The ransomware industry saw some downturns during the 2nd quarter of 2022, but even the fall of Conti, one of the most nefarious gangs out there, did not set threat actor groups back.
“Even with a war raging in Ukraine – the biggest global cyber threat we still face is ransomware,” Lindy Cameron, the CEO of the National Cyber Security Center, said during her speech at Tel Aviv Cyber week.
Increase or a decline?
A recent report by cybersecurity company Cyberint showed an approximate 10% decrease in attacks across all ransomware groups compared to the 1st quarter.
However, threat intelligence firm Digital Shadows stated that the attack count increased by 21%.
While the results differ, senior analysts of both companies recorded a similar number of attacks during the quarter: Cyberint identified 709 victims, while Digital Shadows identified 705.
In fact, Cyberint is far from being the first one to report a decline in ransomware. In May, Rob Joyce, the director of cybersecurity at the National Security Agency (NSA), said that the number of ransomware attacks plummeted due to sanctions against Russia.
Needless to say, the industry is not backing down, especially with veteran gangs upgrading and new groups joining.
The fall of Conti
The highlight of this quarter was the fall of Conti and its final throes. “The most significant ransomware incident was performed by the Conti ransomware group. The attack took place in Costa Rica, started in April, and lasted for several weeks,” the senior analysts of Cyberint told Cybernews. They also noted that this was the first time a ransomware group disrupted and affected residents and the government daily for a few months.
However, Conti made the headlines back in February when its files were leaked to the public by a Ukrainian researcher, and the leak took a toll on the ransomware group’s activities.
“After a significant Q1, being only second to LockBit while infecting 127 victims, the group dropped to fourth place in victim count as they had only 45 victims in Q2, as the last victim was in May,” Cyberint’s senior analysts revealed.
Conti shut down its operations at the end of May and its data leak site at the end of June. Cyberint’s analysts say it may not be over: “Ransomware groups work as agile units and keep rotating every once in a while; the death of Conti could only be the rebirth of multiple new sub-groups, which will deploy new techniques and procedures for gaining new victims.”
While Conti retires, one of its biggest competitors, LockBit, has introduced a revamped operation called “LockBit 3.0” that involves a bug bounty program. As the Cyberint report notes, although the group did not have as many victims as seen in the 1st quarter of 2022, it is still the market-leading ransomware gang.
Second after LockBit in terms of ransomware activities is BlackCat, a ransomware gang that is a rebrand of the DarkSide/BlackMatter groups. The execution of their attacks differs based on the gang members that deploy it, but the end goal to extort data is the same. The history of DarkSide/BlackMatter and their shutdowns after attacking critical infrastructure gives food for thought about whether history is going to repeat itself.
Additionally, the Karakurt ransomware group launched an onion-based leaking platform. Cyberint’s data revealed that it currently holds 34 victims. The report states that if the gang’s activities continue at the same rate as during this quarter, they may become “one of the rising threats” of the upcoming quarter.
Although the 2nd quarter showed a small decrease in ransomware gang attacks, that is no reason to let one's guard down. The market is also introducing newcomers, such as Black Basta, which attacked at least 26 victims within one month of its emergence. Industry Spy also introduced a data extortion marketplace and later launched its ransomware operations.
While the fall of Conti is significant, considering they were the 4th most active group during this period according to Cyberint’s data, the comeback of Karakurt and LockBit’s upgrade do not signal a decrease in attacks next quarter.
Cyberint researchers do not believe that the ransomware gang era is nearing the end. It is more likely that groups spent this quarter developing their infrastructure, making the 2nd quarter of this year only a pre-storm period.