The State of Ransomware in 2022
Ransomware poses a particular danger to companies that hold sensitive data and house valuable assets, or those that could impact countless other industries and organizations should their critical operations be taken offline. Each of these industries is highly dependent on the privacy of its assets and the availability of its operations and is therefore more likely to pay a heavy ransom to return to ‘business as usual’.
In contrast to this, ransomware is also increasingly used in cyber warfare across the geopolitical landscape. Some nations have allegedly launched ransomware campaigns via state-sponsored threat groups in retaliation for perceived slights against their political agendas, an example of which can be seen in the prolific Toyota attack earlier this year (which we cover later in this article).
Today, ransomware is no longer used only by those with the means to operate it; Ransomware-as-a-Service (RaaS) has gained traction in recent years, allowing almost anyone to purchase the means to launch their own illicit campaigns.
This blog, our annual deep dive into the ongoing threat of ransomware since its sharp rise in sophistication and notoriety in 2020, will look to dissect the most prolific ransomware attacks of the past twelve months, the actors behind them, and the key regions in which they operate.
On February 10, the same day that ransomware-as-a-service gang Avos Locker announced that it had acquired data on some 260,000 patients, Pennsylvania’s Jacksonville Spine Center reported that it had fallen victim to a significant ransomware attack.
Avos Locker first rose to notoriety as the concept of ransomware-as-a-service gained traction in 2021. Since then, it has launched several attacks against critical infrastructure bodies within the US, spanning manufacturing, financial services, and government facilities.
The group’s chosen ransomware comprises a multi-threaded executable, written in C++, that disguises itself as a console application. The application shows a log of all actions performed on its victim’s systems and allows the group to encrypt files across the victim’s servers.
Jacksonville Spine Center had some monitoring software in place and was able to spot the attack and rapidly shut down its servers in response, but it did not act quickly enough to prevent the encryption or exfiltration of its patients’ data.
While no sensitive medical information was stolen, names, addresses, emails, and home and work phone numbers, as well as several social security numbers, were stolen. The exact number of stolen records is unknown. It is also unknown whether the Jacksonville Spine Center paid any ransom, though the organization has insisted that it has not attempted to negotiate with Avos Locker.
Another ransomware-as-a-service gang, BlackByte, has launched a series of campaigns against US entities across a variety of industries, using its ransomware to encrypt files on victims’ Windows host systems on both physical and virtual servers.
Earlier this year, the group launched such an attack against The San Francisco 49ers over the course of the Super Bowl weekend. News of the attack broke as the 49ers were listed in a Dark Web leak site that claimed they were BlackByte’s latest victim. The same report claimed that the group had exfiltrated over $4.175 billion worth of financial data from the American football team.
Following the attack, the FBI and the Secret Service launched a joint security advisory on the BlackByte ransomware, which is believed to be of Russian origin due to the use of Russian and other post-Soviet languages in its codebase. Neither The San Francisco 49ers nor BlackByte has released any information on ransom demands, or if they were met, at the time of writing.
In August 2021, The Ministry of Economy of the Government of Brazil’s internal network, which supports its National Treasury, was hit by a ransomware attack. Little is known of the attack or the nature of the ransomware. Still, the Brazilian government has insisted that Tesouro Direto, its program for enabling the purchase of Brazilian government bonds by individuals, was not impacted "in any way."
This is the latest in a series of cyberattacks against the Brazilian government. In April 2021, the Rio Grande do Sul State Court of Justice was also hit by a ransomware attack. The attack has been attributed to REvil with a ransom demand of US$5 million to decrypt files and not leak data. In July 2021, just weeks before the attack on the National Treasury network, Brazil announced the creation of its cyberattack response network in response to the uptick in cyberattacks it had suffered in recent years. The network aims to promote faster response times to such threats through better collaboration between individual government bodies.
Brazil’s private sector has also suffered several critical ransomware attacks in recent years, including attacks against aerospace organization Embraer and healthcare firm Grupo Fleury.
