April – June 2022
The second quarter of 2022 demonstrated some interesting activity in the ransomware world. We saw a complete revamp of Lockbit, the most prolific Ransomware-as-a-Service (RaaS), from 2.0 to 3.0, or Lockbit Black, and Conti closed shop, with their best developers and affiliates likely shifting to other RaaS operations including Blackbasta, AlphV, and more.
Overall, April through June saw a decrease in activity, with 574 claimed victims. Compared to 868 victims from the previous quarter, this 34% decrease in victims is significant compared to previous quarters. The dissolution of Conti as an actively operating ransomware group in Q2 meant the group only claimed 41 victims, compared to 103 in Q1 2022 which contributed to the decrease in total victims for the quarter. GRIT also observed a steep decrease in claimed victims from the Clop ransomware group, with only 11 posts this quarter, compared to 173 throughout the first quarter of 2022. Lockbit’s transition from version 2.0 to 3.0 led to a significant slump in June, which equates to approximately 40 less victims than expected based on their average claimed victim rate throughout 2022.
Manufacturing and Construction were among the top 3 industries victimized this quarter, accounting for 18.3% of all claimed victims, combined. These two industries are primary targets for Blackbasta, according to most ransomware reporting. This is validated by Blackbasta being the second-highest ransomware group with claimed victims in these industries, second only to Lockbit.
