LockBit and Black Basta Are the Most Active RaaS Groups as Victim Count Rises Ransomware in Q2 and Q3 2022

LockBit and Black Basta Are the Most Active RaaS Groups as Victim Count Rises: Ransomware in Q2 and Q3 2022

With contributions from Shingo Matsugaya

Our monitoring of ransomware activity for the second and third quarters of 2022 focuses on the four ransomware families that registered the highest numbers of attacks: LockBit, BlackCat, newcomer Black Basta, and Karakurt, deemed as the extortion arm of the Conti ransomware group.

Notably, LockBit and Black Basta consistently occupied the first and third ranks, respectively, for the second and third quarters of 2022, based on the total victim count gathered from their leak sites. These two ransomware actors pulled in the highest number of victims for the second and third quarters combined. Data from their leak sites showed that LockBit tallied a total of 436 victim organizations, while Black Basta had a total of 101 during the six-month period. Karakurt, on the other hand, ranked second in the third quarter, a spot that BlackCat held in the second quarter of the year.

For speed of malware deployment and heftier payouts, ransomware actors continued to favor the ransomware-as-a-service (RaaS) model for the period of April to September 2022, sustaining the trends discussed in our first quarter ransomware report for the year. This report is based on data from RaaS and extortion groups’ leak sites, Trend Micro’s open-source intelligence (OSINT) research, and the Trend Micro™ Smart Protection Network™, collected from April 1 to Sept. 30, 2022.

Ransomware detections in the third quarter rose by 15.2% versus the previous quarter as active RaaS groups increased by 13.3%.

Data from our telemetry showed that in the third quarter, we detected and blocked a total of 4,138,110 ransomware threats across email, URL, and file layers. This is a 15.2% increase in overall ransomware threat detections in the second quarter of 2022, which tallied a total of 3,592,433.

Third-quarter data from the ransomware groups’ leak sites, which published attacks on organizations that were successfully compromised but refused to pay the ransom, reveals that the total number of ransomware victims grew by 109 or an 18.4% growth versus the second quarter of 2022. Likewise, the total number of active RaaS and RaaS-related groups for the third quarter went up by 13.3% from the second quarter of this year.

Figure 1. The number of active RaaS and extortion groups and victim organizations of successful ransomware attacks in the second and third quarters of 2022
Source: RaaS and extortion groups’ leak sites

Prominent ransomware actors top the most active list of RaaS groups in the second and third quarters of 2022

Based on data collected from the ransomware groups’ leak sites, the highest numbers of successful attacks in the six-month period are attributed to well-known RaaS operators: LockBit, BlackCat, Black Basta, and data-extortion group Karakurt.

LockBit kept a steady lead from January to September 2022. It accounted for more than a third of the total number of victim organizations in the first (35.8%), second (34.9%), and third (40.6%) quarters of 2022. A tenth of the attacks in the third quarter belonged to Karakurt at 10.4%, followed by Black Basta at 8.8%. For the second quarter, BlackCat took a 9.2% share, while Black Basta got 8.6% of the total number of successful attacks.

 

Figure 2. The most active ransomware families used in successful RaaS and extortion attacks in terms of victim organizations from April 1 to Sept. 30, 2022
Source: RaaS and extortion groups’ leak sites

Data gathered from our monitoring of ransomware attempts to compromise Trend Micro customers showed that, save for July, LockBit consistently launched a significant number of attacks, but no discernible pattern can be gleaned from the numbers. Meanwhile, the same can also be said of BlackCat with detections peaking in July at 395; we detected none in August, but attempts were once again observed in September at 175 detections.

Black Basta detections began in May and have not stopped since then. August saw the highest number of attack attempts at 84. We had no detections of attack attempts from the Karakurt group in the six-month span.

Figure 3. The number of ransomware file detections of LockBit, BlackCat, and Black Basta in machines per month in the second and third quarters of 2022
Source: Trend Micro™ Smart Protection Network™

LockBit makes headlines for new initiatives and high-profile attacks in the third quarter

LockBit’s ability to frequently upgrade its malware capabilities and its strong affiliate program enable it to intensify its foothold in the RaaS space. The group is also known for using double extortion in its tactics. Double extortion involves encrypting the victims’ data and demanding payment in exchange for restoring access, coupled with a threat to publish the stolen data on the dark web should organizations refuse to pay the ransom.

