Construction was the most targeted sector overall with critical infrastructure affected in just over half of the attacks

After closely monitoring the most active ransomware groups in 2022, the KrakenLabs team at Outpost24 are sharing their latest report that delves deep into the significant ransomware trends, threat groups, victim profiles, and motives behind these attacks from the past year.

In total, the researchers identified 2,363 disclosed victims by various ransomware groups on Data Leak Sites (DLS) in 2022, with an estimated $450m paid in ransom by victims.

“The recent clampdown of Hive, following REvil, is a positive sign for all however organisations must ensure they keep their guards up against this constant evolving threat by prioritising cyber hygiene through regular vulnerability assessment, security testing and combining detection with threat intelligence to surface risk signals that can help prevent infection,” said Alejandro Villanueva, Threat Intel Analyst at Outpost24 and author of the report. 

The report uncovered the following findings surrounding the evolving ransomware landscape:

  • Most active ransomware groups: Existing entities like LockBit, BlackCat, Hive, and Karakurt have demonstrated exponential growth and have surpassed previous records despite the disappearance of prominent threat groups such as CONTI and the old REvil
  • Most attacked countries: From the 101 different countries that registered victims, 42% of them are from the United States. The UK second on the list followed by Canada, Germany, and France. In fact, 28% of victims were from Europe.
  • Worst offender: Last year, the ransomware group known as LockBit exhibited a significantly higher level of activity compared to other groups. They were responsible for 34% of all recorded attacks in 2022.
  • Sector most at risk: While critical infrastructure sectors accounted for just over half of the attacks perpetrated (51%), construction was the most targeted sector overall.

Further analysis by Outpost24 also revealed time periods in which the tables were turned, and ransomware groups were under DDOS (distributed denial of service) attack.

In week 35 of 2022 LockBit group claimed that they were being attacked as a consequence of leaking stolen data from Entrust, a cybersecurity company that was attacked previously by them.

Outpost24 KrakenLabs detected that not just LockBit, but many other ransomware DLSs were suffering DDOS attacks during this period. It is likely the attackers were aiming to cause disruption for the ransomware groups during the extortion process.