While the Brazilian government believes that the attack was contained and dealt with in "a timely manner and with due transparency," little information has been provided on the ultimate fallout of the attack, the group(s) behind it, and their motivations.
On January 12, 2022, "Vice Society" encrypted the Argentine Senate (Senado Argentina) systems with ransomware. Just two days later, the affected organization disclosed the ransomware attack on Twitter, claiming the attackers only stole publicly available information.
Two months later, Vice Society listed the Argentine Senate as a victim on their leak site, highly likely after the victim declined to pay the ransom or negotiations failed. According to the Clarín newspaper, the ransomware gang published more than 30,000 stolen files containing several bills, opinions and legal documents, plain-text passwords, employee databases, and personally identifiable information (PII) of different officials and visitors to the Senate, including scans of passports, visas, identity documents, tax information, and fingerprints.
Furthermore, the journalist Fernando Bruzzoni interviewed a representative of Vice Society for the newspaper rosario3, providing insights on the attack and the modus operandi. Vice Society stated the attack was easy and it allegedly took them only "6 hours to access every IT system and 6 hours to attack". For initial access, the attackers said they used phishing, without giving further details.
Global aerospace organization Thales Group, based in France, suffered a ransomware attack at the hands of the threat group LockBit at the beginning of 2022. When Thales announced in a statement that it “had not received any direct ransom notification,” LockBit responded by disclosing a portion of the data it had exfiltrated.
Since then, Thales Group has revealed no further details about the severity of this attack. That being the case, it is highly likely that the attack impacted Thales’ core infrastructure, allowing LockBit to access sensitive data relating to security, transport, military, manufacturing or one of the other many areas Thales Group operates in.
At the same time as the ransomware attack against Thales Group, the French government announced that it was investigating claims that LockBit had also stolen data from the French Ministry of Justice, which the group hastily threatened to leak. What has motivated LockBit to target France, both in the public and private sectors, remains unknown.
Like many modern ransomware gangs, LockBit favors the ransomware-as-a-service model, opting for double extortion methods to put even more pressure on its victims in a bid to push them to pay any extortionate demands. LockBit is credited with creating and using the StealBit malware, a tool that automates data exfiltration. The latest iteration, dubbed LockBit 2.0, is claimed by LockBit to be faster and more efficient than other ransomware currently available on the black market.
On January 29, 2022, the German oil company Oiltanking GmbH detected that a ransomware attack had compromised its systems. A spokesperson stated they were investigating the incident, applying their contingency plans, and collaborating with the relevant authorities. Furthermore, they reported that "the terminals are operating with limited capacity and have declared force majeure". Another company belonging to the same parent business, Mabanaft Deutschland GmbH & Co. KG, was also affected by the incident, declaring force majeure for its supply activities in Germany.
The newspaper Handelsblatt had access to internal documentation about the incident confirming the company systems were encrypted with the BlackCat ransomware through a previously unknown gateway. The newspaper also reported that 233 German gas stations had to implement some manual processes temporarily.
On the morning of February 03, 2022, the aviation services company Swissport was made aware that part of its IT infrastructure had been hit by a ransomware attack. The attack, later claimed by the "BlackCat" ransomware group, disrupted the flight operations of the victim company, which caused flight delays at Zurich Airport.
The ransomware group not only encrypted data from the company's network, but also exfiltrated 1.6TB of sensitive data, which was put on sale on their leak site. Leaked data include Swissport's business documents, tax declarations, images of passports, and ID cards of individuals, as well as personal information of job candidates, which encompasses the name, passport number, nationality, religion, email, phone number, job role, interview scores, and more.
A contractor payroll service provider, Brookson Group, declared that it had suffered an “extremely aggressive” attack in correspondence with the UK’s National Cyber Security Centre in January 2022. The infamous BlackCat group quickly revealed that it was behind this attack, as well as a similar attack against another umbrella company, Parasol, which suffered a systems outage that prevented it from being able to pay contractors.
Months later, the UK’s contractors are still impacted by these attacks against the two companies, with many still waiting to receive delayed payments of up to thousands of pounds as a result of the disrupted systems.
