Q2 2022: Ransomware Landscape Continues Its Decline as Another Major Group Shuts Down

The number of ransomware attacks continued its downward trend in Q2 2022. Learn why and discover more about ransomware threat actors and targets.
August 15, 2022

At the start of 2022, we published a report examining the key ways the ransomware landscape has evolved over the past two years. The retrospective offered an in-depth analysis of the types of organizations being targeted by ransomware attacks, as well as insight into the attackers themselves.

In May, we shared an update about the changes we observed in the ransomware threat ecosystem in the first quarter of 2022—in particular, the sharp decline in the number of ransomware attacks. This post explores the continuation of this trend, as well as a few other notable data points from Q2 2022.

Ransomware Volume Continues Its Downward Trajectory

After spiking in the last quarter of 2021, we observed a downturn in ransomware volume over the first quarter of 2022. This trend continued during the second quarter of the year, with ransomware attacks decreasing month-over-month throughout the quarter. In June 2022, we observed the smallest number of ransomware victims since January 2021.

Much of the drop in volume in the first quarter of 2022 could be attributed to the disappearance of Pysa, one of the most prolific ransomware groups over the past few years. Similarly, the drop in Q2 ransomware attacks was mainly caused by the exit of another major group from the ransomware landscape: Conti.

Monthly Trend of Ransomware Volume Since 2021

Attacks Against Healthcare and Transportation Targets Rise

Similar to what we saw in Q1, most industries continued to see relief from ransomware attacks in the second quarter, with overall volume lower than in the previous quarter.

This included the Financial Services sector, which was the only industry to see a significant net increase in ransomware attacks during the first three months of the year. In Q2 2022, however, the number of ransomware attacks targeting financial institutions dropped by 40%, falling to the lowest quarterly volume since Q1 2021.

That being said, a few notable industries experienced the opposite trend, with increases in ransomware victims compared to the first quarter.

The Transportation industry saw the largest growth in ransomware victims, increasing 73% from the first three months of the year. Much of the increase in ransomware attacks against transportation companies was due to LockBit’s focus on the sector during the quarter. LockBit was linked to nearly half of all ransomware attacks targeting the transportation sector in Q2, while the remaining attacks were attributed to 12 other groups.

The Healthcare industry, which has long been a concerning target of ransomware attacks, also experienced a significant increase in attacks in the second quarter, growing 53% compared to Q1. Unlike the transportation industry, where the volume increase could be linked to one primary group, the rise in healthcare-targeted attacks was distributed across 18 different groups. Nearly half of these attacks were linked to one of three groups: LockBit, Karakurt, and Vice Society.

Q2 2022 Ransomware Victims by Industry

Attacks Against APAC Targets on the Rise

Almost all global regions saw a net decrease in the number of ransomware victims. The one exception was the Asia-Pacific (APAC) region, which saw a 31% overall increase in ransomware victims in the second quarter.

Interestingly, the increase of attacks in the APAC region wasn’t caused by a spike in activity against companies in a single country. Rather, the number of ransomware victims increased in numerous countries in the region—most notably in Australia, Thailand, Japan, and Taiwan.

In the rest of the world, ransomware volume remained steady. However, as we discussed in our Q1 ransomware trends post, North America continued to account for fewer than half of ransomware victims, even though the region was historically home to a majority of the organizations impacted by ransomware attacks before 2022.

The share of ransomware attacks targeting American companies also dropped below 40% for the first time. While more than half of ransomware attacks impacted organizations in the United States in 2021, attackers seem to have shifted focus to targets elsewhere in the first half of 2022.

Q2 2022 Ransomware Victims by Country

Conti Becomes the Latest Major Group to Exit

Prior to Q2, Conti had been the second-most prolific ransomware group in the world, trailing only LockBit in number of victims. The group’s activity had already been decreasing earlier this year, dropping by 35% in the first quarter after the group experienced a massive leak of its internal communications in March, and it finally shut down in mid-May.

Q2 2022 Distribution of Ransomware Attacks by Group

With Conti’s disappearance, the ransomware landscape has become even more centralized than it already was. A single group, LockBit, is now responsible for a large plurality of the day-to-day activity that’s impacting organizations around the world.

The new #2 in the ransomware scene is ALPHV (aka BlackCat), which first appeared in December 2021 but really ramped up its operations in the first quarter of 2022. The number of attacks attributed to ALPHV, however, has not been anywhere near the volume previously seen from Conti, comprising only 9% of all attacks in the second quarter.

Moving into the third quarter, the remaining ransomware ecosystem is made up of a patchwork of relatively low-volume groups whose attacks are generally announced sporadically.

In total, we observed attacks from 29 different ransomware groups in the second quarter, which is down from 33 groups linked to attacks in Q1. This indicates that there aren’t very many new up-and-comers entering the ransomware space to replace those major groups that have left. The more notable new groups seen in Q2 included Black Basta and Quantum. Still, attacks from these groups only made up 8% and 4% of all ransomware attacks, respectively, in a dwindling landscape.

Trend of Active Ransomware Groups Per Quarter

Securing Your Email to Prevent Ransomware Attacks

With the departure of Pysa in the first quarter of the year and now Conti in Q2 2022, it may start to feel as if organizations can relax a bit. But while ransomware attack volume has steadily declined over the first half of the year, it still remains a serious threat. Now is certainly not the time to let your guard down—especially when it comes to email security.

Malware delivered via email continues to be the initial foothold for ransomware. After the malware has enabled threat actors to compromise a corporate network, they can gain access to sensitive information that they can encrypt and hold for ransom. In short, even though it may not be the direct delivery mechanism, email is still the first point of attack—which makes securing it a business-critical initiative.

For more insight into the mechanics of ransomware and how to protect your organization, download our CISO Guide to Ransomware. And to see how Abnormal prevents ransomware attacks, request a demo of the platform today.
