Ransomware trends for 2022

As the year comes to a close, it is time to look at how the ransomware landscape evolved in 2022 and where it is heading. Security experts expect the sophistication and scale of cyberattacks to keep increasing, causing record-breaking financial losses.

Ransomware will become more aggressive and widespread, and the threat actors behind the major ransomware operations will try to extend their reach to mobile and IoT devices.

To stay ahead of these threats, end users and businesses must know the tactics, techniques, and procedures (TTPs) associated with the major ransomware operators, and individuals and organizations alike must reduce and protect their attack surface.

Extortion through ransomware will keep growing despite the efforts of government organizations and law enforcement agencies to curb it.

Ransomware gangs will keep targeting large organizations that can afford to pay a ransom, but they will also use commodity penetration-testing tools to run indiscriminate, dragnet-style campaigns against SMEs. At the same time, financial services and healthcare organizations will see a surge in ransomware attacks in the coming months.

The year of Ransomware-as-a-Service

In 2022, we will also see a growing number of affiliate gangs deploying ransomware supplied by several different Ransomware-as-a-Service (RaaS) operators.

Recently, the French CERT published a report on the activity of a ransomware gang tracked as Lockean, which is responsible for a long list of attacks against French companies over the past two years.

The Lockean group used several different ransomware strains over that period, including DoppelPaymer, Egregor, Maze, REvil, and ProLock, which suggests it acted as an affiliate of each of these RaaS programs rather than running its own.

Over the coming months, RaaS cartels will rely on even more affiliated groups to scale their operations, which will make their activities even harder to investigate: the operator develops and maintains the malware and the payment and leak infrastructure, while the affiliates handle intrusion and deployment and split the proceeds.

The affiliate model also makes these operations resilient to law enforcement action, because the takedown of any single ransomware group does not stop the affiliates, who can simply move to another RaaS program.

In 2022, the RaaS business model and double extortion (encrypting data and threatening to leak stolen copies) will continue to fuel the ransomware threat landscape. A growing number of criminal organizations, even those without specific technical skills, will decide to launch their own operations.

The rise of remote access markets

In the coming months, we will see the consolidation of another model in the cybercrime ecosystem, dubbed Access-as-a-Service.

Remote access markets are automated stores where threat actors buy, sell, and exchange access to compromised networks, websites, and services, typically in the form of stolen credentials or working remote-access footholds.

These markets play an essential role in the cybercrime underground, especially for RaaS operators and their affiliates.

Instead of breaking in themselves, threat actors can buy pre-established access to an organization, move quickly into its infrastructure, and deploy their ransomware.

Growing pressure to fight back

To analyze how ransomware operations will evolve in the coming months, we must also consider the response of governments and law enforcement agencies.

Ransomware attacks represent a serious threat to critical infrastructure and global supply chains. For this reason, the US Government convened a global meeting in October to coordinate efforts against ransomware and cybercriminal activity. Notably, Russia was not invited: it is widely believed that most ransomware gangs operate from the country, with the tacit support of the Russian government.

Following the global ransomware summit, law enforcement agencies worldwide intensified their actions against ransomware gangs: Europol and Interpol recently coordinated multiple successful investigations that allowed authorities to dismantle prominent ransomware operations, including the REvil operation.

This means that pressure from governments worldwide will have a significant impact on the ransomware landscape in 2022.

As an example of the growing pressure on ransomware gangs, the US Treasury has sanctioned groups such as Evil Corp and warned that ransomware negotiation and payment firms that facilitate ransom payments to sanctioned entities on behalf of victims risk penalties themselves. To evade these sanctions, Evil Corp has repeatedly rebranded and launched new ransomware operations under different strains, such as WastedLocker, Hades, Phoenix Locker, and PayloadBin.

China: a new safe haven for ransomware gangs?

In the coming months, law enforcement actions, government sanctions, and the dissolution of some groups will likely lead to the rebranding of many operations and to the emergence of new ransomware gangs.

Moreover, as pressure from other governments increases, we cannot rule out that Russia will stop tolerating ransomware operations on its soil, a decision that could force major ransomware organizations to relocate to other states.

The Groove ransomware gang is already calling on other ransomware groups to attack the US public sector, after a law enforcement operation shut down the REvil gang's infrastructure.

Recently, Groove published a message in Russian on its leak site:

Figure 1 – Call to action published on the Groove leak site (message in Russian)

The message also asks other ransomware gangs to avoid targeting Chinese companies, because China could become a safe haven for ransomware gangs if Russia stops tolerating their operations.

“In our difficult and troubled time when the US government is trying to fight us, I call on all partner programs to stop competing, unite and start fucking up the US public sector,” states the message.

“I urge not to attack Chinese companies, because where do we pinch if our homeland suddenly turns away from us, only to our good neighbours – the Chinese!”

– Groove ransomware message

State-sponsored ransomware

Let us close this forecast of ransomware trends for 2022 by considering the impact of nation-state hacking on the ransomware landscape.

In the coming months, rogue governments could use ransomware operations to raise funds and to evade sanctions imposed by other states.

Targeted ransomware campaigns run by nation-state actors will be particularly dangerous because of the cyber capabilities of APT groups and the large ransoms these groups can demand.

One thing is almost certain: ransomware groups will cause huge financial losses in the coming months, and we can only hope that their attacks will not cause irreparable damage to critical infrastructure worldwide.