The fall of the high and mighty after the backstabbing of an ally; a crucial decision that changed allegiances; conspiracy, treachery, and backlashes; new warlords rising after the fall of the sovereign: the murky world of ransomware in 2022 had all the elements of a full-blown Game of Thrones-style costume drama.
Security firms across the world detected more than 2,000 ransomware attacks of varying scale, using about 30 popular encryptor variants. Ransomware gangs targeted the US the most, and the most attacked sector was industrial goods and services.
In addition, there was an increase in politically motivated data extortion attacks, some of which are believed to have been coordinated by state-sponsored actors. What added drama to all this was the spectacular fall of the mighty Conti ransomware gang, LockBit's ascension to the top slot, and its eventual displacement by others.
Conti falls, LockBit rises
LockBit emerged as the ransomware market leader after the shutdown of the Conti gang following the famous ‘ContiLeaks’.
After Russia invaded Ukraine on February 24, 2022, the Conti operators publicly expressed their support for Russia. A few days later, however, an anonymous Twitter account called "ContiLeaks" released a collection of internal chat messages from Conti dating back to 2021. The account later published additional internal chats from 2020.
As a result, Conti's operators began to dismantle their operations. In May 2022, the main Conti platform was shut down and the group split into several smaller units, which allowed it to be more agile and evade law enforcement. About a month later, Conti's Ransomware-as-a-Service (RaaS) operation ceased its data leak and negotiation activities.
Conti affiliates (the individuals or groups who perform the intrusions and deploy the ransomware for a share of the ransom payments) moved to other players in the RaaS market, with LockBit being the primary beneficiary.
Although LockBit has been active for roughly as long as Conti, it was overshadowed by groups like Maze and Ryuk in its first two years of operation. The release of version 3.0 of its ransomware and affiliate program in June, however, helped it become the leading ransomware strain in the third quarter.
The situation changed in September, when internal details about the LockBit affiliate program, the builder for the ransomware, and the identity of its supposed leader were leaked, damaging the group's reputation. This led to a comparative decrease in LockBit breaches in the late third and fourth quarters of 2022.
From the ashes of Conti
Gangs like Black Basta, Hive, ALPHV/BlackCat, and Stormous soon caught up. Notably, researchers pointed out many similarities between Conti's operation and those of Black Basta and Hive.
Black Basta affiliates prefer highly profitable organizations across geographies, while Hive seems to have a more restricted focus: an alleged Hive operator disclosed in August that the group's affiliates primarily target organizations in Australia, Canada, the UK, and the US.
According to Intel 471 researchers, actors deploying the Hive ransomware often use phishing campaigns to gain initial access and distribute their malware. These campaigns are usually written in English, which allows the group to refine its social engineering and tailor it to a specific audience, likely reducing resource expenditure and increasing the chances of success.
The ALPHV RaaS affiliates, on the other hand, seem to prefer exploiting vulnerabilities to gain access to large organizations. The alleged leader of the ALPHV RaaS operation claimed in September that the group had targeted airports, fuel pipeline operators, gas stations, oil refineries, and other critical infrastructure since the affiliate program was launched.
Other notable ransomware variants that rose to prominence include AvosLocker, Vice Society, BianLian, Medusa, RansomHouse, Quantum, and LV.
Researchers at Cyble noted a clear pattern of Conti techniques in a stream of ransomware during Q2 and Q3. One new strain, built from the leaked Conti source code, called itself "Putin Team" in an explicit attempt to appear Russian, according to Cyble Research and Intelligence Labs (CRIL).
The CRIL report lists the tactics of three other Conti-derived variants: ScareCrow, BlueSky, and Meow.
"BlueSky follows a different encryption scheme, but the rest of the ransomware resembles Conti ransomware," noted a CRIL researcher.
ScareCrow encrypts files, appends .CROW as an extension, and drops a ransom note named "readme.txt" containing three Telegram handles for contacting the threat actor. Meow ransomware follows the same path but appends .MEOW as the extension.
BlueSky, however, exhibits traits of both Conti and Babuk ransomware; the Babuk source code was likewise leaked, in 2021.
“Upon execution, the BlueSky Ransomware encrypts files and adds .BLUESKY extension to them. The ransom note dropped by this ransomware is named, “# DECRYPT FILES BLUESKY #.txt” which contains instructions for decrypting the files. This ransomware group uses an onion site to interact with the victims,” said the CRIL report.
More regions, higher scale
According to CRIL, the top countries targeted by ransomware since 2019 were the US, France, Spain, the UK, Germany, and Italy. While the first four are the usual targets, Cyble attributed Italy's entry on the list directly to its support for Ukraine against the Russian invasion.
