Lockbit Reigns Supreme as Ransomware Attacks Surge in Summer 2022
Ransomware attacks, after a period of relative calm, have re-emerged with a vengeance this summer, driven by the resurgence of established ransomware-as-a-service (RaaS) operations. Leading this charge is the Lockbit group, which has cemented its position as the most prolific threat actor, accounting for a significant portion of all observed attacks in July. Trailing Lockbit are two prominent offshoots of the now-dismantled Conti ransomware syndicate, highlighting the persistent and adaptive nature of cybercriminal organizations.
According to data meticulously compiled by NCC Group’s Monthly Threat Pulse for July 2022, the digital landscape experienced a notable uptick in ransomware activity. Researchers actively monitored the leak sites of various ransomware gangs, diligently scraping victim details as they were published. This rigorous data collection revealed that Lockbit was unequivocally the most active ransomware gang in July, responsible for 62 documented attacks. This figure represents an increase of ten attacks compared to the preceding month and more than doubles the combined total of the second and third most active groups. The report explicitly states, "Lockbit 3.0 maintains its foothold as the most threatening ransomware group, and one with which all organizations should aim to be aware of."
Following Lockbit in terms of attack volume were Hiveleaks and BlackBasta. Hiveleaks was linked to 27 attacks, while BlackBasta was associated with 24. These numbers, while lower than Lockbit’s, signify dramatic increases for both groups. Hiveleaks, in particular, witnessed an astonishing 440 percent surge in its attack numbers since June, while BlackBasta saw a substantial 50 percent rise over the same period. The close proximity in attack figures and the rapid ascent of these two groups strongly suggest a potential connection to the overall resurgence in ransomware activity.
Ransomware’s Resurgence: A Statistical Snapshot
The NCC Group’s analysis paints a clear picture of a rebounding threat. In July 2022, researchers identified a total of 198 successful ransomware campaigns, marking a significant 47 percent increase from June. While this increase is considerable, it still falls short of the peak activity observed in the spring months of March and April, when nearly 300 ransomware campaigns were recorded each month. This suggests that while the threat has intensified, it has not yet returned to its previous peak, leaving room for further escalation.
The Genesis of the Flux: Dismantling Conti and its Aftermath
The observed shift in the ransomware landscape is intrinsically linked to strategic actions taken by global law enforcement and cybersecurity agencies. A pivotal moment occurred in May 2022 when the United States government intensified its efforts against Russian cybercrime operations. The State Department announced substantial reward offers, up to $15 million, for critical information that could lead to the apprehension of co-conspirators involved in the Conti ransomware variant. At the time, Conti was considered the preeminent ransomware gang globally, and this concerted effort aimed to disrupt its operations significantly.
The report from NCC Group speculates that these actions likely prompted significant structural changes within the threat actor community. "It is likely that the threat actors that were undergoing structural changes," the authors of the report posited, "and have begun settling into their new modes of operating, resulting in their total compromises increasing in conjunction." This period of restructuring and adaptation by cybercriminal groups appears to be a primary driver behind the current surge in ransomware attacks and the rise of specific new entities.
Conti’s Legacy: Hiveleaks and BlackBasta Emerge
The direct consequence of Conti’s disruption is the emergence and rapid growth of Hiveleaks and BlackBasta. The NCC Group report explicitly notes that both groups are "associated with Conti." Hiveleaks is identified as an affiliate of the former Conti operation, meaning it leveraged Conti’s infrastructure and ransomware tools. BlackBasta, on the other hand, is described as a "replacement strain," suggesting it was developed or adopted by former Conti members as a successor to the original ransomware.
"As such, it appears that it has not taken long for Conti’s presence to filter back into the threat landscape, albeit under a new identity," the researchers observed. This indicates a remarkable ability of these sophisticated criminal enterprises to reconstitute themselves, adapt to law enforcement pressure, and continue their malicious activities under new guises. The fragmentation of Conti has not led to its demise but rather to its proliferation through these successor groups, each vying for a share of the lucrative ransomware market.
