Q2 2022: Ransomware Landscape Continues Its Decline as Another Major Group Shuts Down

At the start of 2022, we published a report examining the key ways the ransomware landscape has evolved over the past two years. The retrospective offered an in-depth analysis of both the types of organizations being targeted by ransomware attacks as well as insight into the attackers themselves.

In May, we shared an update about the changes we observed in the ransomware threat ecosystem in the first quarter of 2022—in particular, the sharp decline in the number of ransomware attacks. This post explores the continuation of this trend, as well as a few other notable data points from Q2 2022.

After spiking in the last quarter of 2021, we observed a downturn in ransomware volume over the first quarter of 2022. This trend continued during the second quarter of the year, with ransomware attacks decreasing month-over-month throughout the quarter. In June 2022, we observed the smallest number of ransomware victims since January 2021.

Much of the drop in volume in the first quarter of 2022 could be attributed to the disappearance of Pysa, one of the most prolific ransomware groups over the past few years. Similarly, the drop in Q2 ransomware attacks was mainly caused by the exit of another major group from the ransomware landscape: Conti.

Similar to what we saw in Q1, most industries continued to see relief from ransomware attacks in the second quarter, as overall volume compared to the previous quarter was lower.

This included the Financial Services sector, which was the only industry to see a significant net increase in ransomware attacks during the first three months of the year. In Q2 2022, however, the number of ransomware attacks targeting financial institutions dropped by 40%, falling to the lowest quarterly volume since Q1 2021.

That being said, a few notable industries experienced the opposite trends, with increases in ransomware victims compared to the first quarter.

The Transportation industry saw the largest growth in ransomware victims, increasing 73% from the first three months of the year. Much of the increase in ransomware attacks against transportation companies was due to LockBit’s focus on the sector during the quarter. LockBit was linked to nearly half of all ransomware attacks targeting the transportation sector in Q2, while the remaining attacks were attributed to 12 other groups.

The Healthcare industry, which has long been a concerning target of ransomware attacks, also experienced a significant increase in attacks in the second quarter, growing 53% compared to Q1. Unlike the transportation industry, where the volume increase could be linked to one primary group, the rise in healthcare-targeted attacks was distributed across 18 different groups. Nearly half of these attacks were linked to one of three groups: LockBit, Karakurt, and Vice Society.

Almost all global regions saw a net decrease in the number of ransomware victims identified in those regions. The one exception was the Asia-Pacific (APAC) region, which saw a 31% overall increase in ransomware victims in the second quarter.

Interestingly, the increase of attacks in the APAC region wasn’t caused by a spike in activity against companies in a single country. Rather, the number of ransomware victims increased in numerous countries in the region—most notably in Australia, Thailand, Japan, and Taiwan.

In the rest of the world, ransomware volume remained steady. However, as we discussed in our Q1 ransomware trends post, fewer than half of ransomware victims continued to be located in North America, the historical source of a majority of organizations impacted by ransomware attacks before 2022.

The share of ransomware attacks targeting American companies also dropped below 40% for the first time. While more than half of ransomware attacks impacted organizations in the United States in 2021, attackers seem to have shifted focus to targets elsewhere in the first half of 2022.

Prior to Q2, Conti had been the second-most prolific ransomware group in the world, only trailing LockBit in number of victims. The group’s activity had already been decreasing earlier this year, dropping by 35% in the first quarter after the group experienced a massive leak of their internal communications in March, until finally shutting down in mid-May.

With Conti’s disappearance, the ransomware landscape has become even more centralized than it already was. A single group–LockBit–is now responsible for a large plurality of the day-to-day activity that’s impacting organizations around the world.

The new #2 in the ransomware scene is now ALPHV (aka BlackCat), which first appeared in December 2021, but really ramped up its operations in the first quarter of 2022. The number of attacks attributed to ALPHV, however, has not been anywhere near the volume previously seen from Conti and only comprised 9% of all attacks in the second quarter.

Moving into the third quarter, the remaining ransomware ecosystem is made up of a patchwork of relatively low-volume groups whose attacks are generally announced sporadically.

In total, we observed attacks from 29 different ransomware groups in the second quarter, which is down from 33 groups linked to attacks in Q1. This indicates that there aren’t very many new up-and-comers entering the ransomware space to replace those major groups that have left. The more notable new groups seen in Q2 included Black Basta and Quantum. Still, attacks from these groups only made up 8% and 4% of all ransomware attacks, respectively, in a dwindling landscape.

With the departure of Pysa in the first quarter of the year and now Conti in Q2 2022, it may start to feel as if organizations can relax a bit. But while ransomware attack volume has steadily declined over the first half of the year, it still remains a serious threat. Now is certainly not the time to let your guard down—especially when it comes to email security.

Malware delivered via email continues to be the initial foothold for ransomware. After the malware has enabled threat actors to compromise a corporate network, they can gain access to sensitive information that they can encrypt and hold for ransom. In short, even though it may not be the direct delivery mechanism, email is still the first point of attack—which makes securing it a business-critical initiative.

For more insight into the mechanics of ransomware and how to protect your organization, download our CISO Guide to Ransomware. And to see how Abnormal prevents ransomware attacks, request a demo of the platform today.