A look at ransomware this quarter.

Digital Shadows has released its report on ransomware for the third quarter (Q3) of 2022. The researchers found that ransomware decreased as a whole in Q3 2022, despite notable attacks on high-profile targets.

LockBit: a major player in the ransomware game.

Overall, LockBit activity decreased this quarter, but the group’s share of total activity increased this quarter from 32.8% to 35.1%. LockBit 3.0 has been a success for the group, despite skepticism from other threat actors. In September 2022, a leaked LockBit 3.0 builder was posted on Twitter that was alleged to come from a hacker, but LockBitSupp claimed the leak was a former developer. However, it is a legitimate builder, and Digital Shadows says this could have consequences for Q4 if other malicious actors get ahold of the builder.

What follows Conti?

Ransomware group Conti closed up its operations in June 2022. Q3 has seen the aftereffects of Conti’s dissolution, which include “competitions over Conti’s market share and a surge in new ransomware groups.” LockBit was the dominant ransomware family, but no clear family emerged to take Conti’s position as #2. Black Basta, Hive Leaks, and Alphv account for 9%, 8%, and 7% of all ransomware victims this quarter, respectively. Twelve new ransomware data leak sites were found to be created in Q3.

Ransomware for political purposes.

Digital Shadows discusses the distinction between a financially and politically motivated threat actor, and how it is becoming more and more challenging to distinguish a motive. The August 2022 ransomware attack on the Montenegrin government is used as an example of the challenge of identifying motives, as Russia was initially blamed for the attacks, when “Cuba” ransomware was the cause. The cyberattacks on Albania’s government systems, however, were attributed with high confidence to Iran’s Ministry of Intelligence and Security (MOIS), and were political in nature.