In late June 2022, LockBit launched LockBit 3.0, the latest iteration of the group’s ransomware. Our report notes that LockBit 3.0 possesses an anti-analysis technique to conceal itself. Similar to that of BlackCat, this technique does not need a password to execute.

The group launched LockBit 3.0 concurrently with its bug bounty program, a pioneering initiative in ransomware operations. The bug bounty program encourages cybercriminals to submit vulnerability reports to improve the group’s operations in exchange for remuneration ranging from US$1,000 to US$1 million. With self-preservation in mind, the gang’s crafty reward scheme is designed to incentivize hackers to discover vulnerabilities that can be deemed as consequential red flags that signify risks to the longevity of its operations.

On June 18, 2022, a digital security firm that provides identity management and authentication services to a broad base of high-value clients, including several major US government agencies, fell prey to an attack by LockBit. The breach was only made public on July 21, 2022 when Dominic Alvieri, a security researcher, tweeted a screenshot of the security notice that the firm sent to its customers confirming that its systems were compromised and that data had been stolen.

August saw an interesting case of role reversal when the attacker was victimized by distributed denial-of-service (DDoS) attacks that forced LockBit to shut down its leak sites multiple times. LockBit’s representative, known as LockBitSupp, pinned the blame on the security firm mentioned previously for the attacks. In an apparent act of retaliation, LockBit created a page on its leak site dedicated to the firm and threatened to publish all the stolen information, thus implying that the victim had refused to pay the ransom.

September also proved to be eventful for LockBit as Twitter user @ali_qushji tweeted that his team was able to infiltrate a number of LockBit’s servers and gained possession of the LockBit 3.0 ransomware builder. LockBit denied such claims and said that a disgruntled former developer was responsible for leaking its latest encryptor code, as disclosed by LockBit’s public representative who shared the gang’s version of the story to the research team VX-Underground. The leaked encryptor code, however, might create opportunities for other malicious actors to weaponize it for future campaigns.

Karakurt resurfaces from its lair 

Of the ransomware gangs discussed in this report, Karakurt (aka Karakurt Lair and Karakurt Team) sets itself apart as the group that does away with encryption and instead leverages data exfiltration and data leak for extortion. A joint advisory issued by several US federal agencies that include the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), among others, cautioned the public against the group bent on extorting millions in cryptocurrency from organizations across North America and Europe.

First observed in June 2021, Karakurt was uncovered by security researchers as the extortion arm of the infamous Conti ransomware group. Researchers reportedly gained access to the email accounts of a Conti member and found that this member made a connection to an IP address that researchers had previously identified as the one being used by Karakurt to host its leak site for victims that declined to negotiate. The report also mentioned that the late Vitali Kremez, a security analyst, had asserted that Karakurt was Conti’s wily means to repurpose — and thus monetize — unsuccessful attacks that did not progress to the encryption phase because the target organization’s defenses had blocked the ransomware payload delivery. It’s worth noting that Conti’s ability to pivot from failed ransomware attacks by switching to extortion schemes lays bare its agility and entrepreneurial abilities through Karakurt Team.

The Health Sector Cybersecurity Coordination Center (HC3) published an analyst note warning healthcare and public health organizations about the Karakurt ransomware group. The note states that the extortion group steals information and uses threats to auction off or publish stolen data unless ransom is paid. The warning also mentioned that ransom payments range from US$25,000 to US$13 million in bitcoin, with victims being given a week from first contact to settle the ransom. In addition, HC3 mentioned that Karakurt uses harassment campaigns to shame its victims.

Among its targets, Karakurt preyed on a Texas-based hospital, from which the group stole and leaked personally identifiable information (PII). The number of affected patients remains unknown as of this writing. Investigations into the incident revealed that the hospital’s systems were being accessed illegally by the Russian-speaking gang from May 20 to July 7, 2022.

BlackCat appears well-poised for the long haul

First reported in November 2021 by researchers from the MalwareHunterTeam, BlackCat (aka AlphaVM, AlphaV, and ALPHV) swiftly rose to notoriety in the past half of the year owing to its reputation as the first major professional ransomware family to be written in Rust, a cross-platform language that enables threat actors to easily create bespoke malware for different operating systems like Windows and Linux. BlackCat’s use of triple extortion has also given the group a distinct competitive edge over other RaaS operators. Aside from exposing exfiltrated data, ransomware actors that use triple extortion threaten to launch DDoS attacks on their victims’ infrastructure to coerce them more strongly into paying the ransom.

