After a brief decline, organizations once again are bombarded with ransomware
Ukrainian law enforcement arrest two ransomware operators in October. Image: Ukraine National Police
Adam Janofsky April 13, 2022

The start of the year brought good news for organizations that have been struggling to secure themselves against cyberattacks.

The number of victims that ransomware actors posted on their extortion sites dropped significantly in January — just 143 victims were recorded that month, compared to 359 in November 2021, when attacks hit record levels.

But according to new data collected by Recorded Future, ransomware attacks have shot up since then. Groups including ALPHV, Conti, and LockBit posted a total of 214 victims in February and 309 victims in March. The limited data available for April attacks appears to continue the upward trend.

Although the number of victims dropped significantly early this year, the trend has since reversed. Image: Recorded Future

Although it’s impossible to know exactly how many ransomware victims there are on any given day, the groups behind the attacks in recent years have maintained extortion sites where they leak victim data to pressure companies and other organizations into paying demands. Recorded Future tracks the information posted on these sites, as well as data from government agencies, news reports, hacking forums, and other sources. The Record is an editorially independent publication owned by Recorded Future.

Cybersecurity experts blame the dip and subsequent spike on multiple factors, including the war in Ukraine, law enforcement crackdowns, and an expected decline in attacks around the winter holiday period.

A destabilizing force

Although ransomware groups know no boundaries, many gangs and their affiliates operate in Eastern Europe. As Russia threatened war with Ukraine at the beginning of the year — and invaded in February — it destabilized many ransomware groups in the region. Hackers who have taken up arms or are evading rocket strikes don’t have time for cybercrime, but they also find it difficult to work with their former peers, according to cybersecurity experts.

“Before the war, all the teams were multi-state — Ukrainian, Belarusian, Russian,” said Dmitry Smilyanets, who helps oversee the ransomware tracking project. “Once the conflict started, people had to make choices about who their friends are. Some teams disbanded, because it takes just one spark to start a conflict.”

In the early days of the war, many of these fractured groups turned away from financially-motivated crime, and instead focused on hacking as a political weapon. Dozens of groups declared allegiance to Ukraine or Russia — but as the war dragged on, they have slowly pivoted back to their old ways.

“They still need to make money,” said Smilyanets. “They have to feed their families, so they return back to financially-motivated crime.”

A steep decline

Another factor that contributes to the recent increase in ransomware attacks is that the decline starting in December was unusually sharp. Allan Liska, a ransomware expert at Recorded Future, says it’s typical for attacks to slow down or drop around the winter holidays. But the war in Ukraine, as well as multiple takedowns of ransomware groups, extended that dip.

The most active ransomware groups, according to their extortion sites. Image: Recorded Future

In January, Russian authorities arrested members of REvil — one of the most active and notorious ransomware gangs in recent years. The country’s intelligence agency, the FSB, said it charged several members of the group and that the organization had “ceased to exist.”

REvil, which was linked to attacks including JBS Foods and IT provider Kaseya, has not posted victims to its extortion site since October 2021, according to Recorded Future data.

Conti, another prolific ransomware group, faced its own crisis in February, when a member leaked internal communications after leaders posted pro-Russian language on the group’s official site.

The group has since resumed operations, and has taken credit for recent attacks against companies including Panasonic Canada and Snap-On Tools.

One positive takeaway from the data is that companies that used the break in ransomware attacks to strengthen their defenses and focus on prevention are in a better position than they were at the end of 2021. Although attacks have spiked, the groups are using tools and techniques similar to those they used in the past.

“We’re not seeing anything new in targeting trends,” said Liska. “No one is going after sensitive targets — it’s the same targets as before. And we’re not seeing any new techniques, just continual improvements on their old way of doing things.”

Adam is the founding editor-in-chief of The Record by Recorded Future. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.