LockBit Dominates Summer Ransomware Landscape Amidst Conti Offshoot Resurgence

Ransomware attacks have surged this summer, with the LockBit group emerging as the most prolific threat actor, relentlessly targeting organizations worldwide. Trailing closely behind are two splinter groups originating from the now-dismantled Conti ransomware syndicate, indicating a strategic shift and persistent threat within the cybercriminal underworld. This resurgence follows a period of relative calm, underscoring the dynamic and adaptable nature of ransomware operations.
Data compiled by NCC Group’s Monthly Threat Pulse for July 2022 reveals a significant uptick in ransomware activity, with a total of 198 successful campaigns recorded for the month. This represents a substantial 47 percent increase compared to June, though it still falls short of the peak activity observed in March and April, when nearly 300 campaigns were documented each month. The analysis, derived from actively monitoring ransomware groups’ leak sites and cataloging victim disclosures, paints a stark picture of escalating cyber threats.
LockBit, a ransomware-as-a-service (RaaS) operation known for its sophisticated operations and aggressive tactics, stands out as the primary driver of this recent surge. In July alone, LockBit was attributed to an alarming 62 attacks, an increase of ten compared to the preceding month. This figure alone more than doubles the combined total of the second and third most active groups, highlighting LockBit’s dominant position in the current threat landscape. Researchers from NCC Group explicitly noted, "LockBit 3.0 maintains its foothold as the most threatening ransomware group, and one with which all organizations should aim to be aware of." The group’s continued activity, particularly with its "3.0" iteration, suggests a robust infrastructure and a persistent ability to evade detection and disruption.
The second and third most prolific ransomware groups in July were Hiveleaks, responsible for 27 attacks, and BlackBasta, with 24 attacks. These numbers signify dramatic increases for both entities. Hiveleaks experienced an astonishing 440 percent rise in its attack volume since June, while BlackBasta saw a 50 percent increase over the same period. The close proximity of these two groups in the rankings, and their shared lineage to Conti, strongly suggests an interconnected evolution within the ransomware ecosystem.
The Conti Fallout and the Rise of Offshoots
The current ransomware landscape is intrinsically linked to the fragmentation and restructuring of the Conti ransomware group, once considered the most powerful and destructive cybercriminal syndicate globally. In May 2022, the United States government intensified its efforts against Russian-linked cybercrime by offering substantial rewards, up to $15 million, for actionable intelligence that could lead to the apprehension of Conti co-conspirators. This concerted pressure, coupled with internal dynamics within the group, appears to have catalyzed a significant shift.
The NCC Group report speculates that threat actors within Conti were undergoing structural changes, leading to their eventual dissolution and the emergence of new, rebranded operations. "It is likely that the threat actors that were undergoing structural changes," the authors wrote, "and have begun settling into their new modes of operating, resulting in their total compromises increasing in conjunction." This theory posits that the disruption caused by law enforcement actions and internal realignments has led to a dispersal of talent and resources, which are now manifesting in the rise of these successor groups.
Hiveleaks and BlackBasta are identified as direct beneficiaries of this Conti fallout. Hiveleaks is described as an affiliate that has migrated from the Conti network, while BlackBasta is characterized as a replacement strain, effectively inheriting Conti’s operational infrastructure and potentially its customer base. This indicates that while the Conti brand may have been retired, its operational capabilities and malicious intent have not disappeared but rather have been absorbed and re-energized under new banners.
A Chronology of Resurgence and Restructuring
The period from late spring to summer 2022 marks a critical juncture in the ransomware threat landscape.
- March-April 2022: Ransomware attacks reached a peak, with nearly 300 campaigns recorded each month. Conti was a dominant force during this period, consistently ranking among the top threat actors.
- May 2022: The U.S. government announced significant reward offers for information on Conti, signaling a heightened focus on dismantling the syndicate. This period also saw initial reports of internal strife and potential restructuring within Conti.
- June 2022: A dip in ransomware attack numbers was observed, potentially indicating a period of transition for some groups. However, LockBit maintained a strong presence.
- July 2022: A sharp resurgence in ransomware attacks was documented, with a 47% increase from June. LockBit emerged as the most prolific group, and the significant rise of Hiveleaks and BlackBasta was noted, both linked to Conti’s restructuring.
- August 2022 (Anticipated): Analysts anticipate further increases in ransomware activity as the newly formed groups solidify their operations and potentially expand their reach.
This timeline illustrates a pattern of disruption followed by adaptation. The pressure exerted on Conti, while seemingly effective in dismantling the main operation, has inadvertently led to the proliferation of its components into new, potentially more agile and harder-to-track entities.
Supporting Data and Victimology
The methodology employed by NCC Group in tracking ransomware activity provides a robust foundation for their findings. By actively monitoring the leak sites used by ransomware groups—platforms where victims’ stolen data is often posted to extort payment—and scraping victim details as they are released, researchers gain a direct insight into the scale and scope of these attacks. This method allows for a granular understanding of which groups are most active and the types of organizations they are targeting.
While the NCC Group report does not detail specific victim industries or geographical locations for July’s attacks, historical trends and the nature of LockBit, Hiveleaks, and BlackBasta suggest a broad range of targets. These groups typically do not discriminate, impacting organizations across sectors including healthcare, finance, manufacturing, government, and education. Their modus operandi often involves exploiting unpatched vulnerabilities, weak credentials, or phishing campaigns to gain initial access, then deploying their ransomware to encrypt critical data.
The sheer volume of attacks attributed to LockBit (62 in July) implies a highly efficient and scalable operation. This could involve a large network of affiliates who are provided with LockBit’s ransomware tools and infrastructure in exchange for a cut of the ransom payments. The "ransomware-as-a-service" model lowers the barrier to entry for aspiring cybercriminals, contributing to the overall volume of attacks.
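The leak-site tracking described above comes down to a small aggregation: scrape one record per victim posting, deduplicate re-posts, count distinct victims per group per month, and compare months. The block below is an added example written for this article, not NCC Group's tooling or data. It expands constructed per-group counts into individual postings so the aggregation has something to run on; the July figures and the LockBit June figure are the ones the article states, while the June baselines for Hiveleaks, BlackBasta and the monthly total are back-calculated from the stated percentages, and the "Other" bucket and victim labels are invented. The dedupe step matters in practice because groups re-list the same victim as payment deadlines pass, which would inflate a naive count.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed counts chosen to reproduce the article's figures: LockBit 62 in
# July (up ten), Hiveleaks 27 (up 440%), BlackBasta 24 (up 50%), 198 total
# (up 47%). "Other" is an invented bucket standing in for all remaining groups.
CONSTRUCTED_COUNTS = {
    (2022, 6): {"LockBit 3.0": 52, "Hiveleaks": 5, "BlackBasta": 16, "Other": 62},
    (2022, 7): {"LockBit 3.0": 62, "Hiveleaks": 27, "BlackBasta": 24, "Other": 85},
}


def build_posts():
    """Expand the constructed counts into one record per leak-site posting,
    in the shape a scraper would emit: group, victim label, date first seen."""
    posts = []
    for (year, month), per_group in CONSTRUCTED_COUNTS.items():
        for group, n in per_group.items():
            for i in range(n):
                posts.append({"group": group,
                              "victim": f"{group.lower()}-victim-{year}{month:02d}-{i}",
                              "posted": date(year, month, 1 + i % 28)})
    # A re-post of a victim already listed in July, with different casing;
    # the aggregation must not count it a second time.
    posts.append({"group": "LockBit 3.0",
                  "victim": "LOCKBIT 3.0-VICTIM-202207-0",
                  "posted": date(2022, 7, 20)})
    return posts


def monthly_counts(posts):
    """Count distinct victims per group per month. Victim labels are stripped
    and case-folded so trivial re-posts collapse to one disclosure."""
    seen = set()
    counts = defaultdict(Counter)
    for p in posts:
        ym = (p["posted"].year, p["posted"].month)
        key = (p["group"], p["victim"].strip().casefold(), ym)
        if key in seen:
            continue
        seen.add(key)
        counts[ym][p["group"]] += 1
    return counts


def pct_change(current, previous):
    """Whole-percent change, or None when there is no prior baseline: a group
    that first appeared this month has no meaningful growth figure."""
    if previous == 0:
        return None
    return round((current - previous) / previous * 100)


def month_over_month(counts, prev, cur):
    """Rank every group seen in either month by current volume, with the
    absolute and percentage change against the previous month."""
    groups = set(counts[prev]) | set(counts[cur])
    rows = []
    for g in groups:
        c, p = counts[cur][g], counts[prev][g]
        rows.append({"group": g, "current": c, "previous": p,
                     "delta": c - p, "pct": pct_change(c, p)})
    rows.sort(key=lambda r: (-r["current"], r["group"]))
    return rows


def totals(counts, prev, cur):
    """Overall campaign volume for both months and the percentage change."""
    p, c = sum(counts[prev].values()), sum(counts[cur].values())
    return {"previous": p, "current": c, "pct": pct_change(c, p)}


if __name__ == "__main__":
    counts = monthly_counts(build_posts())
    print(totals(counts, (2022, 6), (2022, 7)))
    for row in month_over_month(counts, (2022, 6), (2022, 7)):
        print(row)
```

Running it reproduces the article's ranking and percentages from the constructed postings; the `None` returned for a group with no June baseline is deliberate, since reporting a newcomer as "infinite growth" would distort month-over-month comparisons.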
Broader Impact and Implications
The resurgence of ransomware, particularly driven by groups with roots in Conti, carries significant implications for cybersecurity strategies worldwide.
- Increased Sophistication and Resilience: The ability of Conti affiliates to quickly reconstitute into new, active groups like Hiveleaks and BlackBasta demonstrates a high degree of technical proficiency and adaptability. These new entities are likely to learn from Conti’s past successes and failures, potentially developing even more evasive tactics and robust operational frameworks.
- Evolving Threat Landscape: The fragmentation of large ransomware syndicates, while seemingly a success for law enforcement, can lead to a more decentralized and thus harder-to-track threat landscape. Instead of a single, large target, security professionals must now contend with multiple, independent entities, each with its own attack vectors and methodologies.
- The Persistence of RaaS: The continued dominance of RaaS models, as exemplified by LockBit, underscores the economic viability of ransomware for cybercriminals. This business model ensures a steady supply of new ransomware variants and a continuous influx of actors willing to participate in attacks.
- Urgency for Proactive Defense: The data serves as a critical reminder for organizations to bolster their defenses. This includes implementing robust patch management, strengthening access controls, deploying advanced endpoint detection and response (EDR) solutions, and conducting regular security awareness training for employees to mitigate the risk of phishing attacks.
- International Cooperation Remains Crucial: The transnational nature of these cybercriminal organizations necessitates continued and enhanced international cooperation between law enforcement agencies, cybersecurity firms, and governments. Sharing intelligence, coordinating investigations, and pursuing joint disruption operations are vital to combating this persistent global threat.
The authors of the NCC Group report conclude with a sobering prediction. Now that Conti has properly split in two, they speculated, "it would not be surprising to see these figures further increase as we move into August." This outlook suggests that the current trend of increasing ransomware activity is likely to persist, making vigilance and preparedness paramount for organizations of all sizes. The summer of 2022 has unequivocally demonstrated that while old threats may evolve and new ones may emerge, the overarching danger of ransomware remains a clear and present challenge to digital security.
