LockBit Dominates Ransomware Campaigns in 2022: Deep Instinct

The LockBit Ransomware-as-a-Service (RaaS) group accounted for 44% of all ransomware campaigns in 2022, followed by Conti (23%), Hive (21%), Black Cat (7%) and Conti Splinters (5%), the latter group comprising threat actors from Quantum, BlackBasta and BlackByte.

The figures come from the 2022 Interim Cyber Threat Report by Deep Instinct, which the company has shared with Infosecurity.

“2022 has been another record year for cyber-criminals and ransomware gangs,” commented Mark Vaitzman, threat lab team leader at Deep Instinct. “It’s no secret that these threat actors are constantly upping their game with new and improved tactics designed to evade traditional cyber defenses.”

The report also examined the significant changes to Agent Tesla, NanoCore and other threat groups, such as Emotet, starting to use highly obfuscated Visual Basic for Applications (VBA) macros to avoid detection.

More generally, the Deep Instinct research has showed that as Microsoft started disabling macros by default in Microsoft Office files, the use of documents for malware decreased as the number one attack vector, replaced by LNK (Windows shortcut files), HTML and archive email attachments.

Further, the report mentioned that vulnerabilities like SpoolFool, Follina and DirtyPipe highlighted the exploitability of both Windows and Linux systems, suggesting that the number of exploited in-the-wild flaws spikes every three to four months.

Another trend spotted by Deep Instinct relates to threat actor groups utilizing data exfiltration within their attack flows to demand ransom for leaked data.

In cases where sensitive data is exfiltrated, there are fewer remediation options. So, several threat actors also demand ransoms from third-party companies if the leaked data contains their sensitive information.

The Deep Instinct report has also provided three predictions for the future, the first of which has suggested that threat actors will continue to look for the weakest link to initiate their attacks, whether represented by a vulnerable system or an employee willing to be paid to sell data access.

The second prediction related to the rise of ‘protestware,’ the practice of self-sabotaging one’s software and weaponizing it with malware capabilities, and the third one related to threat actors exploiting more unpatched vulnerabilities by the end of the year.

“Defenders must continue to be vigilant and find new approaches to prevent these attacks from happening,” Vaitzman concluded.

The Deep Instinct report comes days after Ivanti published a separate document suggesting ransomware has grown by 466% since 2019 and is increasingly being used as a precursor to physical war.

What’s Hot on Infosecurity Magazine?