Broader Implications and the Road Ahead
The implications of this trend are far-reaching and underscore the persistent and evolving nature of cyber threats. The continued dominance of established RaaS models signifies a mature and profitable criminal ecosystem. These models allow even less technically adept individuals to participate in ransomware attacks by renting the necessary tools and infrastructure, thus widening the pool of active attackers.
The rise of Conti offshoots like Hiveleaks and BlackBasta highlights the resilience of organized cybercrime. Even when a prominent group is targeted, its members often disperse, taking their expertise and networks with them to form new operations. This makes complete eradication of such threats exceptionally challenging. The fact that these groups are rapidly increasing their attack volume suggests they have successfully established new operational frameworks and are actively seeking victims.
The NCC Group’s analysis further suggests that this trend is likely to continue. "Now that Conti’s properly split in two," the authors speculated, "it would not be surprising to see these figures further increase as we move into August." This forecast serves as a stark warning to organizations worldwide, emphasizing the critical need for robust cybersecurity defenses.
Key Trends and Analysis
- RaaS Dominance: The continued reliance on RaaS models by leading ransomware groups indicates a well-established and profitable business model for cybercriminals. This model lowers the barrier to entry for aspiring attackers and ensures a steady stream of revenue for the RaaS operators.
- Adaptability of Threat Actors: The emergence of Hiveleaks and BlackBasta from the ashes of Conti demonstrates the remarkable adaptability of cybercriminal organizations. They are capable of restructuring, rebranding, and continuing their operations even under intense pressure from law enforcement.
- Geopolitical Factors: The US government’s aggressive stance against Russian-linked cybercrime groups, exemplified by the Conti rewards, has had a direct impact on the threat landscape. However, this has not eliminated the threat but rather forced its evolution.
- The Importance of Vigilance: The rise of Lockbit and its continued high attack volume, coupled with the rapid ascent of Conti’s successors, underscores the ongoing need for organizations to maintain a high level of cybersecurity vigilance. This includes robust security measures, regular patching, employee training, and comprehensive incident response plans.
Chronology of Events (Summer 2022)
- Spring 2022: Ransomware attacks reach a high-water mark, with nearly 300 campaigns in March and April.
- May 2022: The US government offers significant rewards for information on Conti, intensifying efforts against Russian cybercrime. This action is believed to have prompted structural changes within Conti and other related groups.
- June 2022: A relative dip in ransomware activity is observed following the intensified pressure on major ransomware operations.
- July 2022: Ransomware attacks experience a significant resurgence, with a 47 percent increase from June. Lockbit emerges as the most prolific group, followed by Conti offshoots Hiveleaks and BlackBasta. Hiveleaks shows a dramatic 440 percent increase in attacks.
- August 2022 (Projected): Analysts predict a continued increase in ransomware attacks as restructured groups solidify their operations.
Recommendations for Organizations
In light of these evolving threats, cybersecurity experts widely recommend a multi-layered approach to defense. This includes:
- Robust Endpoint Protection: Implementing advanced endpoint detection and response (EDR) solutions to identify and neutralize malicious activity in real time.
- Regular Backups and Disaster Recovery: Maintaining frequent, tested, and air-gapped backups to ensure data can be restored in the event of a ransomware attack.
- Security Awareness Training: Educating employees about phishing, social engineering, and other common attack vectors to reduce the likelihood of initial compromise.
- Network Segmentation: Dividing networks into smaller, isolated segments to limit the lateral movement of attackers should a breach occur.
- Vulnerability Management: Regularly scanning for and patching vulnerabilities in software and systems to close potential entry points for attackers.
- Incident Response Planning: Developing and practicing a comprehensive incident response plan to ensure a swift and effective reaction to security incidents.
The summer of 2022 has served as a stark reminder that the threat of ransomware remains potent and dynamic. The continued dominance of groups like Lockbit and the emergence of new entities from the ruins of older operations highlight the persistent need for proactive and adaptive cybersecurity strategies to protect against these ever-evolving digital adversaries.