Q3 2022: Ransomware Activity Levels Off, but the Landscape is More Centralized Than Ever

At the start of 2022, we published a report examining the key ways the ransomware landscape has evolved over the past two years. The retrospective offered an in-depth analysis of both the types of organizations being targeted by ransomware attacks as well as insight into the attackers themselves.

In May, we shared an update about the changes we observed in the ransomware threat ecosystem in the first quarter of 2022—in particular, the sharp decline in the number of ransomware attacks. This post explores the continuation of this trend, as well as a few other notable data points from Q3 2022.

After falling to 18-month lows at the end of Q2, ransomware activity leveled off in the third quarter, with the number of ransomware victims decreasing just two percent compared to the previous quarter. The number of ransomware victims has decreased each quarter throughout 2022 and the volume observed in Q3 was five percent lower than what we saw in the same quarter a year earlier.

We saw a moderate increase in volume to close out the quarter, which was primarily attributed to a significant rise in activity from the LockBit ransomware group. However, this increase was counterbalanced by a decrease in attacks from other primary groups, such as Karakurt, Hive, ALPHV, and Black Basta, which helped tamp down what would have otherwise been a more substantial spike.

At the end of 2021, three ransomware groups–Conti, LockBit, and Pysa–were responsible for nearly two-thirds of all the ransomware attacks around the world. So far in 2022, Pysa exited the ransomware scene in Q1, and Conti disappeared a few months later in the middle of the second quarter. Now, LockBit is the sole primary player remaining in the ransomware space, accounting for more than a third of all ransomware activity observed in Q3.

The silver lining to this top-heavy ecosystem is that disruptive actions against one of these primary groups, such as law enforcement takedowns, can have a significant impact on the overall landscape. This is different from a threat like business email compromise (BEC), where targeted disruptive actions are generally less impactful to overall attack volume due to the decentralized structure of the threat landscape.

Filling the void left by the major groups that have exited the ransomware space recently has been a revolving door of smaller groups trying to establish a foothold of their own. Of the 33 groups we observed in Q3, 10 of them (30%) were new groups that weren’t active the previous quarter. Conversely, a quarter of the groups we saw in Q2 were no longer active in the third quarter, which demonstrates the highly volatile nature of the ransomware ecosystem.

The most impactful of the new groups observed in Q3 was BianLian, a variant of ransomware written in the Go programming language. The group had the seventh-highest number of victims in the third quarter, making up 4% of the overall victim pool. BianLian’s victims have almost all been from English-speaking countries, with 91% of victims being located in the United States, Australia, the United Kingdom, or Canada.

Notably, the median annual revenue of BianLian’s victims was just $17 million, with 65% of victims making less than $25 million a year, indicating the group may have a penchant for targeting smaller organizations or their malware may only be effective against smaller organizations that aren’t able to invest in more robust cybersecurity measures.

Historically, the top target of ransomware attacks has consistently been the Manufacturing industry, peaking in Q1 of 2022 with a target share of 25%. While manufacturing organizations were still the number one victim of ransomware attacks in Q3, the overall number of manufacturing victims dropped substantially, falling 30% compared to the previous quarter.

Other industries saw similar declines in attack volume. Ransomware attacks on the Transportation sector, which experienced a significant spike in Q2, dropped by 34% in the third quarter. Similarly, attacks against Healthcare industry targets jumped substantially in Q2 but fell 12% in Q3. And finally, attacks on government institutions, which had been gradually increasing quarter over quarter, saw the first quarterly decrease in a year, with ransomware volume dropping 25% compared to the second quarter.

On the opposite side of the spectrum, a few sectors experienced notable increases in ransomware victims during the third quarter. Since the end of 2021, the Leisure & Hospitality industry saw consecutive, large decreases in ransomware attacks, but rebounded in Q3, growing 60% compared to the previous quarter. This increase was primarily driven by a notable rise in LockBit targeting hospitality companies in September.

Another industry that experienced a notable increase in attacks in the third quarter was Energy & Natural Resources, which saw the number of victims grow by 29% in the quarter, equalling the highest number of sector-specific victims we’ve seen over the past two years. The growth of Energy & Natural Resources victims wasn’t due to increased targeting by a single group. Rather, attacks were relatively evenly distributed across 16 different groups.

Other industries that had significant growth in ransomware attacks included the Business Services industry, which saw a 15% increase in new victims, and the Construction sector, which saw a 25% increase in attacks. These two sectors were the second and fourth most impacted industries in the third quarter, respectively, and both reached the highest number of victims observed since Q4 2021.

Organizations in a few European countries saw a notable increase in attacks in the third quarter. Attacks on Spanish companies increased by 88% in Q3, primarily driven by attacks from a new ransomware group, Sparta, which emerged in September and has only victimized organizations in Spain. France became the second-most common country for ransomware victims in Q3, with attack volume growing 38% compared to the previous three months.

On the flip side, a few European countries experienced a reprieve in ransomware activity. Attacks targeting German companies, which had the second-highest number of victims in Q2, fell 38% in the third quarter, and attacks on organizations in Italy dropped by 25%. Outside of Europe, Canada also saw a notable decrease in ransomware activity, with the number of victims falling by 27%.

Elsewhere, ransomware volume remained steady compared to Q2. The share of attacks targeting American companies remained historically low, staying under 40% after initially breaking that barrier in Q2.

Although the ransomware landscape seems to have stalled and is increasingly becoming more centralized, these attacks should still be considered a serious threat to any organization.

Malware delivered via email continues to be the initial foothold for ransomware. After the malware has enabled threat actors to compromise a corporate network, they can gain access to sensitive information that they can encrypt and hold for ransom. In short, even though it may not be the direct delivery mechanism, email is still the first point of attack—which makes securing it a business-critical initiative.

For more insight into the mechanics of ransomware and how to protect your organization, download our CISO Guide to Ransomware.