“The ever-increasing threat landscape due to the Russia-Ukraine conflict has fundamentally transformed the attack surface due to frequently disclosed vulnerabilities and exposures. Meanwhile, the increasing complexity of tools and techniques adopted by the threat actors has revealed the gaps in the cybersecurity infrastructure of Italian organizations and entities,” said a Cyble advisory about cyber-attacks on Italy.
Australia was another hotbed for ransomware action, with high-profile breaches such as telecom giant Optus and insurance major Medibank.
The sectors that were most frequently targeted by ransomware attacks include industrial goods and services, industrial and consumer products, technology, construction and materials, manufacturing, professional services and consulting, travel and leisure, and public services.
Here are the ransomware cases we saw in 2022, notable for their scale, damage, and sometimes mere quirkiness:
In January, the LockBit ransomware group claimed to have hacked the French Ministry of Justice, threatening to release the ministry's data on the dark web if a ransom was not paid by February 10.
In February, the BlackCat ransomware group attacked German fuel storage and logistics company Oiltanking, causing disruptions at gas stations nationwide. Royal Dutch Shell reported that it had to reroute supplies to other depots because of the incident, and according to Handelsblatt, 233 gas stations in Germany were affected and had to fall back on manual processes. The attack had a widespread effect on the country's fuel supply chain.
In February, the Hive cybercriminal group targeted Syndicat Intercommunal d'Informatique (SII), an IT service provider based in France. SII provides IT services to several municipalities in the Seine-Saint-Denis department of the Île-de-France region, and at least three of these municipalities were also affected by the ransomware attack.
Graphics card major Nvidia Corp was targeted by the Lapsus$ extortion group in March. The company released a statement acknowledging the attack but did not provide further details. The group claimed to have exfiltrated 1TB of data from Nvidia and, according to the hackers, Nvidia decided to fight back rather than negotiate. Security researchers shared screenshots from the Lapsus$ Telegram channel on Twitter in which the gang claimed that Nvidia had launched a retaliatory strike to prevent the release of the stolen data.
Also in March, the Lapsus$ data extortion group leaked confidential data that it claimed to have obtained from electronics giant Samsung. After the attack, the gang shared a note taunting Samsung that included a snapshot of C/C++ directives from Samsung software, indicating that it had accessed the company's data.
French video game company Ubisoft confirmed in March that it had suffered a hack at the hands of the Lapsus$ gang. In a statement it said, "we can confirm that all our games and services are functioning normally and that at this time there is no evidence any player personal information was accessed or exposed as a by-product of this incident".
In April, tech company Globant revealed in an SEC filing that it had suffered a data breach, after the Lapsus$ extortion group claimed to have stolen 70GB of the company's source code.
In April, the Costa Rican government's computer systems were hit by a ransomware attack carried out by the Conti group. After the government refused to pay, the group began publishing the stolen information.
The Costa Rican finance ministry was the first to report issues, including disruptions to tax collection; attacks on the social security agency's human resources system and the Labour Ministry followed. The pro-Russian Conti group demanded a $10 million ransom in exchange for not releasing the information stolen from the Ministry of Finance, which could include sensitive data such as citizens' tax returns and information on companies operating in Costa Rica.
Worsening the crisis, the Hive ransomware group hit the Costa Rican Social Security Fund on May 31, 2022, forcing the institution to shut down all its critical systems, including the Unique Digital Health File and the Centralized Collection System.
The Rio de Janeiro finance department announced in April that it had suffered a ransomware attack on its systems. The LockBit gang claimed to have stolen 420 GB of data, which it threatened to release if the ransom was not paid.
Stormous, a newcomer gang, claimed in April to have hacked Coca-Cola's servers and obtained 161 gigabytes of data, including financial information, passwords, and commercial accounts. The group put the data up for sale for about $64,000, or roughly 1.65 Bitcoin. Coca-Cola said it was investigating the incident.
In May, India's SpiceJet airline reported that it had experienced an "attempted ransomware attack," leading to significant delays and leaving passengers stranded at airports with little communication from staff. The company stated that its IT team had contained and resolved the issue but did not provide further details on the attack or the perpetrators.
In May, Cisco's corporate network was breached by the Yanluowang ransomware group, which attempted to extort the company by threatening to leak the information it had obtained; Cisco disclosed the incident in August. Cisco believed that only non-sensitive information had been stolen: the data was taken from a Box folder linked to a compromised employee's account, which the attackers reached after compromising the employee's personal Google account and the credentials synced to it. Cisco did not identify any impact on its business, though 3,100 files (2.75GB) related to the incident were later published on the dark web.
