In the month after the Conti group closed its operations and shut down all its servers, researchers have observed several other actors taking the prolific group’s place with novice attack tactics and new ransomware versions.
In May, the Conti gang shuttered the admin panel of its website and shut down its servers, including the ones used to negotiate ransom payments with victims. The moves left security analysts wondering how the ransomware landscape would be impacted, as Conti had presented a major threat for almost two years, with the U.S. government in September warning of attacks by Conti affiliates against health care providers, 911 systems and many other critical organizations.
Since the ransomware group’s shutdown, Digital Shadows researchers who have been tracking ransomware activity over the past quarter said members have likely branched out into other, smaller groups and will continue to launch attacks under rebranded names. For law enforcement, this breakdown makes it more difficult to target operations as one, said Ivan Righi, senior cyber threat intelligence analyst at Digital Shadows.
“It is almost certain that all big ransomware gangs will cease operations sometime in the future and break down into other groups,” said Righi. “Members of the Conti group will likely simply break down into other groups and continue launching attacks. Law enforcement operations have certainly served as a deterrent against ransomware operations. However, due to broken international relations between Russia and other countries, it is unlikely that operators who live in Russia will face legal consequences.”
Overall, researchers with the Digital Shadows Photon Research team on Wednesday said that they observed a “significant and highly active” second quarter in 2022 for ransomware activity, with 705 organizations named to ransomware groups’ data leakage websites, representing a 21.1 percent increase compared to the first quarter.
It’s worth noting that in recent years, the first quarter has typically had low ransomware activity (and this year’s first quarter was no exception, with a 25.3 percent decrease in activity from the previous quarter), so an increase from the first quarter to the second quarter is not entirely surprising. In fact, in 2021, ransomware activity rose by 40 percent between the first and second quarters.
“The large rise in 2021 was likely higher due to the extensive adoption of double-extortion techniques in early 2021,” Righi said. “This trend will likely continue in future years, although the ransomware threat landscape can be volatile and unpredictable.”
Researchers have observed several shifts among both existing and new ransomware groups that have contributed to the second-quarter increase in attacks. Leading the charge is a steady surge in attacks by the LockBit ransomware-as-a-service (RaaS), which has overtaken Conti in the total number of victims claimed by the group. With nearly 1,000 victims at the time of publication, LockBit is the most active group to date, said researchers.