A European federal state was one of the group’s high-profile victims in late May 2022. The group reportedly demanded US$5 million in ransom in exchange for software to decrypt the locked computer systems. The attack resulted in a massive disruption of government services as thousands of workstations were compromised.

BlackCat’s launch of its public data leak site is a potential game changer for RaaS operations as leak sites have typically been hosted on Tor sites that limit the visibility of data to victims, threat researchers, and other cybercriminals. BlackCat’s public leak site makes stolen information accessible and searchable by everyone, thus applying more pressure on victims to accede to the malicious actors’ demands.

Another noteworthy point here is that according to the flash alert released by the FBI on April 19, 2022, several developers and money launderers for BlackCat have ties to BlackMatter and DarkSide, suggesting that the gang has considerable experience and vast networks with other RaaS operators.

Black Basta has swiftly become a major threat after successive high-profile attacks 

Black Basta rapidly carved its niche in the RaaS marketplace through its deft use of double-extortion tactics and extensive attack arsenal that includes tools like the QakBot trojan and PrintNightmare exploit. Our report on Black Basta notes that the group is more targeted in choosing its victims. Despite being spotted only in April 2022, the Black Basta operators have demonstrated a firm grasp of the business, evidenced by how they tap into underground networks to obtain access to corporate credentials and the presence of hard-coded unique IDs in every Black Basta build.

In mid-April 2022, a prominent US-based medical association suffered a ransomware attack from Black Basta, forcing it to take multiple systems offline. The gang published the private information of the organization’s members on its leak site 96 hours after the attack happened.

Meanwhile, a German wind farm operator and an American agricultural equipment manufacturer were among Black Basta’s victims in April and May, respectively. Aside from disrupting business operations, the group published the data it stole from both organizations on its leak sites. Black Basta showed no signs of letting up as it deployed a Linux build of its ransomware in June 2022. This version was designed to encrypt VMware ESXi virtual machines (VMs) that researchers found in the wild.

In late June 2022, Black Basta claimed responsibility for the attack on another German-based organization, this time a multinational building and construction materials firm. The attack crippled operations across 150 production sites worldwide and compelled the firm’s IT teams to take their systems offline to contain the infection. The Black Basta operators listed the organization as a victim on their leak site on July 16, two weeks after the breach took place.

Small and midsize businesses were hit the hardest in the second and third quarters

It comes as no surprise that the predatory nature of cybercrime predisposes malicious actors to aim at organizations perceived as highly vulnerable. Ransomware actors know that the entire operation of small and midsize businesses can be put to a grinding halt when faced with cyberattacks, as these businesses have fewer IT security resources to respond to cyberattacks.

Data from LockBit’s leak site showed that it primarily preyed on small organizations (with 200 employees at most) that accounted for 64.6% in the second quarter and 57.8% in the third quarter of successful attacks this year. Midsize businesses (with 201 to 1,000 employees) comprised 18.4% and 12.2% of its attacks in the second and third quarters, respectively, while large enterprises (with more than 1,000 employees) accounted for 12.1% in the second quarter, with numbers going up slightly in the third quarter at 16.1%.

More than half of BlackCat’s successful attacks in the second quarter of 2022 targeted small businesses at 55.6%, followed by midsize companies that had a share of 24.1%. Large enterprises made up a fifth of the total at 20.4%.

Karakurt also showed a clear preference for small and midsize businesses for the third quarter. Combined, the two categories take up 78% of total victim count, while large enterprises got a 16% share of the total.

Small businesses comprised 43.1% of Black Basta’s victims in the second quarter and 40% in the third quarter. On the other hand, midsize organizations got shares of 35.3% and 38% in the second and third quarters, respectively. Large enterprises constituted 21.6% in the second quarter, decreasing to 16% in the third quarter.

Figure 4. The distribution by organization size of LockBit, BlackCat, and Black Basta’s successful attacks in terms of victim organizations in the second and third quarters of 2022
Source: LockBit, BlackCat, and Black Basta’s leak sites and Trend Micro’s OSINT research

Fast-moving consumer goods and healthcare industries were favored targets of attacks in the second quarter, while banking and technology topped the list in the third quarter

From April to May 2022, our telemetry revealed that fast-moving consumer goods (FMCG) and healthcare industries ranked the two highest in terms of ransomware file detections. These were followed by organizations in the manufacturing, government, and retail industries.

