Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

2022 Year in Review: Ransomware

With 2022 having just ended, let's take a look back at the year in ransomware. With the average cost of an attack ranging from $570,00 to $812,360 for just the ransom, according to Cloudally, it should be no surprise that it continued to be one of the most prominent attacks utilized by malicious groups. We'll be doing a quick overview of a few of the most active groups within the space over the past year, and any developments that those groups have made in the past 12 months. 


LockBit has continued its reign as the most prominent ransomware group in 2022. For those that don't closely follow these groups, LockBit is and continues to be, the group that dominates the ransomware space. They utilize high payments for recruiting experienced malicious actors, purchasing new exploits, and even run a bug bounty program that offers high-paying bounties - a first for a ransomware group[1]to identity of one of its users. With all these programs and the continued effectiveness of the group, it is forecasted that it will remain the most active and effective group for the foreseeable future.  

As for developments, the group has developed LockBit 3.0, the newest iteration of the ransomware. The updated version, released in June 2022, and includes additional features that can automate permission elevation, disable Windows Defender, a "safe mode" to bypass installed Antivirus, and the ability to encrypt Windows systems with two different ransomware strains to decrease the chance of decryption from a third party. With these new features, the group has been able to conduct successful attacks, accounting for roughly 44% of successful ransomware attacks so far in 2022 according to Infosecurity Magazine.

On a law enforcement note, a member of the LockBit group was recently arrested in Canada and is awaiting extradition to the United States. A dual Russian and Canadian national has allegedly participated within the LockBit campaign and has been charged with conspiracy to intentionally damage protected computers and to transmit ransom demands. The charges carry a maximum of five years in prison. 

Black Basta

One of the newest ransomware groups is Black Basta. The group has had alleged ties to other gangs, such as Conti, REvil, and Fin7 (aka Carbanak). These ties come in the form of possible former members/affiliates, in the case of Conti, or custom tools, which are potentially linked to Fin7. With potentially experienced members, the group was able to publish more than 20 organizations to its name-and-shame blog within the first two weeks of the group being identified in April 2022, according to Intel471. Since the initial identification of the group, they have compromised over 90 organizations as of September 2022 with no sign of slowing down.

The group has had unprecedented success for the short period that they have been active. This success can be linked to a couple of factors. First, Black Basta does not publicly recruit affiliates and most likely only collaborates with actors with whom it has worked with previously. This collaborative methodology is possible because it has been assessed that the Black Basta was formed from members of other successful ransomware groups, so they know other actors. Additionally, the group outsources its capabilities utilizing established tools, such as QakBot and Cobalt Strike, or network access brokers, allowing the group to have a high success rate once inside a victim's environment.


Keeping with the trend of newer ransomware groups that had an impressive year is Hive. The group has been cited by Spiceworks as one of the top three most active ransomware groups since coming on the scene around June 2021. Like LockBit, Hive uses an affiliate ransomware-as-a-service (RaaS) model. This model has proven effective, as the group recorded roughly 9% of reported ransomware attacks in the third quarter of 2022, according to Intel471.

In 2022, Hive replaced its original ransomware. The original ransomware was written in GoLang but this was switched to Rust, researchers have found. This change in languages provides the ransomware with a multitude of new advantages, such as deep control over low-level resources, variety of cryptographic libraries, and it is more difficult to reverse-engineer. In addition to the language change, the ransom note has been updated and the method of encryption has improved.

While Hive isn't the most prolific group in the ransomware space, it is still very dangerous, particularly due to the way it groups targets. Some ransomware groups try not to attack critical infrastructure or essential services, whether for moral reasons or to draw less attention from law enforcement agencies. Hive, on the other hand, does not care. The group has targeted 125 healthcare organizations as of March 2022. Intel471 reported, the healthcare, energy, and agricultural sectors accounted for 21% of the victims infected with Hive ransomware in the third quarter of 2022. As compared to LockBit and ALPHV which accounted for 8% and under 6% of attacks, respectively, over the same period on the same type of targets. This certainly proves Hive is willing to attack sectors that others may bypass.


Wrapping up our ransomware roundup is the group BlackCat/ALPHV, which first appeared in late 2021. This ransomware group was the fourth most active in the second quarter of 2022 and third most active in the third quarter 2022. Intel471 reported the group was responsible for about 6.5% of the total reported ransomware cases during this period. While the amount is smaller compared to LockBit or Black Basta, newcomer BlackCat has managed to stand out from the crowd. The group developed a search function in July 2022 for indexed stolen data that had not been seen previously. The group claimed this was done to aid other cybercriminals in finding confidential information which can be used to add pressure to victim organizations forcing them to pay the ransom. This idea was quickly copied with LockBit adding its own, lighter version to its toolset.

ALPHV has also set other trends. According to the FBI, ALPHV was the first group to successfully utilize Rust to ransom a victim, well before Hive made the switch. ALPHV’s ability to develop capabilities and functionality that are quickly adopted by other threat actors most likely indicates that its members are most likely ransomware veterans and there are indications the group was linked to the infamous Darkside and BlackMatter gangs.

Moving Forward

Just as security researchers continue to develop new methodologies and techniques to keep adversarial groups at bay, ransomware groups continue to do the same. These groups will continue to develop if the attacks continue to be successful. With an average of 1 out of every 40 organizations being hit by ransomware, it is clear there is a need for proactive identification of potential threats so they can be mitigated properly before costing an organization an average of $4,540,000 in the event of a full-blown ransom. Early identification of a threat can be the difference between taking a single host offline for a few hours to remediate or taking the average of 22 days of recovery to bounce back after a ransomware attack, potentially from one of the groups outlined above.