Ransomware Volume Drops as a Main Player Exits the Stage

May 5, 2022

Back in January, we published a two-year retrospective on how ransomware has evolved in recent years. In that report, we focused on understanding the characteristics of ransomware victims and the groups behind these attacks.

We found that, like most other cybercrime activity, ransomware attacks are industry-agnostic, since actors are more interested in making quick money than spending time identifying “ideal” victims. We also saw that the perception that ransomware groups prefer to target large enterprises is a myth. Rather, more than half of ransomware victims are small businesses. And finally, our report discussed how the ransomware landscape is highly centralized, with a majority of activity being driven by only a few groups.

Like all threats in the cyber threat landscape, ransomware will continue to evolve over time. This post builds on our prior research and looks at the changes we observed in the ransomware threat landscape in the first quarter of 2022.

Ransomware Volume Comes Back to Earth After a Big Q4

At the end of 2021, we observed a significant increase in ransomware attacks, primarily due to a spike in activity from some of the more prolific groups: Conti, LockBit, and Pysa. In the first three months of 2022, however, the total number of ransomware attacks decreased by 25%, falling to a level similar to what we saw in the third quarter of last year. This decrease seems to be primarily caused by a big drop in attacks from Conti and, as we’ll talk about in more detail later, the disappearance of one of the top ransomware groups.

Monthly Trend of Ransomware Volume Since 2021

(Almost) All Industries See Some Relief

Across the board, nearly all industries saw a reprieve in the overall number of ransomware attacks targeting companies in their sector. The industry that felt the most relief in the first quarter was Retail & Wholesale, which saw a 52% decrease in attacks. This decrease means that it’s now the fourth-most targeted industry, a significant shift after spending the last two quarters as the second-most targeted sector.

The Financial Services industry was the one industry that saw the exact opposite trend in attack volume over the last quarter. While the number of attacks for almost every other industry fell, ransomware attacks targeting financial organizations increased by 35%.

Attacks against financial institutions have been on an upward trend over the past year, with the volume of attacks 75% higher than we observed in the first quarter of 2021. The main driver behind this growth appears to be an increased focus on financial institutions by LockBit, primarily on smaller accounting and insurance firms. The only other sector to see an increase in overall attacks was Government, which saw a slight 15% increase compared to the last three months of last year.

Q1 2022 Ransomware Victims by Industry

European Companies Becoming a Bigger Target

Historically, a majority of ransomware attacks have impacted organizations in North America, with a primary focus on the United States and Canada. However, in Q1 2022, less than half of ransomware attacks targeted North American companies, for the first time since we began tracking this in January 2020.

As stated in our report, over half of all ransomware attacks impacted organizations in the United States in 2021. But in the first quarter of 2022, the share of American ransomware victims dropped to just 40%.

Q1 2022 Ransomware Victims by Country

On the other side of the coin, attacks against European targets peaked in the first quarter of the year, with more than a third of all ransomware attacks targeting European institutions—primarily driven by attacks on targets in Western Europe. The most commonly impacted countries in Europe during the quarter were the United Kingdom, Italy, Germany, France, Spain, and Switzerland.

Quarterly Location of Ransomware Victims Since 2020

Newcomers Join the Ransomware Landscape as Pysa Drops Out

As we’ve discussed previously, the ransomware landscape is highly centralized, with a few main groups driving most of the activity. In fact, nearly half of all ransomware attacks in the first quarter of the year were linked to just two groups: LockBit and Conti. But the number of attacks linked to Conti, which experienced a massive leak of their internal communications in March, dropped by 35% compared to the last three months of 2021.

Q1 2022 Distribution of Ransomware Attacks by Group

One of the most notable changes to the ransomware landscape in the first three months of the year was the disappearance of the Pysa ransomware group. Throughout 2021, Pysa was the third-most prolific ransomware group; however, the group hasn’t announced any new victims since early December and their dark web blog went offline in February.

In the past, we’ve seen a number of major ransomware groups, like Maze, REvil, or Avaddon, vanish from the ransomware scene. Sometimes these groups re-emerge under a new “brand,” like when Maze rebranded as Egregor or DarkSide renamed itself BlackMatter. Time will tell whether we’ll see Pysa again under a new pseudonym.

But never fear, ransomware is not going away. The first quarter of 2022 saw the emergence of two new impactful groups to the ransomware scene: ALPHV and Stormous.

ALPHV, which has also been known as BlackCat, initially appeared in December 2021, but really ramped up their operations in the first part of the year. The distribution of ALPHV’s victims is largely representative of global ransomware characteristics; however, the median annual revenue of companies impacted by ALPHV attacks was $57 million, compared to just $31 million for ransomware victims globally. This may indicate ALPHV has a potential preference for exploiting larger enterprise targets.

ALPHV Dark Web Blog Homepage

Stormous emerged in January 2022 and quickly became the fourth-most active ransomware group. Stormous is different from most other ransomware groups in that it primarily announces its victims via a Telegram group rather than a blog on the dark web, though the group did stand up a dark web presence at the end of March.

Rather than explicitly holding the data for ransom, sometimes Stormous offers victim data for sale or simply dumps victim data freely. Combined with the statement on their dark website that references their preference for targeting companies in certain countries, primarily the United States, Ukraine, and India, Stormous may be more appropriately defined as something closer to a hacktivist group rather than a pure ransomware group.

Stormous Description from Dark Web Homepage

Defending Against Ransomware Attacks

If our research shows anything, it’s that the ransomware landscape has changed significantly in recent years. Rather than ransomware payloads being delivered directly via email, today's ransomware is often deployed using previously established corporate network access. In most cases, this initial foothold is established using other types of malware that are delivered using email.

Once this first payload has been delivered, an adversary can deploy additional malware to gain access to the company network, which they can then exploit to gain access to critical information they can encrypt and hold for ransom. So while email may not be the direct delivery mechanism for ransomware, it is still the first point of attack—and one that your organization needs to defend.

Abnormal protects customers against these first-stage attacks, preventing cybercriminals from gaining that initial foothold inside their corporate network that could result in future ransomware infections. So whether you’re receiving a malicious file or something far more sinister, Abnormal ensures that your organization is protected from all types of attacks.

To learn more about how Abnormal prevents ransomware attacks, request a demo of the platform today.
