Q2 2022: Ransomware Landscape Continues Its Decline as Another Major Group Shuts Down

The number of ransomware attacks continued its downward trend in Q2 2022. Learn why and discover more about ransomware threat actors and targets.
August 15, 2022

At the start of 2022, we published a report examining the key ways the ransomware landscape has evolved over the past two years. The retrospective offered an in-depth analysis of both the types of organizations being targeted by ransomware attacks as well as insight into the attackers themselves.

In May, we shared an update about the changes we observed in the ransomware threat ecosystem in the first quarter of 2022—in particular, the sharp decline in the number of ransomware attacks. This post explores the continuation of this trend, as well as a few other notable data points from Q2 2022.

Ransomware Volume Continues Its Downward Trajectory

After spiking in the last quarter of 2021, we observed a downturn in ransomware volume over the first quarter of 2022. This trend continued during the second quarter of the year, with ransomware attacks decreasing month-over-month throughout the quarter. In June 2022, we observed the smallest number of ransomware victims since January 2021.

Much of the drop in volume in the first quarter of 2022 could be attributed to the disappearance of Pysa, one of the most prolific ransomware groups over the past few years. Similarly, the drop in Q2 ransomware attacks was mainly caused by the exit of another major group from the ransomware landscape: Conti.

Monthly Trend of Ransomware Volume Since 2021 (January 2021 to June 2022)

Attacks Against Healthcare and Transportation Targets Rise

Similar to what we saw in Q1, most industries continued to see relief from ransomware attacks in the second quarter, as overall volume compared to the previous quarter was lower.

This included the Financial Services sector, which was the only industry to see a significant net increase in ransomware attacks during the first three months of the year. In Q2 2022, however, the number of ransomware attacks targeting financial institutions dropped by 40%, falling to the lowest quarterly volume since Q1 2021.

That being said, a few notable industries experienced the opposite trend, with increases in ransomware victims compared to the first quarter.

The Transportation industry saw the largest growth in ransomware victims, increasing 73% from the first three months of the year. Much of the increase in ransomware attacks against transportation companies was due to LockBit’s focus on the sector during the quarter. LockBit was linked to nearly half of all ransomware attacks targeting the transportation sector in Q2, while the remaining attacks were attributed to 12 other groups.

The Healthcare industry, which has long been a concerning target of ransomware attacks, also experienced a significant increase in attacks in the second quarter, growing 53% compared to Q1. Unlike the transportation industry, where the volume increase could be linked to one primary group, the rise in healthcare-targeted attacks was distributed across 18 different groups. Nearly half of these attacks were linked to one of three groups: LockBit, Karakurt, and Vice Society.

Q2 2022 Ransomware Victims by Industry

Attacks Against APAC Targets on the Rise

Almost all global regions saw a net decrease in the number of ransomware victims. The one exception was the Asia-Pacific (APAC) region, which saw a 31% overall increase in ransomware victims in the second quarter.

Interestingly, the increase of attacks in the APAC region wasn’t caused by a spike in activity against companies in a single country. Rather, the number of ransomware victims increased in numerous countries in the region—most notably in Australia, Thailand, Japan, and Taiwan.

In the rest of the world, ransomware volume remained steady. However, as we discussed in our Q1 ransomware trends post, North America continued to account for fewer than half of ransomware victims; before 2022, the region had historically been home to a majority of the organizations impacted by ransomware attacks.

The share of ransomware attacks targeting American companies also dropped below 40% for the first time. While more than half of ransomware attacks impacted organizations in the United States in 2021, attackers seem to have shifted focus to targets elsewhere in the first half of 2022.

Q2 2022 Ransomware Victims by Country

Conti Becomes the Latest Major Group to Exit

Prior to Q2, Conti had been the second-most prolific ransomware group in the world, trailing only LockBit in number of victims. The group’s activity had already been decreasing earlier this year, dropping by 35% in the first quarter after the group experienced a massive leak of its internal communications in March. The group finally shut down in mid-May.

Q2 2022 Distribution of Ransomware Attacks by Group

With Conti’s disappearance, the ransomware landscape has become even more centralized than it already was. A single group, LockBit, is now responsible for a large plurality of the day-to-day activity that’s impacting organizations around the world.

The new #2 in the ransomware scene is now ALPHV (aka BlackCat), which first appeared in December 2021, but really ramped up its operations in the first quarter of 2022. The number of attacks attributed to ALPHV, however, has not been anywhere near the volume previously seen from Conti and only comprised 9% of all attacks in the second quarter.

Moving into the third quarter, the remaining ransomware ecosystem is made up of a patchwork of relatively low-volume groups whose attacks are generally announced sporadically.

In total, we observed attacks from 29 different ransomware groups in the second quarter, which is down from 33 groups linked to attacks in Q1. This indicates that there aren’t very many new up-and-comers entering the ransomware space to replace those major groups that have left. The more notable new groups seen in Q2 included Black Basta and Quantum. Still, attacks from these groups only made up 8% and 4% of all ransomware attacks, respectively, in a dwindling landscape.

Trend of Active Ransomware Groups Per Quarter

Securing Your Email to Prevent Ransomware Attacks

With the departure of Pysa in the first quarter of the year and now Conti in Q2 2022, it may start to feel as if organizations can relax a bit. But while ransomware attack volume has steadily declined over the first half of the year, it still remains a serious threat. Now is certainly not the time to let your guard down—especially when it comes to email security.

Malware delivered via email continues to be the initial foothold for ransomware. After the malware has enabled threat actors to compromise a corporate network, they can gain access to sensitive information that they can encrypt and hold for ransom. In short, even though it may not be the direct delivery mechanism, email is still the first point of attack—which makes securing it a business-critical initiative.

For more insight into the mechanics of ransomware and how to protect your organization, download our CISO Guide to Ransomware. And to see how Abnormal prevents ransomware attacks, request a demo of the platform today.
