Most active, impactful ransomware groups of 2022, and incoming threats in 2023.

Thursday morning Trustwave SpiderLabs released a roundup report of what they’ve assessed as the most active threat groups within the ransomware space last year.

LockBit.

LockBit is said by the researchers to be the most prominent ransomware group of 2022. The group uses high payments to recruit well-versed malicious actors, purchase exploits, and run a bug bounty program. The newest version of the group’s ransomware, LockBit 3.0, saw its release in June of last year. Additional features added to the update, such as the ability to “automate permission elevation, disable Windows Defender, a "safe mode" to bypass installed Antivirus, and the ability to encrypt Windows systems with two different ransomware strains to decrease the chance of decryption from a third party” has allowed for the group to account for approximately 44% of successful ransomware attacks in 2022, according to a report from Infosecurity Magazine.

Black Basta.

Black Basta, a newer ransomware group with alleged ties to the Conti, REvil, and Fin7 gangs, has seen what Trustwave is calling “unprecedented success” in its short time of activity. “[T]he group was able to publish more than 20 organizations to its name-and-shame blog within the first two weeks of the group being identified in April 2022, according to Intel471,” Trustwave says, continuing on to say that 90 organizations have been compromised by the group as of September 2022. The group’s use of established tools, such as QakBot and Cobalt Strike, as well as its lack of affiliate recruiting, and rather, most likely collaboration with previously associated actors, can be potential factors that drive the group’s success.

Hive.

Another newer ransomware group, Hive, made the list. Coming to light in June 2021, the group uses an affiliate ransomware-as-a-service (RaaS) model, and has accounted for around 9% of reported ransomware attacks in Q3 2022. The group also replaced its ransomware in 2022, changing the language from GoLang to Rust, which provided advantages such as “deep control over low-level resources, variety of cryptographic libraries, and it is more difficult to reverse-engineer.” The group is noted to be dangerous, as it targets sectors not usually targeted by ransomware groups like healthcare, energy, and agriculture, which were found to be the sectors of 21% of the victims infected with Hive ransomware in the third quarter of 2022.

BlackCat/ALPHV.

Making its appearance first in late 2021, ransomware group BlackCat, or ALPHV, rounds out the bottom of the list. Found by Intel 471 to be responsible for about 6.5% of the total reported ransomware cases during Q2 and Q3 2022, the group is smaller than the others listed, but has made a name for itself in development of a search function for indexed stolen data in July 2022. LockBit followed suit, making a lighter version of the tool for themselves. The FBI also reports that the group was the first to successfully utilize Rust for ransomware purposes. “ALPHV’s ability to develop capabilities and functionality that are quickly adopted by other threat actors most likely indicates that its members are most likely ransomware veterans and there are indications the group was linked to the infamous Darkside and BlackMatter gangs,” Trustwave reports.

Added at 1:00 PM ET, January 6th, 2023.

Also on Thursday FortiGuard Labs released their first Ransomware Roundup of 2023, detailing variants that they've observed gaining traction as the year begins.

Monti.

Researchers describe the relatively new ransomware as primarily functioning to encrypt files on Linux systems, though potential variants that impact Windows systems have been reported. The files impacted by the Monti ransomware have a ".puuuk” extension, and drops a Conti-esque “README.txt” ransom note. The malicious actor behind the ransomware is also said to operate two distinct TOR sites; "one for hosting data stolen from victims and another for ransom negotiation," FortiGuard reports. While the data leak site does not list any victims, it has what FortiGuard researchers aptly described as a "provocative message," saying affected victim(s) were "good customer[s]" this year, with the exception of "company from Argentina".

BlackHunt.

New variants of the relatively new BlackHunt ransomware have been observed, and reportedly "access victims’ networks through vulnerable Remote Desktop Protocol (RDP) configurations."

"Files encrypted by BlackHunt ransomware can be identified with the following filename pattern: [unique ID assigned to each compromised machine].[contact email address].Black," FortiGuard says. "The ransomware also deletes shadow copies, which makes file recovery difficult. The ransomware also drops two ransom notes: one is titled '#BlackHunt_ReadMe.hta' and the other is '#BlackHunt_ReadMe.txt'." The dropped notes contain different contact email addresses and victim IDs, with a link to a TOR site that is no longer in operation.

Putin.

Putin ransomware has been seen to encrypt files on the machines of victims, and then make an effort to "extort money for decrypting those files and not leaking stolen data to the public," the roundup says. The encrypted files impacted have a ".PUTIN” extension. The ransomware, like others, drops a “README.txt” ransom note containing threats of no recovery of the files if the ransom is not paid within two days. The ransom note also contains two Telegram channels, "one for negotiating ransom payment with the Putin ransomware gang and another for releasing data stolen from the victims." The date of the posts on the leak channel only go back as far as November of last year, and lists only a company in Singapore and another in Spain.