Close this search box.

2022 in Review: The Year of Ransomware

2022 Year In Review

Ransomware had a big year in 2022, with attackers pummeling organizations of all sizes and across all sectors. While this threat has dominated for several years, it now outranks data breaches as the top cyber exposure concern globally – and 80% of surveyed security leaders believe ransomware is a growing and evolving threat to public safety.

Considering the increasing magnitude and sophistication of ransomware, it’s understandable why it keeps security leaders up at night. The 2022 SpyCloud Ransomware Defense Report found that 50% of organizations were hit with ransomware two to five times in the past year, compared to 34% the year before. Additionally, only 10% didn’t experience an attack in the past year, vs. 28% the previous year.

This threat is not only more destructive but also costlier than data breaches. The average ransomware attack costs an estimated $4.5 million (compared to $4.35 million for a data breach), and that’s even before ransom costs are added in.

To help understand what may be in store for 2023, we take a look at some of the 2022 ransomware trends.

The More Things Change, the More They Stay the Same: Ongoing Ransomware Evolution

The biggest theme of 2022 will sound familiar: ransomware tactics continue to evolve. This has been the ransomware gangs’ de facto operating mode for several years – why stop now?

Take double extortion schemes as an example. Only one ransomware group was using this tactic in 2019. By the first quarter of 2021, as many as 77% of attacks included a threat to release data.

In 2022, tactics evolved to weaponize ransomware in a physical conflict, as we saw Russia do as part of its war on Ukraine. Multiple attacks on strategic Ukrainian targets were linked to the Russian military, including an October attack on transportation and logistics companies in Ukraine and Poland. Russian hacktivists also got busy, using tactics such as tricking employees to download malicious software and infecting various companies across Ukraine.

To keep things interesting, certain ransomware gangs, most notably Lapsus$, reinvented themselves. Lapsus$, which was blamed for attacking Nvidia and Samsung, among other technology companies, deleted files and virtual machines rather than encrypting data. While their actions were described as chaotic, the havoc they’ve wreaked has been just as disruptive.

Ransomware Gangs Prove Resilient

An emerging theme of 2022 is the growing resilience of ransomware operators. This trend shows how deeply rooted the gangs’ infrastructure is; like any legitimate business that wants to ensure longevity, ransomware groups make certain they can endure setbacks. We saw this with Raccoon and REvil this year, and expect to see other gangs work on their hardiness.

Raccoon, an infostealer that sold on the dark web for about $200 a month, was disrupted when the U.S. government indicted the group’s mastermind and began dismantling its infrastructure. Undeterred, the gang resurfaced recently with Raccoon 2.0, advertising it as an improved version of the ransomware with expanded capabilities.

Likewise, the notorious REvil group – responsible for high-profile attacks like the one on the U.S. meat processor JBS Foods – had been purportedly disbanded by the Russian government, with several members arrested. However, at least one recent double extortion ransomware attack on Australia’s major health insurer Medibank was linked to REvil.

Ransomware-as-a-Service Economy Is Booming

One of the reasons why ransomware operators can easily bounce back and continue to evolve is the prolific underground economy. The ransomware-as-a-service (RaaS) market has emerged as a lucrative gig for a range of specialists who offer everything a nefarious actor needs to easily launch an attack, greatly lowering the barrier to entry. Ransomware gangs don’t even bother to figure out how to get a foothold into a targeted organization – they outsource the work to specialized groups called initial access brokers.

One RaaS group that’s been very active in the past year is Hive, which has victimized more than 1,300 organizations globally, according to a recent alert from the FBI and the Cybersecurity & Infrastructure Security Agency (CISA). Hive raked in an estimated $100 million in ransomware payments and targets various sectors from government and critical infrastructure to information technology and healthcare.

Every Industry Is An Attractive Target

The Hive gang is not alone in casting a wide net across a variety of sectors. One other theme we noted in 2022 is another repeat of previous years: no industry is immune to ransomware attacks. Some of the notable attacks of the year included:
The Costa Rica government, which declared a state of emergency after ransomware crippled networks across several government agencies, interrupting tax collection services and exposing citizen data, among other things
A Toyota supplier, resulting in the automaker shutting down 14 factories in Japan for 24 hours
A large hospital chain, causing delayed surgeries and canceled appointments at facilities in several states
Although some sectors seem to be in the spotlight more than others, in truth, malicious actors don’t discriminate. They’re looking for easy targets, and there are plenty of those, given that all attackers need to infiltrate an organization is stolen employee data. And that data is abundant on the criminal underground. It’s no wonder SpyCloud’s survey found that more organizations are activating “plan B,” such as opening bitcoin accounts and retaining third-party ransomware brokers – they are feeling a lot more pessimistic about their prospects of avoiding a successful ransomware attack.

What to Expect in 2023

The use of infostealers like Raccoon, RedLine Stealer, and numerous others has become very popular among cybercriminals. The data these infostealers siphon, such as employee credentials, device information, and web session cookies, enable attackers to masquerade as employees and easily infiltrate an organization to launch a ransomware attack.

Freshly harvested right from the employee’s device, this data is highly accurate, which means the ransomware attackers’ success rate is much higher. This stolen data creates a vicious circle that perpetuates ransomware crimes. So we expect to see the frequency of attacks to grow again in 2023, and the RaaS business model serving to attract even more newcomers enticed by the idea of an easy payout.

One of the biggest reasons organizations fall farther behind the attackers is an incomplete understanding of ransomware risks. The typical remediation process stops at wiping a device clean after it’s been infected with malware. But the data siphoned by the infostealers is long gone by then, putting the organization at risk of ransomware for a long time.

Shifting Your Approach to Post-Infection Remediation

Infostealers only take seconds to siphon data, but your organization can be at risk of ransomware for years to come. To be effective against ransomware, your post-infection remediation needs to address the risks of the data stolen from an employee’s malware-infected device.

Knowing exactly what data was stolen and is circulating on the darknet enables you to understand the scope of the threat and take quick steps to remediate all the compromised information. Gaining visibility into each exposed user, device, and application is the best way to gain ground on the ransomware problem.

Learn how to disrupt cybercrime and prevent ransomware attacks with darknet data.
Recent Posts

Check Your Company's Exposure

See your real-time exposure details powered by SpyCloud.

[What’s New] Check Your Exposure has been expanded with more recaptured data. See Your Results Now

Close this search box.