Ransomware crews regrouping as LockBit rise continues

Overall volumes of ransomware activity dropped somewhat during the third quarter of 2022 as the cyber criminal underground regrouped and refocused following the apparent demise of the Conti operation and the subsequent rise of LockBit, but a slight uptick in September may herald new campaigns, according to an assessment of the threat landscape conducted by Digital Shadows.

Digital Shadows’ Riam Kim-McLeod said that overall activity declined 10.5% from the second quarter (Q2), with August the quietest month observed during the period in terms of total victims, coming in at just over 150 named victims compared to a year-high of just over 300 in May. September saw closer to 250 named victims.

As previously observed and reported by others, the LockBit operation was by some margin the most active cartel of ransomware actors during the period, cementing its dominance following Conti’s exit and the launch in June of version 3.0 of their locker.

LockBit increased its overall “market share” from 32.8 to 35.1% of victims in quarter three (Q3), and accounted for 40% of victims in September, despite criticism from its rivals, and even distributed denial of service (DDoS) cyber attacks against its infrastructure.

“LockBit’s success is coming at a price: the group is increasingly inviting resentment from competing threat groups and possibly former members,” wrote Kim-McLeod.

“LockBitSupp [the group’s public spokesperson] frequently – and infamously – gets into public spats with other ransomware representatives, including the representatives of Conti and ‘Alphv’. It is realistically possible that a rival group targeted LockBit under the guise of retaliation for the Entrust breach.

“In mid-September 2022, a leaked LockBit 3.0 builder was posted on Twitter by a user claiming that their team managed to ‘hack several LockBit servers’. LockBit denies the claims: LockBitSupp alleged that the group was not hacked, instead blaming a disgruntled former developer for the leak.

“Regardless of the source, the builder appears to be legitimate, which will likely have consequences in Q4 2022 if other threat actors weaponise the builder for their purposes,” she added.

But LockBit is not the only group in the ascendant following Conti’s highly public fall, with the likes of Black Basta, Hive Leaks and Alphv/BlackCat also making waves – the first two suspected of having links to Conti.

“In Q3 2022, we observed the emergence of 12 new ransomware data-leak sites. Some are from new groups, while others belong to older groups that began conducting double extortion during the quarter,” wrote Kim-McLeod.

“Some of these, including ‘BianLian’ and ‘Medusa Locker’, hit the ground running, immediately surpassing established ransomware groups like ‘BlackByte’ in the number of victims named. 

“At the end of last quarter, we hypothesized that we would see a rush of new groups led by former Conti members. It is unclear if these new groups have direct leaks to Conti. However, whether these new groups have links to Conti or not, they were likely launched opportunistically to fill the market gap left by Conti.”

Other notable trends in ransomware during the quarter included a spate of incidents in which ransomware was used as a tool by nation state-linked advanced persistent threat (APT) actors in the service of furthering the political goals of their paymasters.

These included attacks on government agencies in Albania, attributed to an Iranian APT, which resulted in the severing of diplomatic ties between Albania and Iran, and in Montenegro, attributed to Russia-linked groups.

Looking ahead at the closing months of 2022, Digital Shadows’ researchers expect activity to increase in the run up to the festive period, some of it inevitably linked to the opportunistic distribution of malware via lures linked to shopping opportunities.

The LockBit builder leak is not expected to have a material affect on LockBit’s dominance, but it may spur the rise of new ransomware variants built on its foundations, while the group’s dominance of the underground scene will likely attract the attention both of rivals, and of international law enforcement.