Ransomware Volume Drops as a Main Player Exits the Stage

Back in January, we published a two-year retrospective on how ransomware has evolved in recent years. In that report, we focused on understanding the characteristics of ransomware victims and the groups behind these attacks.

We found that, like most other cybercrime activity, ransomware attacks are industry-agnostic, since actors are more interested in making quick money than spending time identifying “ideal” victims. We also saw that the perception that ransomware groups prefer to target large enterprises is a myth. Rather, more than half of ransomware victims are small businesses. And finally, our report discussed how the ransomware landscape is highly centralized, with a majority of activity being driven by only a few groups.

Like all threats in the cyber threat landscape, ransomware will continue to evolve over time. This post builds on our prior research and looks at the changes we observed in the ransomware threat landscape in the first quarter of 2022.

At the end of 2021, we observed a significant increase in ransomware attacks, primarily due to a spike in activity from some of the more prolific groups: Conti, LockBit, and Pysa. In the first three months of 2022, however, the total number of ransomware attacks decreased by 25%, falling to a similar level we saw in the third quarter of last year. This decrease seems to be primarily caused by a big drop in attacks from Conti and, as we’ll talk about in more detail later, the disappearance of one of the top ransomware groups.

Across the board, nearly all industries saw a reprieve in the overall number of ransomware attacks targeting companies in their sector. The industry that felt the most relief in the first quarter was Retail & Wholesale, which saw a 52% decrease in attacks. This decrease means that it’s now the fourth-most targeted industry, a significant shift after spending the last two quarters as the second-most targeted sector.

The Financial Services industry was the one industry that saw the exact opposite trend in attack volume over the last quarter. While the number of attacks for almost every other industry fell, ransomware attacks targeting financial organizations increased by 35%.

Attacks against financial institutions have been on an upward trend over the past year, with the volume of attacks 75% higher than we observed in the first quarter of 2021. The main driver behind this growth appears to be an increased focus on financial institutions by LockBit, primarily on smaller accounting and insurance firms. The only other sector to see an increase in overall attacks was Government, which saw a slight 15% increase compared to the last three months of last year.

Historically, a majority of ransomware attacks have impacted organizations in North America, with a primary focus on the United States and Canada. However, In Q1 2022, less than half of ransomware attacks targeted North American companies—for the first time since we began tracking this in January 2020.

As stated in our report, over half of all ransomware attacks impacted organizations in the United States in 2021. But in the first quarter of 2022, the share of American ransomware victims dropped to just 40%.

On the other side of the coin, attacks against European targets peaked in the first quarter of the year, with more than a third of all ransomware attacks targeting European institutions—primarily driven by attacks on targets in Western Europe. The most commonly impacted countries in Europe during the quarter were the United Kingdom, Italy, Germany, France, Spain, and Switzerland.

As we’ve discussed previously, the ransomware landscape is highly centralized, with a few main groups driving most of the activity. In fact, nearly half of all ransomware attacks in the first quarter of the year were linked to just two groups: LockBit and Conti. But the number of attacks linked to Conti, which experienced a massive leak of their internal communications in March, dropped by 35% compared to the last three months of 2021.

One of the most notable changes to the ransomware landscape in the first three months of the year was the disappearance of the Pysa ransomware group. Throughout 2021, Pysa was the third-most prolific ransomware group; however, the group hasn’t announced any new victims since early December and their dark web blog went offline in February.

In the past, we’ve seen a number of major ransomware groups, like Maze, REvil, or Avaddon, vanish from the ransomware scene. Sometimes these groups re-emerge under a new “brand,” like when Maze rebranded as Egregor or DarkSide renamed itself BlackMatter. Time will tell whether we’ll see Pysa again under a new pseudonym.

But never fear, ransomware is not going away. The first quarter of 2022 saw the emergence of two new impactful groups to the ransomware scene: ALPHV and Stormous.

ALPHV, which has also been known as BlackCat, initially appeared in December 2021, but really ramped up their operations in the first part of the year. The distribution of ALPHV’s victims is largely representative of global ransomware characteristics; however, the median annual revenue of companies impacted by ALPHV attacks was $57 million, compared to just $31 million for ransomware victims globally. This may indicate ALPHV has a potential preference for exploiting larger enterprise targets.

Stormous emerged in January 2022 and quickly became the fourth-most active ransomware group. Stormous is different from most other ransomware groups in that it primarily announces its victims via a Telegram group rather than a blog on the dark web, though the group did stand up a dark web presence at the end of March.

Rather than explicitly holding the data for ransom, sometimes Stormous offers victim data for sale or simply dumps victim data freely. Combined with the statement on their dark website that references their preference for targeting companies in certain countries, primarily the United States, Ukraine, and India, Stormous may be more appropriately defined as something closer to a hacktivist group rather than a pure ransomware group.

If our research shows anything, it’s that the ransomware landscape has changed significantly in recent years. Rather than ransomware payloads being delivered directly via email, today's ransomware is often deployed using previously established corporate network access. In most cases, this initial foothold is established using other types of malware that are delivered using email.

Once this first payload has been delivered, an adversary can deploy additional malware to gain access to the company network, which they can then exploit to gain access to critical information they can encrypt and hold for ransom. So while email may not be the direct delivery mechanism for ransomware, it is still the first point of attack—and one that your organization needs to defend.

Abnormal protects customers against these first-stage attacks, preventing cybercriminals from gaining that initial foothold inside their corporate network that could result in future ransomware infections. So whether you’re receiving a malicious file or something far more sinister, Abnormal ensures that your organization is protected from all types of attacks.