In August, Portugal's state-owned airline TAP Air Portugal was hit by a ransomware attack claimed by RagnarLocker. The airline said that no data had been stolen, but the attack affected its website and app. RagnarLocker, however, released a screenshot of passenger personal information and suggested that "hundreds of Gigabytes may be compromised." It is unclear whether the group demanded a ransom from the airline.
In June, retail giant Walmart denied reports that it had been hit by the Yanluowang ransomware group, a newly discovered cybercriminal gang. According to Walmart, its "Information Security team is monitoring our systems 24/7" and it believed the claims to be untrue. A post on the group's data leak site claimed that it had breached Walmart and encrypted between 40,000 and 50,000 devices.
In September, the Holiday Inn hotel chain experienced disruptions to its booking channels and other applications due to a cyberattack. The attack was carried out by a couple from Vietnam who accessed the company's databases using the weak password Qwerty1234. InterContinental Hotels Group, which owns Holiday Inn and other hotel brands, did not report any data loss during the "unauthorized access" to its technology systems. The hackers told the BBC that they carried out the attack "for fun."
In the cyberattack that put Australia in the cybersecurity headlines, an unidentified group claimed in September to have obtained data belonging to 11.2 million customers of Optus, the country's second-largest telecommunications company. The criminals demanded $1 million in Monero cryptocurrency to prevent the sale of the stolen data. The Australian Federal Police are investigating the incident.
In October, the Everest ransomware group targeted Eskom, the South African state-owned electricity utility that supplies more than 90% of the electricity used by customers in South Africa and the SADC region. The company experienced some server issues during the attack, and the group published a notice offering root access to the company's servers for $125,000, claiming to have access to all of its servers, with root access on many. Eskom received a ransom demand of $200,000 for the return of the stolen data and access, but it is unclear whether the company intends to pay.
Medibank, a major Australian health insurer, experienced temporary outages in October due to a ransomware attack. It was later revealed that data of all its customers had been accessed during the incident. The company communicated with the hackers but did not confirm whether it would pay the ransom demanded for the return of the data. In November 2022, the hacker group, allegedly associated with the Russian ransomware group REvil, released Medibank customer data on a dark web blog after the company reportedly refused to pay the US$9.7m ransom. By December 1, reports indicated that the group had released all the remaining compromised files in its possession.
In the same month, UK car dealership group Pendragon, which operates 200 dealerships across the country and represents multiple brands, was targeted by LockBit in a ransomware attack. The group demanded a $60 million ransom, but Pendragon refused to pay and subsequently obtained a High Court injunction against LockBit.
In November, the LockBit ransomware group targeted French defence and technology firm Thales. While Thales denied that its systems had been hacked, it confirmed that data had been stolen from a user account. LockBit subsequently leaked 9.5GB of archive files, thought to include corporate and technical documents, and claimed that it had also stolen commercial documents, customer files, accounting files, and software from the company.
That month, LockBit also targeted German multinational automotive group Continental, offering the stolen files for sale on its leak site for $50 million. Negotiations between the two parties reportedly failed; the ransom originally demanded was not disclosed.
A Costa Rica-like incident played out in Vanuatu, a small archipelago in the South Pacific, in November. A ransomware attack caused widespread disruption: official government email addresses stopped working, and websites for the island nation's parliament, police, and prime minister's office were disabled. Intranets and online databases for schools and hospitals were also made inaccessible. No group claimed responsibility for the attack.
During the same month, Malaysian low-cost airline AirAsia fell victim to the Daixin Team ransomware group. The group claimed to have obtained personal data for five million unique passengers and all of the company’s employees. Samples of the stolen data, including passenger and employee information, were uploaded to Daixin’s leak site.
In a separate incident, the ALPHV/BlackCat ransomware group targeted Thailand-based low-cost airline Nok Air. The group claimed to have exfiltrated over 500GB of data from the company and posted some of the stolen information on their leak site.
In late November, a suspected ransomware attack impacted servers at the All India Institute of Medical Sciences (AIIMS). This caused delays for patients as registration, sample processing, and billing systems went offline. All services were forced to operate manually while the incident was being resolved. An investigation with law enforcement authorities is ongoing, and measures are being taken to prevent further attacks.
The Guardian newspaper faced a "serious IT incident" in late December that affected access to all its offices. Employees were advised to work from home and stay off the VPN. "There has been a serious incident which has affected our IT network and systems in the last 24 hours. We believe this to be a ransomware attack but are continuing to consider all possibilities," a Guardian Media spokesperson said in an email to The Cyber Express.