The number of ransomware leak victims dropped by over a quarter between the end of 2021 and the first three months of 2022, but new groups proliferated, according to Digital Shadows.
The threat intelligence vendor observed 582 organizations listed on ransomware leak sites in Q1 2022, a decrease of 25.3% compared to Q4 2021.
It claimed the drop was due to reduced activity from some of the more prolific groups. These include Conti, which saw a 32% decrease in the number of victims, and Pysa, which did not name any victims during the quarter.
In fact, the latter group appears to have disappeared, despite being the third most active in Q4 2021 with a particular focus on the education sector, according to Digital Shadows.
However, its members and/or affiliates will likely disperse to newly branded entities.
“In the first quarter of 2022, Digital Shadows observed the creation of many new ransomware groups and data leak sites. These included Stormous, Night Sky, Zeon, Pandora, Sugar, and x001xs,” the security vendor explained.
“A trend that is typically observed between quarters is that new ransomware groups are created at a similar rate to groups being shut down. This is likely because affiliates frequently move from groups that are no longer active to those that are emerging. Groups also often shut down operations and rebrand, to avoid raising attention from law enforcement agencies.”
As in the previous two quarters, however, LockBit 2.0 and Conti remained the most prolific of the 70 groups tracked by Digital Shadows, accounting for nearly 58% of incidents in Q1 2022.
LockBit had nearly twice as many victims as Conti and is reportedly the only group to have leaked data on more than 200 organizations in a quarter since Q3 2021.
While the first three months of the year were relatively quiet for ransomware groups, things are likely to pick up throughout 2022, with more SMBs targeted and potentially some spillover from the war in Ukraine, Digital Shadows warned.