Five Most Common Ransomware Strains

Even as cybercriminals get more sophisticated and try new methods, they’re not moving away from what’s tried and true. According to FortiGuard Labs’ analysis, 82% of financially motivated cybercrimes in 2022 included ransomware or malicious scripts. This demonstrates that the ransomware menace is still present globally and shows no signs of slowing down. Not only that but there are certain ransomware strains that remain the top choice of attackers. In fact, in the second half of 2022, just five ransomware families accounted for 37% of all ransomware activity.

Let’s take a look at those five families and the context surrounding their prevalence and consider next steps for cybersecurity teams.

Ransomware on the Rise

Ransomware volume increased 16% from the first half of 2022, even with some significant variation month-to-month. The bulk of this increase appears to be the result of an influx in July and August 2022.

A previous pattern is evident in the slow rise in average volume and the swift readjustment after August. In 2022, the same game of whack-a-mole was happening where some ransomware groups willfully stopped operations while new ones popped up to take their place.

Five Dominant Ransomware Groups

Of the seemingly endless varieties of ransomware and cybercriminal groups, these five ransomware strains rose to the top.

At number one in terms of prevalence was GandCrab, a ransomware-as-a-service (RaaS) malware that emerged in 2018; it accounted for 11% of all ransomware activity in the second half of 2022. The criminals behind it made over $2 billion before announcing their retirement in the middle of 2019. It’s thought that these actors split up before reforming as REvil and Sodinokibi. The Colonial Pipeline and JBS Foods attacks, to name a few, were attributed to REvil. Also, while authorities temporarily shut down REvil in Russia with several arrests in 2022, it appears that the organization has since come back together and is still operating.

Rounding out the top five were:

  • Locky, which was first spotted in 2016. It’s delivered by email and releases an encryption Trojan. It accounted for 7.5% of all ransomware activity in the second half of 2022.
  • Sodinokibi, which has connections to both GandCrab and REvil but is more advanced, was close behind at 7.2%.
  • Cerber accounted for 5.9% of all activity.
  • LockBit continues to make a name for itself, accounting for 5.7% of all ransomware activity. It’s been in the wild since December 2019, targeting both Windows and Linux. Ransomware operators develop LockBit ransomware and all the necessary tools and infrastructure to support it. They also offer other services like ransom negotiation for affiliates.

Taking Back Control

It’s possible that part of the reason these same ransomware families are still being seen is that, even if the originators have retired or moved on, others have used the code as a foundation, built upon it, evolved it and re-released it.

This highlights the value of international collaboration between all kinds of organizations to end cybercriminal operations for good. It takes a global team effort of strong, trustworthy relationships and collaboration among those with the most to lose across public and commercial organizations and sectors to effectively disrupt cybercriminal supply chains.

Organizations need to plug any holes in their security stack, as well. This includes implementing a wide range of robust tools such as next-generation firewalls (NGFW), digital risk protection (DRP), network telemetry and analytics, endpoint detection and response (EDR), extended detection and response (XDR), security information and event management (SIEM) and more. These tools offer cutting-edge capabilities for threat detection and prevention, enabling enterprises to quickly identify and address security problems across their full attack surface.

Patch management is still a problem that affects enterprises around the world and contributes to breaches. In the incidents we investigated, victims were frequently already aware of their unpatched systems but “hadn’t gotten around” to applying the necessary patches. Under these circumstances, critical patches should always take precedence over other tasks that the security team has been assigned.

In addition, to make sure they can spot intrusions at all points along the adversary kill chain, enterprises should routinely evaluate their network visibility. Organizations can accomplish this by examining the data sources provided by their current technologies and contrasting them with the data sources necessary to identify threats to their environment.
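The visibility review described above can be made concrete as a coverage gap analysis: list the data sources each kill-chain stage needs, compare that list against what the current tool stack actually emits, and rank the missing sources by how many stages each one would unblock. The script below is an added example, not code from the original article or from FortiGuard Labs; the stage-to-source mapping and the inventory of the "current stack" are constructed for illustration and are assumptions, not a standard.

```python
"""Kill-chain visibility gap analysis (added illustrative example).

Given the data sources each kill-chain stage needs and the data sources the
current tool stack actually provides, report which stages are fully covered,
partially covered or blind, and rank the missing sources by impact.
The mapping below is a constructed assumption, not a vendor or framework list.
"""
from dataclasses import dataclass

# Hypothetical requirement map: kill-chain stage -> data sources a defender
# would want in place to detect activity at that stage.
REQUIRED_SOURCES = {
    "reconnaissance": {"perimeter firewall logs", "dns logs"},
    "delivery": {"email gateway logs", "web proxy logs"},
    "exploitation": {"endpoint process telemetry", "endpoint file telemetry"},
    "installation": {"endpoint process telemetry", "endpoint registry telemetry"},
    "command_and_control": {"dns logs", "web proxy logs", "netflow"},
    "actions_on_objectives": {
        "file server audit logs", "endpoint file telemetry", "backup system logs",
    },
}


@dataclass(frozen=True)
class StageCoverage:
    stage: str
    covered: frozenset
    missing: frozenset

    @property
    def status(self) -> str:
        """'covered' if nothing is missing, 'blind' if nothing is present."""
        if not self.missing:
            return "covered"
        if self.covered:
            return "partial"
        return "blind"


def assess_visibility(available_sources, required=REQUIRED_SOURCES):
    """Compare available data sources against what each stage requires."""
    available = set(available_sources)
    results = {}
    for stage, needed in required.items():
        results[stage] = StageCoverage(
            stage=stage,
            covered=frozenset(needed & available),
            missing=frozenset(needed - available),
        )
    return results


def blind_spots(coverage):
    """Stages that are not fully covered, in stable alphabetical order."""
    return sorted(s for s, c in coverage.items() if c.status != "covered")


def missing_sources_ranked(coverage):
    """Rank missing sources by how many stages each would unblock (ties by name)."""
    counts = {}
    for c in coverage.values():
        for src in c.missing:
            counts[src] = counts.get(src, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    # Constructed inventory of what a hypothetical current stack emits.
    current_stack = {
        "perimeter firewall logs",
        "email gateway logs",
        "endpoint process telemetry",
        "web proxy logs",
    }
    cov = assess_visibility(current_stack)
    for stage, c in cov.items():
        print(f"{stage:24} {c.status:8} missing={sorted(c.missing)}")
    print("stages not fully covered:", blind_spots(cov))
    print("sources to add first:", missing_sources_ranked(cov))
```

Running it with the constructed inventory shows the late kill-chain stage (actions on objectives, where encryption and backup tampering happen) as completely blind, and DNS logs plus endpoint file telemetry as the two additions that each close gaps in two stages at once, which is the kind of prioritised answer the visibility review is meant to produce.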

Vigilance Brings Victory

Even as malware and ransomware strains continue to proliferate, just five ransomware families are responsible for a significant amount of ransomware attacks. Bad actors are showing their fondness for reusing existing code to create variations on a successful theme. Knowing the top five ransomware variants will help enterprises know what to look out for and what measures and tools need to be in place to keep their networks secure. Revisit the best practices noted above and consider adding any missing pieces to create a comprehensive defense against this modern plague.


Aamir Lakhani

Aamir Lakhani is a cybersecurity researcher and practitioner for Fortinet’s FortiGuard Labs. He formulates security strategy with more than fifteen years of cybersecurity experience, and his goal is to make a positive impact on the global war on cybercrime and information security. Lakhani provides thought leadership to the industry and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work has included meetings with leading political figures and key policy stakeholders who help define the future of cybersecurity.
