Threat analysts have observed an unusual trend in ransomware group tactics, reporting that initial phases of victim extortion are becoming less open to the public as the actors tend to use hidden or anonymous entries.
By not disclosing the victim’s name immediately, the ransomware operatives give their targets a more extended opportunity to negotiate the ransom payment in secrecy while still maintaining a level of pressure in the form of a future data leak.
KELA, an Israeli cyber-intelligence specialist, has published its Q1 2022 ransomware report that illustrates this trend and highlights various changes in the field.
Top actors and targets
In the first quarter of 2022, the total number of ransomware victims dropped by a significant 40%, from 982 in Q4 2021 down to 698.
That was partly due to Conti’s gradual decline and eventual exodus and also due to the newer groups not producing the same attack volumes as those that departed in the previous quarter.
The crown for this period goes to LockBit, the most prolific and prominent ransomware threat, disclosing 226 victims, almost the same as in the previous quarter.
Of the new threat actors, Alphv accounted for 8% and Karakurt for 5% of the published victims, which is significant but nowhere near LockBit’s 32% or even Conti’s 18%.
The finance sector recorded a quarter-to-quarter increase of 40% in the number of victims, while professional services, healthcare, manufacturing, and technology remained stable in the top five most targeted sectors.
Finally, the United States topped the list of the most targeted countries with 40%, followed by the UK, Italy, Germany, and Canada. France, which was in the top five previously, wasn’t as targeted in recent months.
Initial access brokers remain a crucial link in the ransomware attack chain, and KELA has spotted 116 sellers of this kind in Q1 2022, which is an increase of 15% compared to the previous quarter.
Some access brokers like “Novelli” have been active in cybercrime forums since 2019, mainly selling RDP access, while others like “Chiftlocal” appeared in the field for the first time in March 2022.
Another important seller seen by KELA’s threat analysts is “Pumpedkicks,” also known as “Mont4ana,” who offers SQL flaws and login credentials to corporate networks. Recently, that actor also added VPN access to US firms and government entities.
Do multiple gangs attack the same victim?
KELA has also seen a trend where some groups, such as Conti, Hive, AlphV, and AvosLocker, publish data for the same victims.
While these different ransomware operations claim to have conducted the attack, BleepingComputer believes that these attacks are from the same affiliate that is working with multiple ransomware gangs.
Furthermore, a recent report explains how the Conti ransomware gang has shut down, with its members switching to different Ransomware-as-a-Service operations.
It is possible that the same threat actors have now moved to different operations and continue to exploit the victims of previous attacks.
Hiding victim names
The somewhat weird trend that unfolded in Q1 2022 is ransomware gangs hiding their victims’ names and only describing them by their industry, size, and stolen data.
KELA observed this tactic by Midas, Lorenz, and Everest, who threatened the victim that they would add their brand name to the extortion Tor site if they didn’t pay the ransom.
This tactic is also used by other ransomware gangs, who prepare hidden web pages on their data leak sites and give the URL only to the victim. This is done to show proof of the stolen data without damaging their negotiating position.
When a ransomware group immediately publishes their victim’s name, they often destroy any chance of reaching a successful negotiation outcome and receiving any money. By exposing the incident to the authorities, they make informal reception of large sums impossible.
Through practice, some adversaries may have found that it’s preferable to follow a more careful and protected approach, at least in the first stage of the extortion.