{"id":18960,"date":"2022-05-06T01:10:08","date_gmt":"2022-05-06T09:10:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/05\/06\/news-12693\/"},"modified":"2022-05-06T01:10:08","modified_gmt":"2022-05-06T09:10:08","slug":"news-12693","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/05\/06\/news-12693\/","title":{"rendered":"Ransomware: April 2022 review"},"content":{"rendered":"

Credit to Author: Threat Intelligence Team| Date: Fri, 06 May 2022 08:59:41 +0000<\/strong><\/p>\n

The Malwarebytes Threat Intelligence team monitors the threat landscape continuously and produces monthly ransomware reports based on a mixture of proprietary and open-source intelligence.<\/p>\n

April 2022 was most notable for the emergence of three new ransomware-as-a-service (RaaS<\/a>) groups\u2014Onyx<\/strong>, Mindware<\/strong>, and Black Basta<\/strong>\u2014as well as the unwelcome return of REvil<\/strong>, one of the world\u2019s most notorious and dangerous ransomware operations.<\/p>\n

An old enemy returns<\/h2>\n

REvil<\/strong> (aka Sodinokibi) first appeared in May 2020 and has been responsible for numerous high-profile ransomware attacks, including arguably the biggest ransomware attack of all time\u2014a supply-chain attack on Kaseya VSA<\/a> in July 2021 that is thought to have affected over 1,000 businesses.<\/p>\n

REvil disappeared shortly after the Kaseya attack, only to emerge again a few months later, before being forced offline<\/a> on October 21, 2021, by a multi-country operation. A string of arrests<\/a> followed, and then in January\u2014in an act of unprecedented co-operation\u2014Russia\u2019s Federal Security Service (FSB) announced that it had dismantled the REvil group and charged its members, thanks to the information provided by the USA.<\/p>\n

REvil now seems to have returned to the fray with new payloads, and a new leak blog displaying a mixture of new victims and old victims known to have been attacked by REvil.<\/p>\n

New gangs emerge<\/h2>\n

Black Basta<\/strong> made a name for itself very <\/strong>quickly by coming out of nowhere and carrying out at least eleven successful breaches in April 2022. That ability to perform so many attacks so quickly has led some to speculate that Black Basta is a re-brand of an existing group that already has affiliates.<\/p>\n

Onyx<\/strong> is a new ransomware gang based on the old Chaos builder. At first, some suspected that Onyx may be a wiper<\/a> rather than ransomware because it destroyed files larger than 2MB instead of encrypting them. It seems likely that this behavior is the result of a bug in the notoriously poorly-written ransomware builder though.<\/p>\n

Another newly-emerged gang is Mindware<\/strong>, which appears to have started operations in mid-March using a well-known ransomware strain called SFile2 (aka Escal)\u2014but it was not until April that it began to practice “double extortion”, where data is stolen before it’s encrypted so that victims are faced with the twin threats of data they can’t decrypt, and leaks of sensitive information.<\/p>\n

Ransomware attacks in April 2022<\/strong><\/h2>\n

Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.<\/p>\n

Attacks by ransomware type<\/strong><\/h3>\n

Despite its rapid start, the activities of Black Basta and the other newly-emerged types of ransomware were dwarfed in April by three established threats: LockBit, Conti, and AlphV, which made up 60 percent of all the known breaches in our analysis.<\/p>\n

\n
\"Ransomware<\/a>
Known ransomware attacks in April 2022 by type of ransomware<\/figcaption><\/figure>\n<\/div>\n
\n
\"Known<\/a>
Known ransomware attacks in April 2022 by country<\/figcaption><\/figure>\n<\/div>\n
\n
\"\"<\/a>
Known ransomware attacks in April 2022 by industry<\/figcaption><\/figure>\n<\/div>\n

Ransomware mitigations<\/strong><\/h2>\n

Source: IC3.gov<\/a><\/p>\n