Following these and similarly extreme attacks against more than 60 global organizations, the FBI cited the BlackCat gang as one of the top ransomware threats in a statement in April 2022. The BlackCat gang is believed to be a rebrand of the BlackMatter ransomware gang, which supposedly disbanded its operations in November 2021.
More activity from LockBit; in August 2021, the ransomware gang hit Bangkok Air with a sophisticated ransomware attack that saw the group gain access to credit card details and other sensitive personal and financial information.
In a post on a Dark Web leak site, LockBit claimed ownership of the attack, stating that it had stolen more than 200GB of data. The victim airline revealed that it was looking into the attack but that it “was not interested in negotiating with the criminal gang,” according to The Register.
Following this, LockBit claimed that it would release up to 103GB of the stolen data by the end of August, though the group has been known to extend threat deadlines in the past. It is unknown whether a ransom was paid behind closed doors or if the group monetized the data by selling it via underground forums. Bangkok Air has since strengthened its security systems. While this is advised, the airline should have taken the approach of preparing for the eventuality of an attack instead of bolstering its systems after the fact.
Japanese global automotive manufacturer Toyota was forced to stop production across all its Japan-based plants after a ransomware attack against a key supplier, which affected not only Toyota’s operations but the operations of its subsidiary companies Hino Motors and Daihatsu Motor.
The attack, which took place in March 2022, was launched just days after Japan imposed strict sanctions against Russia, alongside many Western nations, as a response to its invasion of Ukraine. A week before the attack and Japan’s announced stance against Russia, the Russian ambassador to Japan, Mikhail Yurievich Galuzin, warned that “should Japan impose sanctions on Russia, there would be consequences.”
Japan has announced that it is actively investigating the attack, which it believes to be at the hands of Russia as punishment for its support of Ukraine, though no other information has been revealed at the time of writing.
On November 27, 2021, the Queensland government-owned energy generator CS Energy in Australia suffered a ransomware attack. According to the company statement, the incident did not impact the electricity generation at Callide and Kogan Creek power stations, so they were able to continue generating and dispatching electricity into the National Electricity Market.
Although Sydney's Daily Telegraph initially speculated the attack was perpetrated by a Chinese state-sponsored threat actor, CS Energy said there was no indication of a state-based attack.
On the same day as the incident, the Conti ransomware gang added CS Energy to the list of targeted organizations published on their leak site.
On May 18, 2021, Vice Society encrypted the Waikato District Health Board systems in New Zealand with ransomware, stealing confidential patient notes, staff details, and financial information before encryption. According to the Herald newspaper, "some surgeries and clinics at the DHB's five hospitals have been postponed and people are being asked to stay away from emergency departments unless it is an emergency while experts try to get the system up and running again, something that is unlikely to happen this week". Vice Society requested a ransom payment of US$20 million in Bitcoin to decrypt the files, but the organization decided not to pay the ransom.
In an interview with DataBreaches, Vice Society stated it took them "2 days for preparing and 1 day for attack, 20 minutes for escalation and 2 days to prepare attack."
Ransomware advice and mitigation
It’s evident that the threat of ransomware, which has evolved considerably over the course of the COVID-19 pandemic, continues to pose new and varied threats to public and private organizations globally. Whether it be traditional ransomware, ransomware-as-a-service at the hands of one of the many emerging groups that favor the tool, or an inadvertent attack that ripples through the supply chain, organizations must prioritize their security hygiene, now more than ever.
One such method for protecting against the threat of ransomware and the eventual loss of sensitive data is our Blueliv Credentials module, a threat intelligence tool for detecting stolen credentials, data, and other information in real-time.
Threat Context is another vital tool for reducing the risk of such attacks, allowing users to run red-teaming exercises, radically reducing the effectiveness of incoming social engineering attacks. Utilizing such tools, organizations can harness invaluable threat intelligence and use it to better prioritize vulnerabilities that are most likely to be exploited based on real world threats.