With ransomware operations continuing to develop despite major shutdowns of the most notorious groups, Kaspersky experts keep an eye on their activities. Just in time for Anti-Ransomware Day, Kaspersky released a report covering new ransomware trends spotted in 2022.
“If last year we said ransomware is flourishing, this year it’s in full bloom. Although major ransomware groups from last year were forced to quit, new actors have popped up with never-before-seen techniques,” shared Dmitry Galov, senior security researcher at Kaspersky’s Global Research and Analysis Team.
Overuse of ransomware with cross-platform capabilities
First off, among the ransomware trends of 2022 is the prolific use of cross-platform capabilities by ransomware groups. Nowadays, they aim to damage as many systems as possible with the same malware by writing code that can be executed on several operating systems at once. For example, this is what Conti, one of the most active ransomware groups, has done with a newly developed variant that is distributed through selected affiliates and targets Linux.
Another is BlackCat, a self-proclaimed “next-generation” malware gang that writes its malware in Rust and has reportedly attacked more than 60 organizations since December 2021. This cross-platform programming language became widespread in late 2021 alongside Golang. In addition, DeadBolt, a group infamous for its attacks on QNAP, used Golang in making its ransomware.
Ransomware groups continue to find ways to advance their business processes
Ransomware groups have also continued activities to facilitate their business processes, including regular rebranding to divert attention from the authorities and updating exfiltration tools throughout late 2021 and early 2022. Lockbit is a remarkable example of a ransomware gang’s evolution. It boasts an array of improvements compared to its rivals, including regular updates and repairs to its infrastructure. It first introduced StealBIT, a custom ransomware exfiltration tool that enables data exfiltration at the highest speeds ever, a sign of its efforts towards malware acceleration processes.
Ransomware groups being responsive to geopolitical situations
The third trend that Kaspersky experts have witnessed is a result of the geopolitical situation. Notably, the conflict in Ukraine has heavily impacted the ransomware landscape. While such attacks are typically associated with APT actors, Kaspersky detected some major activities on cybercrime forums and actions by ransomware groups in response to the situation. Right after the conflict began, ransomware groups took sides in support of either Russia or Ukraine and based their attacks on political motivation. For example, one piece of malware recently discovered during the conflict is Freeud, developed by Ukrainian supporters. This new malware features wiping functionality, in which files are wiped from the system instead of being encrypted.
In light of these recent developments, Kaspersky encourages businesses to follow these best practices that help safeguard against ransomware:
- Keep software updated on all the devices you use to prevent attackers from exploiting vulnerabilities and infiltrating your network.
- Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminals’ connections to your network.
- Set up offline backups that intruders cannot tamper with. Make sure you can access them quickly when needed or in an emergency.
- Enable ransomware protection for all endpoints. A free Kaspersky Anti-Ransomware Tool for Business shields computers and servers from ransomware and other types of malware, prevents exploits and is compatible with already installed security solutions.
- Install anti-APT and EDR solutions, enabling capabilities for advanced threat discovery and detection, investigation, and timely remediation of incidents. Provide your SOC team access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within the Kaspersky Expert Security framework.
- Provide your SOC team access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for Kaspersky’s TI, providing cyberattack data and insights gathered by our team for over 20 years. To help businesses enable effective defenses in these turbulent times, Kaspersky has announced access to independent, continuously updated, and globally sourced information on ongoing cyberattacks and threats at no charge. Request access to this offer here.
Read more about the ransomware trends 2022 report by Kaspersky on Securelist.
Those interested in learning more are also welcome to join a webinar with Dmitry Galov, a security researcher at Kaspersky’s GReAT, on May 16 at 4 PM CET to discuss the latest trends in the ransomware market, focusing on new ransomware groups, their techniques, and targets. Registration for the webinar is free here: https://kas.pr/mx4e