As ransomware gangs deploy new tactics, LockBit was the most active ransomware gang in the first quarter of 2022, and the healthcare industry was the hardest hit in 2021, according to two recent reports.
LockBit eclipses Conti as most active gang
LockBit disclosed 226 victims in the first quarter. The group’s largest number of victims were in manufacturing (see: Bridgestone Americas confirms ransomware attack), technology, education and the public sectors.
LockBit likes to boast that its malware StealBit, which automates data exfiltration, has the fastest and most efficient encryption among its competition, as noted by Trend Micro. LockBit is also known for aggressive affiliate recruitment and for being one of the most professional organized criminal ransomware gangs.
The most prolific ransomware groups in the first quarter after LockBit and Conti were Alphv, Hive, and Karakurt (a side operation of Conti), with more than 30 victims disclosed by each operation, the report said.
The finance sector made it into the top 5 targeted sectors in Q1, with an increase of 40% in the number of victims compared to Q4 of 2021, KELA said.
Another trend spotted by KELA: some of the top gangs were seen attacking each other’s victims. “At this point, it is unclear if the…groups are cooperating” or whether something else is happening, the report said.
“Recently, researchers found out that the Conti gang aimed to create smaller autonomous ransomware groups and collaborated with Alphv, AvosLocker, Hive and HelloKitty gangs,” KELA said.
Another notable ransomware trend: new methods of intimidation.
For example, Midas published new victims on their data leak site as merely “a new company,” carefully not mentioning the company’s name. Then, if the victim did not pay, Midas would threaten to publish the victim's name. Lorenz and Everest ransomware adopted a similar practice.
And Conti exhibited comparable tactics. “Conti’s leaked chats showed that the gang prepared hidden blog posts about victims that can be accessed only via a specific URL. The actors share this hidden blog post with a victim to intimidate them…If a victim agrees to pay, the post is never released; if the negotiation fails, the blog becomes publicly accessible, and the victim’s name is disclosed,” the report said.
These tactics give the ransomware operatives “a more extended opportunity to negotiate the ransom payment in secrecy while still maintaining a level of pressure in the form of a future data leak,” Bleeping Computer noted.
A sliver of hope
But there is some qualified good news. The total number of ransomware victims (698) dropped by 40% in Q1 2022 compared to Q4 2021 (982), KELA said. This follows a significant decrease in attacks among 6 out of 10 top actors in Q4 2021, with the largest decrease represented by Conti (which tempers the good news since Conti has a disproportional impact on the overall numbers).
And another piece of positive news: the Russia-Ukraine war did not trigger a surge in attacks.
“However, tracking ransomware blogs, their negotiation portals, and data leak sites, indicated that the total number of ransomware attacks did not increase due to the war. In fact, the number of ransomware attacks dropped significantly at the beginning of 2022, showing the same pattern of decrease in ransomware victims at the beginning of 2021.”
Healthcare under attack in 2021: most likely to pay ransom
Two-thirds (66%) of healthcare organizations were hit by ransomware in 2021, up from 34% in 2020, according to a new report from Sophos (PDF).
“This is a 94% increase over the course of a year, demonstrating that adversaries have become considerably more capable at executing the most significant attacks at scale,” Sophos said.
Healthcare is the sector most likely to pay a ransom, with 61% of respondents whose data was encrypted admitting to paying the ransom compared to the cross-sector average of 46%, according to Sophos. This number is also almost double the 34% in 2020.
Reasons include the fact that the healthcare sector had the highest increase in the volume and complexity of attacks compared to all other sectors, and healthcare’s limited preparedness in dealing with such attacks, the report said.
Other reasons could be the need for healthcare providers to restore normalcy to operations as quickly as possible, Sophos said. Also, the high costs for attack remediation – healthcare is the second highest across sectors at US$1.85M – could be pushing healthcare organizations to pay up rather than spend on remediation costs.
The rise of the ransomware-as-a-service (RaaS) model is also a contributing factor because it “extends the reach of ransomware by reducing the skill level required to create and deploy an attack,” Sophos said.
On a positive note, healthcare saw a 61% encryption rate, better than the global average of 65%, indicating that healthcare was better able to stop data encryption in a ransomware attack, Sophos said.
Despite healthcare being the sector most likely to pay a ransom, the sector paid the lowest ransom amounts. Overall, healthcare had the lowest average ransom payment (around US$197K) of all named sectors, Sophos said. “These low ransom payments are likely driven by the constrained finances of many healthcare organizations, particularly those in the public sector. They simply don’t have more money for the attackers to squeeze out of them,” the report said.