Figure 5. The top three industries in terms of ransomware file detections in machines per month in the second quarter of 2022
Source: Trend Micro Smart Protection Network

Interestingly, the third quarter paints a different picture with the rise of detections from the banking and technology industries. The number of detections from FMCG placed it in the topmost spot in July and in the second spot in August. Banking ranked first in August and September, while technology had the second and third highest number of detections in July and August, respectively.

Figure 6. The top three industries in terms of ransomware file detections in machines per month in the third quarter of 2022
Source: Trend Micro Smart Protection Network

Organizations in the IT, finance, healthcare, construction, and professional services industries have made it to the top five list in the second and third quarters of 2022 in terms of the number of file detections. These industries have also been consistently targeted by RaaS and extortion groups from January to September 2022.

Even before the pandemic happened, industries in the top five list of the hardest-hit mentioned earlier were already seen by malicious actors as big-game targets because of inherent business characteristics that endow them with a wide attack surface, such as the number of their offices worldwide, the significant number of on-site and remote workers that are dispersed locally and overseas, and the layers and breadth of services they provide the public, among others. Given this context, RaaS operators reckon that the likelihood of bigger payouts from these industries is higher. Indeed, the need to protect their customers’ data and resume normal business operations as soon as possible provides compelling reasons for them to settle the ransom.

Figure 7. The top 10 industries affected by successful RaaS and extortion attacks in the second and third quarters of 2022
Source: RaaS and extortion groups’ leak sites and Trend Micro’s OSINT research

Data from the LockBit ransomware group’s leak site in the second and third quarters of 2022 shows that the construction, healthcare, IT, manufacturing, food and staples, and professional services industries consistently made it to the top 10 list of LockBit’s victims.

Table 1. The top industries affected by LockBit’s successful attacks in terms of victim organizations in the second and third quarters of 2022
Source: LockBit’s leak site and Trend Micro’s OSINT research

Of BlackCat’s successful attacks, 16.7% belonged to the finance industry, followed by legal services at 13%. These industries are the same ones we saw for LockBit in the first quarter of 2022.  

Table 2. The top industries affected by BlackCat’s successful attacks in terms of victim organizations in the second quarter of 2022
Source: BlackCat’s leak site and Trend Micro’s OSINT research

Karakurt’s target industries for the third quarter of 2022 mirrored those in the top five of the aggregate list shown in Figure 7. Its leak site victim tally showed that six organizations belonged to the professional services industry, while healthcare, IT, finance, and construction each had five organizations.

Table 3. The top industries affected by Karakurt’s successful attacks in terms of victim organizations in the third quarter of 2022
Source: Karakurt’s leak site and Trend Micro’s OSINT research

As Black Basta sprang into action in the second quarter of the year, organizations from the construction industry were among the group’s victims, accounting for 16.7% of the total number of detections. The victim tally on its leak site in the third quarter of 2022 shows that, except for transportation, the four other industries in its most recent list were the same ones the group targeted in the second quarter of the year.

In addition, reports of Black Basta’s Linux build (released in June 2022 as an attempt to compromise VMware ESXi VMs) suggest the gang’s inclination to target enterprises. As organizations migrate to VMs for ease of device management and efficiency of resource utilization, the malicious actors’ shift to enterprise targeting makes good business sense since doing so allows them to encrypt multiple servers with minimal effort.

Table 4. The top industries affected by Black Basta’s successful attacks in terms of victim organizations in the second and third quarters of 2022
Source: Black Basta’s leak site and Trend Micro’s OSINT research

Organizations in North America and Europe top the list of hardest-hit regions

As we delved into the RaaS and extortion groups’ leak sites, we found that overall, organizations based in the US were at the receiving end of ransomware attacks from April to September 2022, accounting for 54.9% of the total victim count in the second quarter and 52.8% in the third quarter. Ransomware attacks also took their toll on a significant number of European countries for the same period.

Figure 8. The top 10 countries affected by successful RaaS and extortion attacks in the second and third quarters of 2022
Source: RaaS and extortion groups’ leak sites and Trend Micro’s OSINT research

Organizations in North America and Europe dominated LockBit’s victim list from April to September 2022 as these regions alternately occupied the first and second spots in the second and third quarters of the year. An obvious pattern from the leak site data is that the US and Europe each account for a third of the total number of LockBit’s victims for the given period.

