GRIT Ransomware Report – Q3 2022
Usually at this time each month, we’d be publishing a detailed GRIT Ransomware Report covering the previous month’s ransomware trends. However, since last month was also the close of the quarter, September’s ransomware trends are instead included in the Q3 GRIT Ransomware Report. What follows is a brief summary of the report’s contents, for the full details and analysis you can find the complete Q3 GRIT Ransomware Report here.
The Q2 2022 report revealed some interesting activity in the ransomware world. Lockbit’s complete revamp from 2.0 to 3.0–or Lockbit Black–paired with Conti’s closure led to a late-quarter dip in reported attacks. And with the shutdown, Conti’s best developers and affiliates likely shifted to other RaaS operations including Blackbasta, AlphV, and more. The future effects this would have on ransomware attacks and trends was unknown, but a quarter later we may be starting to see some of the impacts of such major shifts.
Compared to Q2, Q3 saw a slight decrease in the total number of publicly posted ransomware victims and a slowdown in the average public postings per day. However, GRIT observed some interesting trends, including Lockbit’s continued dominance among Ransomware-as-a-Service groups, Hive’s (highlighted in the July 2022 monthly ransomware report) 104% increase in publicly posted victims, and eight new ransomware groups that emerged in Q3.
The manufacturing industry (the leading target industry in Q2) saw a sharp decrease in publicly posted victims while the technology industry saw a sharp increase in victims, but despite these large changes, the manufacturing and technology industries tied for the most targeted industries in Q3. The United States continues to be the most impacted country with respect to publicly posted ransomware victims; however, Q3 saw 16 countries that were targeted for the first time this year, with six countries being targeted for the first time altogether.
One of the top 10 targeted countries, Spain, likely has the emergence of the Sparta ransomware group to blame for their move from 9th to 4th most targeted country. Due to their recent emergence and impact on the trends for the quarter, this quarter’s report focuses its threat actor spotlight on Sparta’s tactics and maturity.
GRIT Lead Analyst Drew Schmitt: “For the second quarter in a row, we saw a slight slowdown in ransomware activity, although as many industries are ramping up operations for holiday seasons, we expect to see increased targeting from prolific ransomware groups such as Lockbit, Hive, Blackbasta, and others whose goal is to financially profit from the victims they claim. We will continue to monitor ransomware trends to provide increased awareness so that blue teams can focus their efforts on proactively improving their security postures, implementing core cybersecurity concepts, and ensuring that they are ready in case they need to respond to an event.”