IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Ransomware activity down 11% worldwide in Q3, but rise expected

LockBit increased its share of the landscape even as attacks declined, while new groups have capitalised on the fall of Conti

A CGI render of the Earth, focused on EMEA, surrounded by data points and red padlock symbols

A new report has found that global ransomware activity dropped throughout the third quarter as the order of dominant groups in the landscape shifted, but that businesses should expect a surge by threat actors in Q4 to exploit consumer trends.

Related Resource

How to reduce the risk of phishing and ransomware

Top security concerns and tips for mitigation

Large letter 'O' against a background of a city - whitepaper from MimecastFree download

The number of ransomware attacks in Q3 2022 was down 10.5% on Q2, according to the latest report by cyber security firm Digital Shadows. This was driven in part by the sudden cessation of activity by the Conti group, as well as a reorganisation of leading groups over July and August.

LockBit 3.0, the latest strain by the LockBit group of threat actors, consolidated its lead across the landscape in Q3, accounting for 35.1% of all activity across the period, compared to 32.8% in Q2. The group's rise, even as its overall activity declined, has been matched by the growth of a number of new groups, including Black Basta, Hive Leaks, and Alphv, which account for 9%, 8%, and 7% of activity respectively.

Digital Shadows suggests that these groups have directly taken advantage of the gap in the market left by Conti, which after threatening to overthrow the Costa Rican government in May, apparently shut down in June. The group’s website has disappeared, and a drop off in activity right at the end of Q2 has been linked directly to the group’s apparent cessation of attacks.

Groups that bucked the trend with increased activity across the period include ‘AvosLocker’ (up 50%) and Hive Leaks (up 80.8%). The latter operates the Hive payload, which was singled out by Microsoft in Q3 for its sophisticated functions, and for being written in the programming language Rust, which is becoming a popular programming language for hacker groups.

A graph showing that LockBit made up the vast majority of ransomware attacks in Q3 2022

Some within the cyber security community have suggested that Hive is composed of former Conti actors, or is even a continuation of the same group. Investigative journalist and cyber crime expert Brian Krebs tweeted that attacks on Costa Rica appeared to have been committed by Hive, but that “with Conti apparently in the process of rebranding, it could just as well be the same criminals involved.”

However, Emisoft threat analyst Brett Callow subsequently tweeted a screenshot from Hive’s website that states “we are not related with Conti”. No evidence yet links any emerging group with Conti.

Around 39% of all attacks across Q3 were made against victims within the United States, reflective of the consolidation of wealthy companies within the country. France and Spain followed, with the UK the fourth most targeted in the same period, accounting for 4.8% of victims. This marks a fall from the UK’s third place in Q2, and appears to have been driven by a surge in attacks in France and Spain, including Hive's attack on French telco giant Altice in August.

Indeed, while almost all countries saw decreased ransomware attacks in Q3, France, Spain and Israel saw rises. Spain was an outlier, with a 66% rise in ransomware activity across the quarter tied to a surge by the group ‘Sparta Blog.’

The industrial goods and services sector remained the most targeted sector throughout the period, recording nearly double the attacks of the technology sector, the next most targeted. As the war in Ukraine drags on, attacks on supply chains and critical national infrastructure (CNI) continue to rise, and state-backing of ransomware attacks will continue to increase such action.

Bracing for a rise in Q4

A graph showing ransomware activity decreased in Q3 2022, but increased again in September and is forecast to maintain high activity in Q4

Digital Shadows forecasts a rise in activity in Q4 2022. This is not unusual, as commercial events such as Black Friday and Cyber Monday often coincide with an increase in malicious activity online, while online shopping around Christmas is exploited by threat actors with phishing campaigns.

After falling prey to a distributed denial of service (DDoS) attack in August, which took down its website for several days, the LockBit group vowed to be ‘more aggressive’ and stated that it was recruiting new members. This may be linked to the increase of attacks at the end of Q3, and indeed the LockBit group saw its highest ever share of international ransomware activity at 40%.

Concerns have also been raised due to the alleged leak of a LockBit 3.0 ‘builder’ in September. If legitimate, this would allow rival threat actors to create their own version of LockBit ransomware, and as such the leak could precede a spike in use of the highly-effective malware throughout Q4 and beyond.

Featured Resources

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

The Total Economic Impact™ of IBM robotic process automation

Cost savings and business benefits enabled by robotic process automation

Free Download

Multi-cloud data integration for data leaders

A holistic data-fabric approach to multi-cloud integration

Free Download

MLOps and trustworthy AI for data leaders

A data fabric approach to MLOps and trustworthy AI

Free Download


Revealed: The top 200 most common passwords of 2022
cyber security

Revealed: The top 200 most common passwords of 2022

17 Nov 2022
Undetectable PowerShell backdoor discovered hiding as Windows update

Undetectable PowerShell backdoor discovered hiding as Windows update

19 Oct 2022
Escape the ransomware maze

Escape the ransomware maze

23 Aug 2022
Twilio account breach result of sophisticated social engineering campaign

Twilio account breach result of sophisticated social engineering campaign

9 Aug 2022

Most Popular

The top 12 password-cracking techniques used by hackers

The top 12 password-cracking techniques used by hackers

14 Nov 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
Interpol arrests nearly 1,000 cyber criminals in months-long anti-fraud operation
cyber crime

Interpol arrests nearly 1,000 cyber criminals in months-long anti-fraud operation

25 Nov 2022