2022 Year in Review: Ransomware

With 2022 having just ended, let's take a look back at the year in ransomware. With the average cost of an attack ranging from $570,000 to $812,360 for the ransom alone, according to Cloudally, it should be no surprise that ransomware continued to be one of the most prominent attacks used by malicious groups. Below is a quick overview of a few of the most active groups in the space over the past year and the developments each of them has made in the past 12 months.

LockBit

LockBit has continued its reign as the most prominent ransomware group in 2022. For those who don't closely follow these groups, LockBit is, and continues to be, the group that dominates the ransomware space. It uses high payments to recruit experienced malicious actors and to purchase new exploits, and it even runs a bug bounty program offering high-paying bounties, a first for a ransomware group [1], including a bounty for the identity of one of its users. With all these programs and the group's continued effectiveness, it is forecast to remain the most active and effective group for the foreseeable future.

As for developments, the group released LockBit 3.0, the newest iteration of the ransomware, in June 2022. The updated version includes additional features: automated permission elevation, the ability to disable Windows Defender, a "safe mode" to bypass installed antivirus, and the ability to encrypt Windows systems with two different ransomware strains to decrease the chance of decryption by a third party. With these new features, the group has continued to conduct successful attacks, accounting for roughly 44% of successful ransomware attacks so far in 2022 according to Infosecurity Magazine.

On a law enforcement note, a member of the LockBit group was recently arrested in Canada and is awaiting extradition to the United States. The suspect, a dual Russian and Canadian national, allegedly participated in the LockBit campaign and has been charged with conspiracy to intentionally damage protected computers and to transmit ransom demands. The charges carry a maximum of five years in prison.

Black Basta

One of the newest ransomware groups is Black Basta. The group has alleged ties to other gangs, such as Conti, REvil, and Fin7 (aka Carbanak). These ties take the form of possible former members or affiliates, in the case of Conti, or of custom tools potentially linked to Fin7. With such potentially experienced members, the group was able to list more than 20 victim organizations on its name-and-shame blog within the first two weeks of being identified in April 2022, according to Intel471. Since its initial identification, the group had compromised over 90 organizations as of September 2022, with no sign of slowing down.

The group has had unprecedented success for the short period it has been active. This success can be linked to a couple of factors. First, Black Basta does not publicly recruit affiliates and most likely only collaborates with actors it has worked with previously. This collaborative approach is possible because Black Basta is assessed to have been formed from members of other successful ransomware groups, so its members already know other actors. Additionally, the group outsources parts of its operation, using established tools such as QakBot and Cobalt Strike and buying access from network access brokers, which gives it a high success rate once inside a victim's environment.

Hive

Keeping with the trend of newer ransomware groups that had an impressive year is Hive. Spiceworks has cited the group as one of the top three most active ransomware groups since it came on the scene around June 2021. Like LockBit, Hive uses an affiliate ransomware-as-a-service (RaaS) model. This model has proven effective: the group accounted for roughly 9% of reported ransomware attacks in the third quarter of 2022, according to Intel471.

In 2022, Hive replaced its original ransomware. The original was written in GoLang, but researchers have found that the replacement is written in Rust. This change of language gives the ransomware a number of new advantages, such as deep control over low-level resources, a variety of cryptographic libraries, and code that is more difficult to reverse-engineer. In addition to the language change, the ransom note has been updated and the encryption method has been improved.

While Hive isn't the most prolific group in the ransomware space, it is still very dangerous, particularly because of how it chooses its targets. Some ransomware groups try not to attack critical infrastructure or essential services, whether for moral reasons or to draw less attention from law enforcement agencies. Hive, on the other hand, does not care. The group had targeted 125 healthcare organizations as of March 2022. Intel471 reported that the healthcare, energy, and agricultural sectors accounted for 21% of the victims infected with Hive ransomware in the third quarter of 2022. By comparison, LockBit and ALPHV accounted for 8% and under 6%, respectively, of attacks on the same types of targets over the same period. This certainly shows Hive is willing to attack sectors that others may bypass.

BlackCat/ALPHV

Wrapping up our ransomware roundup is the group BlackCat/ALPHV, which first appeared in late 2021. This ransomware group was the fourth most active in the second quarter of 2022 and the third most active in the third quarter of 2022. Intel471 reported the group was responsible for about 6.5% of the total reported ransomware cases during this period. While that share is smaller than LockBit's or Black Basta's, newcomer BlackCat has managed to stand out from the crowd. In July 2022 the group introduced a search function over indexed stolen data, something that had not been seen previously. The group claimed this was done to help other cybercriminals find confidential information that could be used to put additional pressure on victim organizations to pay the ransom. The idea was quickly copied, with LockBit adding its own lighter version to its toolset.

ALPHV has also set other trends. According to the FBI, ALPHV was the first group to successfully use Rust to ransom a victim, well before Hive made the switch. ALPHV's ability to develop capabilities and functionality that are quickly adopted by other threat actors most likely indicates that its members are ransomware veterans, and there are indications the group is linked to the infamous Darkside and BlackMatter gangs.

Moving Forward

Just as security researchers continue to develop new methodologies and techniques to keep adversarial groups at bay, ransomware groups continue to do the same. These groups will keep developing as long as their attacks continue to succeed. With an average of 1 out of every 40 organizations being hit by ransomware, there is a clear need for proactive identification of potential threats so they can be properly mitigated before costing an organization an average of $4,540,000 in the event of a full-blown ransom. Early identification of a threat can be the difference between taking a single host offline for a few hours to remediate and spending the average of 22 days of recovery needed to bounce back after a ransomware attack, potentially from one of the groups outlined above.
