, but has been overshadowed by other groups like Maze and Ryuk during its first two years of operation. Over time, its creators have made significant improvements to the code, culminating with the release of version 3.0 of its ransomware and affiliate programs in June.
While LockBit 3.0 has been the leading ransomware strain in the third quarter, it remains to be seen if this will continue to be the case because in September someone leaked internal details about LockBit affiliate program, the builder for the ransomware, and information about its supposed leader.
This was likely done to damage the program’s reputation in cybercrime circles and the leak has indeed sparked conversations on underground forums about the gang’s operational security.
“This incident has the potential to further decrease the amount of LockBit breaches in the fourth quarter of 2022,” Intel 471 researchers said in their report.
“The syndicate likely will need to focus attention on modifying the ransomware’s code and the groups’ tactics, techniques, and procedures (TTPs), as well as implementing more operational security (OPSEC) measures. It is likely actors may use the LockBit source code as foundation to build other ransomware programs.”
Researchers from Digital Shadows agree in their report that regardless of whoever the source of the leak was, the incident could at the very least lead to other groups weaponising the LockBit 3.0 builder.
Conti’s shadow is not far behind
The ransomware strain responsible for the second largest number of victims in Q3 after Conti has been Black Basta with 11 per cent according to Intel 471 and nine per cent according to Digital Shadows. The top five was completed by two ransomware strains called Hive and ALPHV in the telemetry of both companies.
There are rumours that both Black Basta and Hive are related to Conti and while this is not confirmed, the evidence is stronger in Black Basta’s case.
“We previously reported with a low to moderate degree of confidence that the Black Basta RaaS was launched by the actor tramp, a Conti ransomware affiliate,” the Intel 471 researchers said. “The actor likely continued to use Conti’s TTPs to operate the Black Basta ransomware following Conti’s dissolution.”
The Black Basta affiliates usually go for highly profitable organisations and based on Intel 471’s data, the group’s victims were based in eight countries during Q3 compared to 11 in Q2. This could suggest the group is refocusing its efforts on the more developed markets, particularly the US, where two-thirds of Black Basta’s Q3 victims were based.
Hive is even more restricted in its focus, with an alleged Hive operator disclosing in August that the group’s affiliates target primarily organisations from Australia, Canada, the UK, and the US.
“Actors deploying the Hive ransomware often leveraged phishing campaigns to provide initial access and distribute their malware,” the Intel 471 researchers said.
“Most of these phishing campaigns are drafted in the English language, which narrows the target set but allows actors to refine their product and tailor social-engineering campaigns to a focused audience. This likely reduces resource expenditure and increases the chance of success.”
The ALPHV RaaS affiliates seem to instead favor vulnerabilities and exploits to obtain access to large organisations. The alleged leader of the ALPHV RaaS operation claimed in September that the group has targeted airports, fuel pipeline operators, gas stations, oil refineries, and other critical infrastructure since the affiliate program was launched.
This is hard to verify as not all victims of a ransomware operation are public, but based on Intel 471’s data during Q3 the sectors most impacted by ALPHV were real estate, professional services and consulting, consumer and industrial products, and technology.
Other notable ransomware variants responsible for attacks in Q3 include AvosLocker, Vice Society, STORMOUS, Bianlian, Medusa, Ransomhouse, Quantum and LV. Intel 471 researchers have also observed some new RaaS programs appearing and being advertised on underground forums during the last quarter including Monster, Solidbit, and Garyk.
Meanwhile, researchers from Digital Shadows observed 12 new ransomware data-leak sites being launched, including by new groups, raising the number of such sites that the company tracks to 97, of which 44 are active.
However, not all ransomware groups maintain date leak sites or engage in this form of double extortion, which involves the theft of sensitive data and the threat of releasing or selling it on top of encrypting it with ransomware programs. On the other hand, groups like Karakurt – also believed to be related to Conti – exclusively engage in data leak extortion and don’t use ransomware.
“At the end of last quarter, we hypothesised that we would see a rush of new groups led by former Conti members,” the Digital Shadows researchers said. “It is unclear if these new groups have direct leaks to Conti. However, whether these new groups have links to Conti or not, they were likely launched opportunistically to fill the market gap left by Conti."
The top countries targeted by ransomware in Q3 according to Digital Shadows were the US, France, Spain, the UK, Germany, and Italy. According to Intel 471, the top four were the US, France, the UK, and Italy.
The two companies split industry sectors somewhat differently, but among the most targeted ones were industrial goods and services, industrial and consumer products, technology, construction and materials, manufacturing, professional services and consulting, travel and leisure, and public services.