© 2023 CyberNews - Latest tech news,
product reviews, and analyses.


Most dangerous ransomware groups of 2022

Over the last year, gangs have dissolved and reformed, but one thing's for certain – they keep coming back.

Despite all efforts, the problem of ransomware continues to grow, with a recent report from cloud security firm Zscaler recording an 80% increase in ransomware attacks year-on-year.

Major trends included double extortion, supply chain attacks, ransomware-as-a-service, ransomware rebranding, and geopolitically-motivated attacks.

And while the notorious ransomware group Conti finally bowed out this year, its members have only moved on, with new gangs forming and reforming.

So which groups are the ones to watch out for in 2023? We take a look at some of the most significant players.


LockBit

LockBit has been around since 2019, operating as a ransomware-as-a-service (RaaS) group. According to GuidePoint Security, it's by far the most prolific ransomware group, accounting for more than four in ten of all publicly posted ransomware victims. It's believed to be headquartered in Russia.

The latest variant, LockBit 3.0, launched in June and hit 41 countries this quarter, according to Intel 471, mainly targeting professional services and consulting; manufacturing; consumer and industrial products; and the real estate sector.

It features new encryptors built on the BlackMatter source code, along with new extortion strategies.

And meanwhile, in an extraordinary move, LockBit has launched its own bug bounty program, offering up to $1 million for the discovery of vulnerabilities in its malware, victim-shaming sites, Tor network, or messaging service.

Black Basta

Black Basta made its first appearance in spring this year, and hit at least 20 companies in its first two weeks. The group's believed to be made up of members of the now-defunct Conti and REvil gangs.

It's currently engaged in a campaign using QakBot malware, a banking trojan used to steal victims’ financial data, including browser information, keystrokes, and credentials.

Black Basta is believed to have hit around 50 organizations in the US during the last quarter, including the American Dental Association (ADA) and Canadian food retail company Sobeys. More than half its targets have been in the US.


Hive

The third most active ransomware group this year, Hive focuses on the industrial sector, along with healthcare, energy and agricultural organizations. According to the FBI, it's hit 1,300 companies worldwide, particularly in the healthcare sector, netting around $100 million in ransom payments.

In recent weeks, the group has claimed responsibility for an attack on Tata Power, which ended with the company's data leaked online, as well as attacks on several colleges in the US.

Another very professional outfit, Hive is believed to collaborate with other ransomware groups and runs its own customer service, help desk, and sales departments. It also goes in for so-called triple extortion, stealing data, threatening to leak it, and blackmailing victims.


ALPHV/BlackCat

One of the more sophisticated and flexible ransomware packages, based on the Rust programming language, ALPHV/BlackCat has been around for about a year. The group is believed to be made up of ex-members of the REvil gang, and to be connected to the BlackMatter and DarkSide groups.

Another RaaS operator, its main tactic is to exploit known security flaws or vulnerable account credentials and then launch DDoS attacks to pressure the victim to pay up. It exposes stolen data through its own search engine.

Targets have included critical infrastructure organizations, including airports, fuel pipeline operators, and oil refineries – as well as the US Department of Defense.

Ransom demands run into the millions – and, even when the victim pays up, the group doesn't always hand over the promised decryption tools.


BianLian

Another relatively new player, BianLian has targeted organizations in Australia, North America, and the UK. It is rapidly bringing new command-and-control (C&C) servers online – indicating, says cybersecurity firm Redacted, that it may be planning a big increase in activity.

Like many other ransomware programs, BianLian is based on the Go language, giving it high flexibility.

According to Redacted, the group appears to be made up of relatively inexperienced players, with signs that they're new to the practical business aspects of ransomware and associated logistics. The group's wide range of targets indicates that it's motivated by money rather than any political considerations.

Other new groups

The world of ransomware is constantly in flux, and several groups have rebranded – DarkSide is now BlackMatter, DoppelPaymer has become Grief, and Rook has rebranded as Pandora.

Meanwhile, new groups that have emerged over the last year include Mindware, Cheers, RansomHouse, and DarkAngels.

And, worryingly, there are signs that REvil may be set for a return, with Australian private health insurer Medibank recently hacked by the Russian-linked group.
