Ransomware attacks slowing as 2022 wears on

Total ransomware attacks for the second quarter of 2022 totaled 574, representing a 34% slowdown compared to the first quarter of the year, according to a report released Thursday by GuidePoint Research.

The most impacted industries were manufacturing and construction, GuidePoint’s report said, accounting for 18.3% of all claimed attacks during the quarter. The tech sector was also heavily targeted, as were government agencies. The US was the most-attacked country, according to the report, representing nearly a quarter of all global ransomware victims.

The most active ransomware group in the second quarter was Lockbit, a ransomware-as-a-service operation that offers its software to affiliates who actually compromise the target’s systems and share any profits. Lockbit has made several technical advances of late, according to CSO Online, including the introduction of its own data theft toolkit and the ability to more speedily deploy their ransomware after a target network is compromised.

A total of 208 attacks using Lockbit were recorded during the study’s time frame. Lockbit, the report said, runs on a fairly professional basis, with a bug bounty program, a set percentage of proceeds from an attack payable to the group as a use fee, and restrictions on using its software against organizations like critical infrastructure providers where encryption could cause deaths.

A new group, as well, emerged during the second quarter, dubbed Blackbasta, which heavily targeted industrial and manufacturing companies. The Conti ransomware group, by contrast, was shut down in May, substantially limiting the number of attacks made under its banner in the quarter, which were nevertheless good for second place behind Lockbit2, with 41 victims.

Conti was known for its aggressive approach and—unusually for a prominent ransomware group—its habit of failing to follow through on promises to decrypt compromised data, even when ransoms were paid. However, while the Conti brand is effectively shuttered, the people behind it are likely still active. According to Drew Schmitt, operations lead at GuidePoint, Lockbit is likely to continue leading the way for the ransomware industry in the immediate future, as the reorganization of threat actors continues. “We expect to see an uptick of Lockbit 3.0 activity and potentially other restructuring and consolidation in affiliate-based ransomware operations,” he said in a statement.