Evolving Ransomware Tactics and Trends Observed in Q1 2022

Unauthorized access to network access spikes

• In a Q1 2022 ransomware report, KELA researchers revealed that more than 150 networks were accessed in ransomware attacks carried out by BlackByte, Quantum, and BlackCat. Accesses to these networks were most likely bought by ransomware affiliates. 
• Over 521 offers were made for access to the networks in the last three months, with the cumulative price surpassing $1.1 million. The access was offered by 116 different threat actors, with Naveli, PumpedKicks, and Chiftlocal being the most active of all. 
• While Naveli was selling RDP access, PumpedKicks mainly offered SQL vulnerabilities, login credentials, and VPN access to corporate companies. Chiftlocal sold exploit tools for network access to Australia and U.S.-based companies. 

Ransomware gangs adopt new methods

• A few ransomware groups were observed using relatively new extortion tactics to put more pressure on victims.
• The tactic involves hiding the victims’ names and only describing them by their industry, size, and stolen data. If the victims failed to pay the ransom, the gang would edit the post and disclose their names. 
• KELA observed this tactic adopted by Midas, Lorenz, and Everest threat groups. 
• This tactic is also used by other ransomware gangs, who prepare hidden web pages on their data leak sites and give the URL only to the victim. This is to establish a claim on stolen data without damaging the negotiation process. 

Prominent ransomware groups

• LockBit was one of the most active ransomware groups in Q1.
• The group had added 226 new victims from a wide range of industries, with the highest number of victims from the manufacturing and technology, education, and public sectors. 
• Besides LockBit, the quarter witnessed some high-profile attacks from Conti, BlackCat, Hive, and Karakurt.
• Despite the data leak incident, Conti did not refrain from its activities and formed Karakurt as its sub-group.   
• The notoriety of the relatively new BlackCat ransomware also became a matter of concern after the FBI released Indicators of Compromise (IoCs) to show the ransomware’s connection with BlackMatter and DarkSide.

Multiple groups target the same victim

• KELA observed a trend where some of the prominent groups were attacking each other’s victims over time.
• For example, on January 15, a U.S.-based auto dealer was claimed to be compromised by Conti. However, on March 23, the company’s details were disclosed on the leak site of BlackCat. Moreover, on April 4, AvosLocker added the same company on its site, sharing screenshots identical to BlackCat. 

Conclusion