© 2023 CyberNews - Latest tech news, product reviews, and analyses.


Ransomware in 2022: LockBit continues to dominate, Hive targets critical infrastructure


LockBit remained the most prolific ransomware group through 2022, while Hive is keen to choose targets that other actors avoid, new research into last year’s most active and impactful ransomware groups by Trustwave SpiderLabs shows.

SpiderLabs, Trustwave’s security team of ethical hackers, forensic investigators and researchers, says in the report that ransomware continued to be a major threat in 2022 – the average cost of an attack ranged from $570k to $812k for just the ransom alone.

LockBit, the king

No surprises at the top of the list – LockBit is still the most prominent ransomware group that simply dominates the space.

“They utilize high payments for recruiting experienced malicious actors, purchasing new exploits, and even running their own bug bounty program with high paying bounties, a first for a ransomware group,” the report says.

LockBit’s activity accounted for around 44% of successful ransomware attacks in 2022. What’s more, the group recently developed LockBit 3.0, and it will help them execute even more damaging strikes in 2023.

“The updated version, released June 2022, includes additional features that have the capability to automate permission elevation, disable Windows Defender, a "safe-mode" to bypass installed Antivirus, and the ability to encrypt Windows systems with two different ransomware strains to decrease the chance of decryption from a third party,” SpiderLabs researchers say.

However, there are setbacks. At the end of 2022, Canadian authorities arrested Mikhail Vasiliev, a Russian national suspected of having ties with LockBit – he is awaiting extradition to the US.

Of course, as Cybernews noted, individual arrests are unlikely to shake the foundations of a big ransomware group such as LockBit.

That’s why news from Japan might be even more important: the country’s National Police Agency has been successfully decrypting networks attacked with the LockBit ransomware, helping companies recover data without paying the attackers.

Black Basta, the newbie

Trustwave SpiderLabs also reports on one of the newest ransomware groups, Black Basta. It allegedly has ties to other groups, such as Conti, REvil, and FIN7.

“With potentially experienced members, the group was able to publish over 20 organizations to its name-and-shame blog within the first two weeks of the group being identified in April 2022,” the report says.

“Since the initial identification of the group, they compromised over 90 organizations as of September 2022 with no sign of slowing down.”

According to SpiderLabs, Black Basta has had “unprecedented success” for how long it has been around when compared to other ransomware groups. A couple of factors are probably at play.


First, the group does not publicly recruit affiliates and only collaborates with actors it has previous experience with. That is feasible because, SpiderLabs says, Black Basta has been assessed to have been formed from members of other successful groups.

“Additionally, the group outsources their capabilities. Utilizing established tools, such as QakBot and Cobalt Strike, or network access brokers, causes the group to have a high success rate once inside a victim's environment,” the report notes.

Black Basta is primarily targeting the industrial, retail, and real-estate sectors across the United States and rich European countries, such as Germany and the Netherlands.

Hive, the immoral one

Hive is another newer ransomware gang, but it is already considered to be one of the top three most active ransomware groups since arriving on the scene around June 2021.

Like LockBit, Hive operates through an affiliate ransomware-as-a-service (RaaS) model which has proven to be effective: the group recorded around 9% of reported ransomware attacks in the third quarter of 2022, according to Intel471.

Hive has been busy attacking, for instance, electric utilities in India, hospitals in America, and a major gas station network in Romania. Trustwave SpiderLabs researchers call Hive “a very dangerous group” precisely because of the way the actor chooses targets.

For example, some ransomware groups will avoid attacking critical infrastructure – for moral reasons, or to draw less attention from law enforcement agencies. LockBit has even issued a formal apology for a cyberattack on a children’s hospital in Canada.

LockBit apologized publicly for a cyberattack on a hospital in Canada. Image by Cybernews.

“Hive on the other hand, does not care. The group has targeted as many as 125 healthcare organizations as of March 2022. This may show that the group intends to just do harm to these organizations, be it through fines for breaching data regulations, disruption of services, or the payment of a ransom,” SpiderLabs researchers claim.

The healthcare, energy, and agricultural sectors accounted for 21% of the victims infected with Hive in the third quarter of 2022. Numbers for other similar groups are much lower, and “this shows Hive’s willingness to attack sectors that others may pass”, the report says.

What’s ahead?

SpiderLabs researchers finally repeat the well-known mantra: ransomware groups continue to develop new techniques, just as cybersecurity researchers do on their end. Moreover, “these groups will continue to develop if the attacks continue to be successful” – and they are.

“With an average of 1 out of every 40 organizations being hit by ransomware, it is clear there is a need for proactive identification of potential threats so they can be mitigated properly before costing an organization an average of $4,540,000 in the event of a full-blown ransom,” the report warns.

According to its authors, it’s important to identify a threat as early as possible and mitigate the damage. Being late usually means big losses: on average, it takes 22 days of recovery to bounce back after a ransomware attack.

