Ransomware Volume Nearly Doubles 2021 Totals in a Single Quarter

Like a hydra, every time one ransomware gang drops out (REvil or Conti), plenty more step up to fill the void (Black Basta).

Image of a keyboard with red glowing skulls on the keys instead of letters
Source: Negro Elkha via Adobe Stock

After a 2021 beleaguered by ransomware, attack volumes continue to balloon in 2022. In fact, a report issued Tuesday indicates that in just the first three months of this year, the volume of ransomware detections almost doubled the total volume reported for all of last year. 

The increasingly high numbers came in spite of what appeared to be the downfall of a major ransomware group at the end of 2021: REvil. This serves as a testament to the persistence of criminal actors in reforming, rebranding, and regrouping their criminal gangs to profit handsomely off of ransomware tactics.

This persistence has been studied most recently by security researchers who have noted the rapid rise of the Black Basta ransomware gang in the past two months, quickly following the emergence of the LAPSUS$ group earlier in the year.

Ransomware 2022 Volumes: Up, Up, Up

The numbers today come by way of the quarterly "Internet Security Report" from WatchGuard Threat Lab, which examines Q1 2022 threat trends. Researchers with the firm report that unique ransomware detections in the first three months of the year were triple the volume of the same time period in 2021. Meantime, Q1 2022 ransomware volume equaled more than 80% of the total volume recorded in all of 2021.

“Based on the early spike in ransomware this year and data from previous quarters, we predict 2022 will break our record for annual ransomware detections,” says WatchGuard chief security officer Corey Nachreiner, noting that the last annual high-water mark for ransomware volume came back in 2018.

LAPSUS$ Steps Up in the Underground Economy

The report from his team explains that even in the face of high-profile arrests and charges made by US and Russian authorities in late 2021 and early 2022 that resulted in the disruption of the prolific REvil ransomware gang, the ransomware hits keep coming. Their analysis shows that REvil’s disruption “opened the door” for LAPSUS$ to emerge in a big way.

“The LAPSUS$ group made global headlines with their double-extortion ransomware techniques that caused cybersecurity decision-makers to take notice,” the report states. “The group was known to hire employees of organizations to steal information from the inside and then use extortion techniques to blackmail victim organizations. Their victim list also put decision makers on notice. Microsoft, Nvidia, Samsung, Ubisoft, Okta, and T-Mobile are all victims of LAPSUS$.”

This kind of resurgence of new groups should dampen security teams' celebrations of the demise of groups like REvil and Conti, which in May were reported to have shut down their operations. Stats from NCC Group show a slight dip in attacks that month, with a warning that other heads of the ransomware gang Hydra were already starting to emerge.

Black Basta: New Kid on the Ransomware Block

Most recently, the Black Basta ransomware gang has surged into the scene. Earlier in the month, two separate reports from Uptycs and NCC Group showed that Black Basta was targeting ESXi-based systems and servers among other victims, and leveraging the Qbot malware family (aka Qakbot) to maintain persistence on networks it goes after. 

"While Black Basta isn't the first to develop capabilities against ESXi (LockBit, Hive, and Cheerscrypt already have demonstrated ESXi capabilities), this shows the relative sophistication of the teams working under Black Basta performing the ransomware operations," said Jake Williams, executive director of cyber threat intelligence at SCYTHE, in a statement provided to Dark Reading. "Use of commodity malware like Qakbot demonstrates that there is no such thing as a 'commodity' malware infection. Organizations must treat every malware detection as an opportunity for a threat actor to deploy ransomware."

Meantime, an advisory report from the Cybereason Nocturnus research team last week offered further details about Black Basta’s tactics, techniques, and procedures. They deemed the threat from the group to be highly severe, as it has victimized more than 50 companies in English-speaking countries worldwide since April. Researchers said the hallmark of the firm is its use of double extortion – i.e., stealing sensitive files and information and using it to extort victims by threatening publication of the details unless a ransom is paid. The amounts asked for are often in the millions.

The sudden rise of Black Basta has some speculating that the group is actually just a regrouping of the two most recently disbanded groups.

“Due to their rapid ascension and the precision of their attacks, Black Basta is likely operated by former members of the defunct Conti and REvil gangs, the two most profitable ransomware gangs in 2021,” says Lior Div, CEO of Cybereason.

About the Author

Ericka Chickowski, Contributing Writer

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights