Cyble’s Q4-2022 Ransomware Analysis

A glimpse of our findings on Ransomware activity in the last Quarter

Cyble Research & Intelligence Labs (CRIL) closely monitors, tracks, and analyzes current and emerging ransomware threats across the globe. Our Q4-2022 ransomware report contains our observations around critical ransomware statistics and trends, major attacks, and common Tactics, Techniques, and Procedures (TTPs) observed last quarter.

We observed a net rise in Quarter on Quarter Ransomware activities in Q4-2022. This is in stark contrast to the drop we observed in Q3-2022. Ransomware continues to pose a formidable threat to individuals, organizations, and even governments. Our research indicates a 100 percent increase in high-net-worth companies targeted in Q4, compared to Q3-2022.  

In our Q3-2022 report, we predicted that MSMEs would be a critical target for Ransomware groups in the future. This claim was validated by our observations which indicated that multiple small-medium scale industries fell victim to supply chain attacks executed by ransomware groups. Notable examples of this include:

  • LOCKBIT ransomware group targeting multiple businesses in New Zealand after the exploitation of Mercury IT and posting the details on their leak site.
  • Play ransomware group targeted multiple Swedish entities operating in the Transportation and Logistics sector by attacking their common IT service provider.

In our Q1-2022 ransomware report, the Conti Ransomware group’s source code was leaked, which we predicted would be leveraged by new ransomware groups to carry out their activities. This prediction was also validated in Q4-2022 with the emergence of several new ransomware families, including Putin Team, BlueSky, ScareCrow, and Meow, which are all based on the leaked Conti source code, as we cover in detail in this quarter’s report.

Ransomware Activity – Q4 2022 vs Q4-2021

Prominent ransomware families have increasingly been shifting towards using Rust or GoLang-based binaries, with several new strains such as RansomEXX, Play, and Qilin adopting this trend in Q4-2022. This shift towards cross-platform languages was observed and predicted to become more common in our Q2-2022 Ransomware Report.

Some of the major findings from Q4-2022 that you can read about in our report are:

  • 594 victims were publicly disclosed by ransomware groups, with United States (US) corporations continuing to be the most affected.
  • While Services & Manufacturing sectors were the worst hit, we witnessed a significant increase in attacks on the Education sector. The BFSI sector, meanwhile, appeared more resilient toward ransomware attacks in 2022.
  • Royal ransomware dethroned LOCKBIT to become the most active ransomware group in the United States this quarter. This drop in the victim count of LOCKBIT could be attributed to the recent arrest of one of their affiliates in Canada.
  • LOCKBIT was the second most active ransomware group in the United States this quarter. However, the victim count and stature of the organizations targeted by the ransomware group has declined since July 2021.
  • We monitored several new players on the ransomware scene in Q4-2022 – Royal, Play, Qilin, Putin Team, Mallox, and Nokoyawa.
  • This quarter, multiple ransomware groups were observed adopting intermittent encryption to speed up the encryption process and evade detection.

The United States continued to be the most targeted country this quarter, followed by the UK and Canada, indicating that sophisticated Threat Actors have the capability and willingness to target high-profile organizations to extract a bigger ransom.

LOCKBIT has continued to be the most active ransomware group worldwide, despite a fall in its victim count. We have also observed their tactics shifting to target lower-profile targets such as supply chains instead of going after large organizations or Govt. entities, indicating an increased level of caution in the wake of recent Law Enforcement actions and Regulations against cybercriminal activities.

A lot of new ransomware groups are also stepping into the fore. In our earlier reports, we commented on how other TAs would leverage the leak of the Conti Ransomware group’s source code to create their own ransomware variants. We are seeing this in action now, with new players such as Royal, Putin Team, and Nokosawa also making a name for themselves in the Ransomware community.

This is just a teaser of everything you can find in our Q4-2022 ransomware report. We highly encourage you to download it to get additional, specific, actionable insights such as the geographies targeted, the industries facing disproportionate levels of Ransomware activity, and updated TTPs of known ransomware groups as they adapt to the current threat and cybersecurity landscape.

Download our Q4-2022 Ransomware Report

Scroll to Top