LockBit is by far this summer's most prolific ransomware group, trailed by two groups the report links to Conti.
# Incident Report: Resurgence of Prolific Ransomware Groups
## Executive Summary
Following a recent dip, ransomware attacks have seen a significant resurgence, led primarily by established Ransomware-as-a-Service (RaaS) groups such as LockBit, Hiveleaks, and BlackBasta. The increase follows the restructuring of the threat landscape after increased US government pressure on the Conti group, whose affiliates and successor brands are now highly active. The measurable impact is the volume of victims posted to the leak sites operated by these RaaS groups, which is how the report counts attacks.
## Incident Details
- **Discovery Date:** Analysis based on July 2022 data (Report published August 26, 2022)
- **Incident Date:** Throughout July 2022 and preceding months (Tracking ongoing threat landscape)
- **Affected Organization:** Multiple global organizations impacted by LockBit, Hiveleaks, and BlackBasta campaigns.
- **Sector:** Not specified, general threat analysis.
- **Geography:** Global focus (Implied by RaaS nature).
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing throughout July 2022.
- **Vector:** Not specified per victim; attacks were delivered through RaaS affiliate networks, so the initial access technique varies by affiliate.
- **Details:** Attackers are operating through established RaaS frameworks, with LockBit 3.0 the most prolific.
### Lateral Movement
- Not explicitly detailed; implied by campaigns that progressed to encryption and public extortion.
### Data Exfiltration/Impact
- **Impact:** Successful ransomware campaigns leading to listing on victim leak sites monitored by researchers. LockBit was responsible for 62 attacks in July.
### Detection & Response
- **How it was discovered:** Researchers at NCC Group actively monitored the leak sites utilized by ransomware groups and scraped victim details as they were released.
- **Response actions taken:** Not specified for individual victims; the report covers the volume and attribution of leak-site postings, not victim response.
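The counting method described above (scrape leak-site postings, attribute each to a group, tally by month) can be reproduced on any set of scraped records. The block below is an added example, not NCC Group's tooling; it assumes postings have already been reduced to `(group, victim, posted_date)` tuples, and the sample records are constructed and name no real victims. It deduplicates re-posts of the same victim by the same group, which otherwise inflates monthly counts, and computes the month-over-month change the report quotes.

```python
"""Tally ransomware leak-site postings by group and month.

Added example, not NCC Group's tooling. Input is assumed to be scraped
postings already normalised to (group, victim, posted_date).
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample of scraped leak-site postings; victims are fictional.
SAMPLE_POSTINGS = [
    ("LockBit", "acme-corp", date(2022, 6, 3)),
    ("LockBit", "globex", date(2022, 6, 21)),
    ("BlackBasta", "initech", date(2022, 6, 29)),
    ("LockBit", "umbrella", date(2022, 7, 2)),
    ("LockBit", "hooli", date(2022, 7, 9)),
    ("LockBit", "stark-ind", date(2022, 7, 15)),
    ("Hiveleaks", "wonka", date(2022, 7, 18)),
    ("Hiveleaks", "tyrell", date(2022, 7, 22)),
    ("BlackBasta", "cyberdyne", date(2022, 7, 25)),
    ("LockBit", "umbrella", date(2022, 7, 26)),  # re-post of an existing victim
]


def tally_postings(postings):
    """Return {"YYYY-MM": Counter(group -> unique victims posted that month)}.

    A (group, victim) pair is counted once, in the month it first appeared,
    so groups that re-post or bump a victim do not get credited twice.
    """
    seen = set()
    tally = defaultdict(Counter)
    for group, victim, posted in sorted(postings, key=lambda p: p[2]):
        key = (group.lower(), victim.lower())
        if key in seen:
            continue
        seen.add(key)
        tally[posted.strftime("%Y-%m")][group] += 1
    return tally


def month_total(tally, month):
    """Total unique victims across all groups for one month."""
    return sum(tally.get(month, Counter()).values())


def month_over_month(tally, prev, cur):
    """Percent change in total postings from prev to cur, rounded to an int.

    Returns None when the earlier month has no postings (no baseline).
    """
    before, after = month_total(tally, prev), month_total(tally, cur)
    if before == 0:
        return None
    return round((after - before) / before * 100)


def top_groups(tally, month, n=3):
    """Most prolific groups for a month as [(group, count), ...]."""
    return tally.get(month, Counter()).most_common(n)


if __name__ == "__main__":
    t = tally_postings(SAMPLE_POSTINGS)
    print("July total:", month_total(t, "2022-07"))
    print("June -> July change (%):", month_over_month(t, "2022-06", "2022-07"))
    print("Top groups, July:", top_groups(t, "2022-07"))
```

Sorting by date before deduplicating matters: without it, a re-post scraped out of order would be credited to the later month and the earlier one would be undercounted.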
## Attack Methodology
- **Initial Access:** RaaS infrastructure utilization (LockBit 3.0 is most prolific).
- **Persistence:** Not specified.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified.
- **Credential Access:** Not specified.
- **Discovery:** Not specified.
- **Lateral Movement:** Not specified.
- **Collection:** Implied by the double-extortion model; data published on leak sites had to be gathered before encryption.
- **Exfiltration:** Implied by the leak-site postings themselves, which are the report's evidence of compromise.
- **Impact:** Encryption and extortion following successful deployment of ransomware strains (LockBit, Hiveleaks, BlackBasta).
## Impact Assessment
- **Financial:** Unquantified, but significant due to increased attack volume (198 successful campaigns in July, up 47% from June).
- **Data Breach:** Victims of the top three groups were publicly listed on leak sites, which indicates claimed data theft (LockBit leading with 62 documented attacks).
- **Operational:** Not quantified in the report; ransomware deployment implies operational disruption for listed victims.
- **Reputational:** Impacted organizations listed on major ransomware leak sites.
## Indicators of Compromise
*The report identifies groups by their leak-site activity and provides no technical IOCs:*
- **Network indicators:** None given. Activity is attributed to LockBit, Hiveleaks (described as a Conti offshoot), and BlackBasta (described as a Conti replacement).
- **File indicators:** None given beyond the ransomware families named above.
- **Behavioral indicators:** High volume of extortion postings on public leak sites in July 2022.
## Response Actions
- **Containment:** Not specifically detailed for any single incident.
- **Eradication:** Not specifically detailed.
- **Recovery:** Not specifically detailed.
## Lessons Learned
- The ransomware ecosystem rapidly adapts; when pressure is applied to major groups (like Conti), their operational capacity fragments but often resurfaces quickly under new branding (Hiveleaks, BlackBasta).
- Ransomware-as-a-Service (RaaS) groups like LockBit remain highly effective and scalable threats, demonstrating continuous operational capability.
- Threat actors quickly settled into new modes of operation following disruption in May 2022, leading to a rapid increase in compromises in July.
## Recommendations
- Organizations should prioritize defensive readiness against the most prolific RaaS strains, especially LockBit 3.0.
- Security teams should maintain heightened vigilance after significant geopolitical or law-enforcement actions against major cybercrime entities, anticipating the emergence of successor groups such as Hiveleaks and BlackBasta.
- Preventive controls must account for the affiliate model, in which many independent operators deliver the same payload through varying initial access techniques.