Asia-Pacific and Latin America ranked third and fourth in the second and third quarters, maintaining the shares that they had for both quarters. Asia-Pacific accounted for 17.5% and 17.8% in the second and third quarters, respectively, while Latin America got 8.7% and 8.3% of the total for the same periods.

Figure 9. The top regions affected by LockBit’s successful attacks in terms of victim organizations in the second and third quarters of 2022
Source: LockBit’s leak site and Trend Micro’s OSINT research

The majority of BlackCat’s victims are in North America, making up 59.3% of the total number of successful attacks for the second quarter of 2022. This figure indicates an upward trend from the first quarter of 2022, as half of BlackCat’s attacks during that period also belonged to US-based organizations. European enterprises account for 24.1% of total victim count, with a few scattered in Asia-Pacific, the Middle East, and Latin America.

Figure 10. The top regions affected by BlackCat’s successful attacks in terms of victim organizations in the second quarter of 2022
Source: LockBit’s leak site and Trend Micro’s OSINT research

Data from Karakurt’s leak site confirms that the ransomware actor focused its attacks on organizations based in North America, which comprised 72.9% of the total victim count for the third quarter of 2022. Europe ranks far second at 13.6% of the total number of victims. The group’s connection to an established RaaS operator like Conti implies that more attacks can be expected from it as it functions to monetize Conti’s failed attempts to encrypt the files from the systems that it has compromised.

Figure 11. The top regions affected by Karakurt’s successful attacks in terms of victim organizations in the third quarter of 2022
Source: Karakurt’s leak site and Trend Micro’s OSINT research

“Black Basta’s victims in North America increased in the third quarter. From 28 in the second quarter, this went up to 32, equivalent to 64% of the total victim count of 50. Black Basta also cast its net over European territories, which logged in a third of the total victim count in the third quarter, from 43.1% of the total victim count in the second quarter.

Figure 12. The top regions affected by Black Basta’s successful attacks in terms of victim organizations in the second and third quarters of 2022
Source: LockBit’s leak site and Trend Micro’s OSINT research

Shield organizations from ransomware attacks by adopting security practices and solutions early on

Regardless of size, organizations are vulnerable to modern ransomware attacks, deemed as one of the significant threats to business health now and in the foreseeable future. Malicious actors have every motive to constantly upgrade their malware arsenal, devise more stealthy schemes to outdo competition, and grab a bigger share of the bounty. A proactive mindset for mitigating the risks of ransomware attacks is therefore key. We recommend adopting the following security best practices:

  • Enable multifactor authentication (MFA). Organizations should implement policies that require employees who access or store company data on their devices to enable MFA as an added layer of protection to prevent unauthorized access to sensitive information.
  • Always back up your data. Organizations should follow the “3-2-1 rule” to safeguard their important files: Create at least three backup copies in two different file formats, with one of those copies stored off-site.
  • Keep systems up to date. Organizations should update all their applications, operating systems, and other software as soon as vendors and developers release patches. Doing so minimizes the opportunities for ransomware actors to exploit vulnerabilities that enable system breaches.
  • Verify emails before opening them. Malicious actors rely on means such as using embedded links or executable downloads attached in emails sent to employees to install malware. Organizations should therefore train their employees to be aware of such methods in order to avoid them.
  • Follow established security frameworks. There’s no need to reinvent the proverbial wheel. Organizations can craft cybersecurity strategies based on the security frameworks created by the Center of Internet Security (CIS) and the National Institute of Standards and Technology (NIST). The security measures and best practices outlined in these frameworks can guide members of an organization’s security team in developing their own threat mitigation plans.

Organizations can strengthen their cybersecurity infrastructure through multilayered detection and response solutions that can anticipate and respond to ransomware movements before operators can launch an attack. Trend Micro Vision One™ is equipped with extended detection and response (XDR) capabilities that gather and automatically correlate data across multiple security layers — including email, endpoints, servers, cloud workloads, and networks — to prevent ransomware attack attempts.

Organizations can also benefit from solutions with network detection and response (NDR) capabilities, which can give them broader visibility over their network traffic. Trend Micro Network One™ provides security teams with the critical network telemetry they need to form a more definitive picture of their environment, accelerate their response, and avert future attacks.

The supplementary data sheet for this report, including data from RaaS and extortion groups’ leak sites, Trend Micro’s OSINT research, and the Trend Micro Smart Protection Network, can be downloaded here.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.