Ransomware Landscape Evolves in a Post-Conti World

In the month after the Conti group closed its operations and shut down all its servers, researchers have observed several other actors taking the prolific group's place with novel attack tactics and new ransomware versions.

In May, the Conti gang shuttered the admin panel of its website and shut down its servers, including the ones used to negotiate ransom payments with victims. The moves left security analysts wondering how the ransomware landscape would be impacted, as Conti had presented a major threat for almost two years, with the U.S. government in September warning of attacks by Conti affiliates against health care providers, 911 systems and many other critical organizations.

Since the ransomware group’s shutdown, researchers with Digital Shadows who have been tracking ransomware activity over the past quarter said members have likely branched out into other, smaller groups and will continue to launch attacks under rebranded names. For law enforcement, this fragmentation makes it more difficult to target the operation as a single entity, said Ivan Righi, senior cyber threat intelligence analyst at Digital Shadows.

“It is almost certain that all big ransomware gangs will cease operations sometime in the future and break down into other groups,” said Righi. “Members of the Conti group will likely simply break down into other groups and continue launching attacks. Law enforcement operations have certainly served as a deterrent against ransomware operations. However, due to broken international relations between Russia and other countries, it is unlikely that operators who live in Russia will face legal consequences.”

Overall, researchers with the Digital Shadows Photon Research team on Wednesday said that they observed a “significant and highly active” second quarter in 2022 for ransomware activity, with 705 organizations named to ransomware groups’ data leakage websites, representing a 21.1 percent increase compared to the first quarter.

It’s worth noting that in recent years, the first quarter has typically had low ransomware activity (and this year’s first quarter was no exception, with a 25.3 percent decrease in activity from the previous quarter), so an increase from the first quarter to the second quarter is not entirely surprising. In fact, in 2021, ransomware activity rose by 40 percent between the first and second quarter.

“The large rise in 2021 was likely higher due to the extensive adoption of double-extortion techniques in early 2021,” Righi said. “This trend will likely continue in future years, although the ransomware threat landscape can be volatile and unpredictable.”

Researchers have observed several shifts from both existing and new ransomware groups that contributed to the second-quarter increase in attacks. Leading the charge is a steady surge in attacks by the LockBit ransomware-as-a-service (RaaS) operation, which has overtaken Conti in the total number of victims claimed. With nearly 1,000 victims at the time of publication, LockBit is the most active group to date, researchers said.

The Emergence of Existing and New Ransomware Groups

LockBit has over the past year targeted various organizations globally, including ones in Chile, Italy and the UK. More recently, this year researchers tracked a variant of LockBit targeting VMware’s ESXi enterprise-class virtual machine platform, as well as multiple LockBit intrusions that were attributed to a threat cluster sharing numerous overlaps with the well-known Evil Corp cybercriminal group.

Adding fuel to the fire, LockBit recently released LockBit 3.0, which attackers have touted as an improved version of the ransomware with new capabilities and features. The latest version comes with a data-leak site that allows anyone to purchase data stolen from victims, and a feature that lets victims pay to extend their ransom deadline by 24 hours, or to have all their data destroyed. In another new feature, the ransomware group claimed that it would offer rewards for exploits, personally identifiable information and information on high-value targets; however, Digital Shadows researchers cautioned that such claims should be treated with skepticism.

“Digital Shadows observed threads on a Russian-speaking cybercriminal forum discussing LockBit’s new program and users stated that the offering from USD 1,000 was inadequate when compared to rewards offered by other marketplaces,” said researchers. “Some users were also skeptical as to whether LockBit would actually pay for vulnerabilities disclosed, highlighting that the program could not attract many participants.”

Researchers believe that LockBit’s latest variant will play an important role in the ransomware landscape in the coming year, but another major factor is the emergence of several other ransomware groups, including Alphv, which has seen a 117.9 percent increase in activity over the previous quarter, and Vice Society, which increased 100 percent in activity over the previous quarter. Other groups that have started to shape the ransomware landscape in the past few months include the Black Basta ransomware, first discovered in April, and the Industrial Spy data extortion marketplace, which was observed in May launching a ransomware operation.

The ransomware market moves at a rapid pace, and Conti joins a number of high-profile ransomware operators that have shut down or disappeared over the last year, including REvil, DarkSide and Avaddon. While the U.S. government has taken several significant steps to combat ransomware over the past year, authorities are still struggling to crack down on key factors that form the backbone of the ransomware ecosystem, including the safe-haven countries that allow ransomware gangs to operate within their borders, the Institute for Security and Technology’s Ransomware Task Force (RTF) said at a May event.

“Law enforcement action is effective against countries that have extradition treaties with the US. Affiliates operating within these countries run a higher risk of facing legal action, and we have observed instances of groups ceasing operations in fear of law enforcement operations,” said Righi. “Closure of data-leak sites and other criminal sites has also been helpful, but groups often create new sites fairly quickly.”