Power Rankings: 2022 Ransomware Malicious Quartile
Anthony M. Freed
May 10, 2023
According to stats from 2022, 85% of companies were the victim of at least one ransomware attack, and 74% had experienced multiple attacks. Ransomware has fast become the greatest risk to organizations today.
Ransomware groups, known as Ransomware-as-a-Service (RaaS) operators, are implementing novel advanced evasion techniques into their payloads specifically designed to evade or completely circumvent traditional endpoint protection solutions. Ransomware attacks continue to be extremely lucrative, with ransom demands and recovery costs bleeding victim organizations for millions of dollars.
And things change fast in this space – RaaS groups rise and fall with law enforcement takedowns, or disband and reorganize under different brands, so it can all be a little confusing. The Halcyon team of ransomware experts has put together this RaaS power rankings guide for the ransomware threat landscape based on data from throughout 2022.
The 2022 Ransomware Malicious Quartile
The following are the evaluation criteria for placement on the 2022 Ransomware Malicious Quartile. All attack groups evaluated must be a known threat actor group in 2022 with verifiable victims who demanded a ransom payment. Click on the threat actor group name below to see a listing of recent attacks they conducted including targets, industry verticals and other details.
The report is based on available 2022 data. Given the variability between attack groups regarding breadth of targeting, volume of attacks, and overall impact of their attack campaigns, placement on the report is somewhat subjective and based on input from ransomware subject matter experts on the following criteria:
RaaS Platform: Attack groups were evaluated on the relative maturity of the Ransomware-as-a-Service (RaaS) platform to successfully execute an attack, effectiveness in disrupting significant portions of a targeted network, and ability to evade detection until the ransomware payload is executed.
Attack Volume: Attack groups were evaluated on attack campaign volume as well as the percentage of attacks that are known to have been successful.
Ransom Demands: Attack groups were evaluated on the dollar value of their ransom demands as well as an estimation of the income generated from attacks.
RaaS Platform Development: Attack groups were evaluated on evidence of continued development and improvement of the RaaS platform and TTPs.
Targeted Industries: Attack groups were evaluated on effectiveness of target selection for consistently realizing high dollar ransom demands/payments.
Economic Model: Attack groups were evaluated on an assessment of their business model, estimates on R&D and recruiting efforts, and the availability of technical support services for attack affiliates.
LockBit
RaaS Platform: LockBit has been active since 2019 and is enabled with security tool evasion capabilities and an extremely fast encryption speed. LockBit is noted for using a triple extortion model where the victim may also be asked to purchase their sensitive information in addition to paying the ransom demand for decrypting systems.
Attack Volume: LockBit is considered to have been the most active attack group in 2022 as other high-profile groups became less active.
Ransom Demands: LockBit demanded ransoms in excess of $50 million in 2022.
RaaS Platform Development: The group continues to improve their attack platform and introduced LockBit 3.0 in June of 2022 which bore some similarities to the BlackMatter ransomware. The latest version incorporates advanced anti-analysis features and is a threat to both Windows and Linux systems. LockBit employs a Base64-encoded hash and an RSA public key in its configuration and hashes it with MD5. LockBit also created their own bug bounty program.
Targeted Industries: LockBit tends to target larger enterprises across any industry vertical with the ability to pay high ransom demands, but also tends to favor Healthcare targets.
Economic Model: LockBit has a very well-run affiliate program and a great reputation amongst the affiliate (attacker) community for the maturity of the platform as well as for offering high payouts of as much as 75% of the attack proceeds. LockBit is known to employ multiple extortion techniques including data exfiltration to compel payment.
BlackCat/ALPHV
RaaS Platform: First observed in late 2021, BlackCat/ALPHV employs a well-developed RaaS platform that encrypts by way of an AES algorithm where the AES key is encrypted using an RSA public key. BlackCat/ALPHV has the ability to disable security tools and evade analysis.
Attack Volume: BlackCat/ALPHV has rapidly become one of the more active RaaS platforms over the course of 2022.
Ransom Demands: BlackCat/ALPHV typically demands ransoms in the $400,000 to $3 million range but has exceeded $5 million.
RaaS Platform Development: BlackCat/ALPHV is thought to be the first ransomware group using Rust, a memory-safe programming language that offers exceptional performance for concurrent processing. The ransomware also leverages Windows scripting to deploy the payload and to compromise additional hosts. The developers have also been linked to DarkSide/BlackMatter ransomware attacks and may simply be a rebranding of those campaigns.
Targeted Industries: BlackCat/ALPHV has a wide variability in targeting, but most often focuses on the financial, manufacturing, legal and professional services industries.
Economic Model: BlackCat/ALPHV also exfiltrates victim data prior to the execution of the ransomware, including from cloud-based deployments, to be leveraged in double extortion schemes to compel payment of the ransom demand. They have one of the more generous RaaS offerings, offering affiliates as much as an 80-90% cut. BlackCat/ALPHV is also noted for putting their leaks website on the public web instead of the dark web, bringing increased visibility and pressure on impacted organizations to pay the ransom demand.
Black Basta
RaaS Platform: Black Basta is a more recent RaaS player that first emerged in early 2022 and is assessed by some researchers to be a revival of the Conti and REvil attack groups.
Attack Volume: Considering they just emerged in the spring of 2022, Black Basta quickly became one of the most prolific attack groups with more than 100 known victims.
Ransom Demands: Ransom demands vary depending on the targeted organization, with reports that they can be as high as $2 million.
RaaS Platform Development: Black Basta continues to evolve their RaaS platform. Its ransomware payloads can infect both Windows and Linux systems, including by exploiting vulnerabilities in VMware ESXi running on enterprise servers, and use both ChaCha20 and RSA-4096 for rapid encryption of the targeted network; in some cases the group leverages malware strains like Qakbot and exploits like PrintNightmare during the infection process.
Targeted Industries: Black Basta typically targets manufacturing, transportation, construction and related services, telecommunications, the automotive sector, and more.
Economic Model: Black Basta also employs a double extortion scheme and maintains an active leaks website where they post exfiltrated data if an organization declines to pay the ransom demand.
REvil
RaaS Platform: REvil, who first emerged in 2019, is assessed to be the successor of the defunct criminal gang GandCrab and to be responsible for some of the biggest attacks on record, including the supply-chain ransomware attack against Kaseya and meat packer JBS. REvil is also assessed to be connected to the now-defunct DarkSide group that disrupted energy giant Colonial Pipeline.
Attack Volume: REvil had been one of the most active attack groups observed until early 2022, when the Russian Federal Security Service (FSB) claimed to have dismantled REvil and charged several of its members.
Ransom Demands: REvil issued some of the highest ransom demands on record, with some reported to be as steep as $70 million.
RaaS Platform Development: REvil invested a lot into development and improvement of the platform and is known to use several security tool evasion techniques, such as leveraging the anti-rootkit tool GMER to disable security software as well as hard-coded checks to assure the target is not located in a Russian-aligned Commonwealth of Independent States (CIS) country.
Targeted Industries: REvil targeted a wide variety of victims selected for their ability to pay high ransom demands.
Economic Model: REvil is credited with pioneering the double extortion scheme, where sensitive data is exfiltrated before encryption and used as leverage to compel a ransom payment.
Conti
RaaS Platform: Conti has been active since September of 2020, and may have spawned the more recent Royal ransomware strain. Conti is an advanced RaaS platform with considerable security tool evasion capabilities. Conti is noted for some very high-profile attacks against the governments of Costa Rica and Peru, as well as critical infrastructure providers.
Attack Volume: Conti was one of the most active attack groups going into 2022, but in May the group began shutting down its attack infrastructure and was assumed to be rebranding or splintering into smaller RaaS operations.
Ransom Demands: Conti ransomware has netted hundreds of millions of dollars in ransom payments and leveled a $40 million ransom demand against a Florida school district.
RaaS Platform Development: Conti uses a custom AES-256 implementation for encryption that is assessed to be faster than most other families and can target specific drives and IP addresses, and the group has been observed using the TrickBot and BazarLoader Trojans. Conti actively recruits development talent on legitimate job recruitment and hacker sites.
Targeted Industries: Conti mainly targets the critical infrastructure and manufacturing sectors, but has also targeted law enforcement and emergency services, among others.
Economic Model: Conti had a well-run affiliate program, but the group publicly aligned itself with the Russian government in support of the Ukraine invasion, which made ransom payments to the group possibly subject to sanctions and limited the group's revenue. Conti was known to employ multiple extortion techniques including data exfiltration to compel payment.
Hive
RaaS Platform: Hive is a mature RaaS that was first observed in June of 2021. Hive is responsible for some major disruptions that also impacted COVID-19 responses, such as a targeted hospital that was unable to accept new patients following an attack. In July of 2022, the FBI penetrated the Hive network and provided decryption keys to victims worldwide, which has diminished the effectiveness of Hive operations.
Attack Volume: Hive has claimed more than 1,500 victims who were extorted for more than $100 million in ransom payments as of November 2022, according to the FBI, and was one of the most active of all observed attack groups in 2022.
Ransom Demands: Hive ransom demands have ranged from several thousand to millions of dollars, and Hive has been one of the more successful operations, though its activity has diminished.
RaaS Platform Development: Hive offered an easy-to-use interface for attack affiliates that incorporates tools like Cobalt Strike and Mimikatz and techniques like Pass-the-Hash for lateral movement and privilege escalation in the targeted network.
Targeted Industries: Hive targets a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH).
Economic Model: Hive also uses the double-extortion scheme after exfiltrating sensitive data to compel payment of the ransom demand, and has been known to reinfect the networks of victims who restored systems without making a ransom payment.
Royal
RaaS Platform: Royal has been active since September 2022 but has quickly become one of the more concerning ransomware operations. Royal is somewhat unique in that they prefer only partial encryption for larger files to evade detection before they choose to reveal the attack.
Attack Volume: Royal increased attack activity in late 2022 (and early 2023) prompting CISA and the FBI to issue alerts to critical infrastructure providers like the healthcare, communications, and education sectors.
Ransom Demands: According to CISA, Royal ransom demands range between $1 million and $11 million.
RaaS Platform Development: Royal uses its own custom-made file encryption program and leverages tools like Cobalt Strike or malware like Ursnif/Gozi. Evidence indicates they continue to invest heavily in development, expanding their operations and capabilities. The RaaS platform includes advanced security evasion and anti-analysis capabilities that can hinder both detection and investigation in emulated environments.
Targeted Industries: Royal tends to target critical infrastructure sectors including the Manufacturing, Communications, Healthcare, and Education sectors.
Economic Model: Royal typically does not include a specific ransom demand in the post-infection ransom note, but instead requires victims to directly negotiate terms through an Onion URL via the Tor browser.
Vice Society
RaaS Platform: Vice Society is a RaaS threat group that first emerged in 2021 and has used a variety of ransomware strains including Hello Kitty/Five Hands and Zeppelin before developing a custom ransomware strain. Tactics include attempts to compromise data backup solutions and clearing security logs on compromised systems to evade detection.
Attack Volume: Vice Society is a more recent arrival on the ransomware scene and has been scaling their operations significantly, including a disruptive attack on the second largest school district in the US.
Ransom Demands: Vice Society typically issues ransom demands of more than $1 million, but evidence suggests they are willing to negotiate for a lower ransom amount.
RaaS Platform Development: Vice Society has advanced evasion capabilities and can disable security tools like Windows Defender and evade sandbox analysis. The group is known to gain access by exploiting vulnerabilities in public-facing applications and websites, using exploits like PrintNightmare, or through compromised RDP credentials. Vice Society is known to use DLL side-loading techniques and abuse tools like Cobalt Strike, Mimikatz, SystemBC and PowerShell.
Targeted Industries: Vice Society tends to target the education, healthcare, and manufacturing sectors.
Economic Model: Vice Society uses a double extortion model to compel payment of the ransom demand.
Medusa
RaaS Platform: The Medusa gang made its debut in the summer of 2021 and has evolved to be one of the more active RaaS platforms in late 2022. The attackers restart infected machines in safe mode to avoid detection by security software, as well as preventing recovery by deleting local backups, disabling startup recovery options, and deleting shadow copies.
Attack Volume: Medusa ramped up attacks in the latter part of 2022 and has been one of the most active groups in the first quarter of 2023.
Ransom Demands: Medusa typically demands ransoms in the millions of dollars which can vary depending on the target organization’s ability to pay.
RaaS Platform Development: The Medusa ransomware gang (not to be confused with the operators of the earlier MedusaLocker ransomware) typically compromises victim networks through malicious email attachments (macros), torrent websites, or malicious ad libraries. Medusa can terminate over 280 Windows services and processes without command line arguments.
Targeted Industries: Medusa targets multiple industry verticals, especially healthcare and pharmaceutical companies, and organizations in the public sector.
Economic Model: Medusa also employs a double extortion scheme where some data is exfiltrated prior to encryption, and they are not as generous with their affiliate attackers, only offering as much as 60% of the ransom if paid.
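The log clearing described for Vice Society and the safe-mode restart, backup deletion and shadow copy removal described for Medusa are the recovery-inhibition steps a defender can look for before the encryption payload ever runs. The following is an added detection example, not Halcyon's code or anything from the groups profiled here: it scans constructed process-creation log lines (the sample events, host names and users are invented for illustration) for those command patterns, and then flags hosts where more than one distinct technique fired, since a lone shadow copy deletion may be routine administration but the combination is the pre-encryption pattern. The ATT&CK-style labels are used only as rule names.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample events in a simple "timestamp|host|user|command line" form.
# These are illustrative lines, not logs from any real incident.
SAMPLE_LOG = """\
2022-11-03T09:14:02Z|FS01|CORP\\svc_backup|vssadmin.exe list shadows
2022-11-03T09:14:07Z|FS01|CORP\\jdoe|cmd.exe /c vssadmin.exe delete shadows /all /quiet
2022-11-03T09:14:09Z|FS01|CORP\\jdoe|bcdedit.exe /set {default} recoveryenabled No
2022-11-03T09:14:11Z|FS01|CORP\\jdoe|bcdedit.exe /set {default} safeboot network
2022-11-03T09:14:15Z|FS01|CORP\\jdoe|wevtutil.exe cl Security
2022-11-03T09:20:00Z|WS22|CORP\\asmith|powershell.exe -Command Get-Date
"""


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    technique: str
    cmdline: str


# (rule name, pattern over the command line). Names follow ATT&CK technique
# numbering for readability; the regexes are the actual detection logic.
RULES = [
    ("T1490 shadow copy deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490 shadow copy deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490 recovery disabled", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("T1490 backup catalog deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("T1562.009 safe mode boot", re.compile(r"bcdedit(\.exe)?.*safeboot\s+(minimal|network)", re.I)),
    ("T1070.001 event log cleared", re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)),
]


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split one pipe-delimited event; return None for malformed lines."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None
    return parts[0], parts[1], parts[2], parts[3]


def scan(log_text: str) -> List[Finding]:
    """Return one Finding per event whose command line matches a rule."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, user, cmd = rec
        for technique, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(ts, host, user, technique, cmd))
                break  # one finding per event is enough
    return findings


def hosts_with_recovery_inhibition(findings: List[Finding], min_distinct: int = 2) -> List[str]:
    """Hosts on which at least `min_distinct` different techniques fired.

    A single 'vssadmin delete shadows' may be admin cleanup; recovery inhibition
    plus safe-mode boot or log clearing on one host is the pre-encryption pattern.
    """
    by_host: dict = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.technique)
    return sorted(h for h, techs in by_host.items() if len(techs) >= min_distinct)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.host} {f.user}: {f.technique}: {f.cmdline}")
    print("hosts showing a recovery-inhibition sequence:",
          hosts_with_recovery_inhibition(hits))
```

Run against the sample, the `list shadows` query and the unrelated PowerShell command produce nothing, the four destructive commands on FS01 each produce a finding, and FS01 alone is reported as showing the sequence. In production the same rules would be fed from Sysmon Event ID 1 or Windows Security Event ID 4688 command lines, and the per-host threshold would be bounded by a time window.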
Play
RaaS Platform: Play ransomware (aka PlayCrypt) is a newer ransomware group that emerged in the summer of 2022 with high-profile attacks on the City of Oakland, Argentina's Judiciary and German hotel chain H-Hotels. Play has similarities to Hive ransomware and is known to leverage tools like Cobalt Strike for post-compromise lateral movement and SystemBC RAT for persistence, as well as Mimikatz and living-off-the-land binaries (LOLBins) techniques.
Attack Volume: Play continued to increase attacks through the end of 2022 and into 2023.
Ransom Demands: There is little information on how much Play demands for a ransom, but they have made good on their threats to leak the data of those who refuse payment.
RaaS Platform Development: Play is an evolving RaaS platform known to exploit a known Exchange vulnerability (CVE-2022-41080 - patched by Microsoft in November of 2022) that allows them to leverage a second vulnerability with a ProxyNotShell exploit (CVE-2022-41082) even if a patch had been applied, which then allows the attackers to execute code on the systems remotely. Play leverages PowerTool to disable antivirus tools and security monitoring solutions.
Targeted Industries: The Play ransomware gang has mainly focused attacks in Latin America, especially Brazil, but has also attacked outside of that region.
Economic Model: Play employs tactics similar to both Hive and Nokoyawa ransomware, and also attempts double extortion by first exfiltrating victim data with the threat to post it on their leaks website.
DoppelPaymer
RaaS Platform: DoppelPaymer (aka Grief) is a RaaS that first emerged in 2019 in attacks against critical infrastructure providers. The code has similarities to BitPaymer ransomware and the Dridex malware family, and it is often seen in intrusions linked to Emotet malware.
Attack Volume: DoppelPaymer activity has varied since the group emerged but was one of the more active groups observed in the latter half of 2022.
Ransom Demands: DoppelPaymer ransom demands typically range from $25,000 to more than $1 million depending on the targeted organization.
RaaS Platform Development: DoppelPaymer has unique capabilities that can terminate security protections on the targeted network and evade detection by sandbox analysis and forensic examination. DoppelPaymer attacks also leverage tools like PowerShell, Mimikatz, Cobalt Strike and PsExec. Developers have increased the 2048-bit RSA + 256-bit AES encryption speeds significantly by employing a threaded file encryption process.
Targeted Industries: DoppelPaymer primarily targets the healthcare, emergency services, and education sectors.
Economic Model: DoppelPaymer also employs a double extortion scheme and launched a leaks website in early 2020.
Karakurt
RaaS Platform: Karakurt practices a unique style of the ransomware model in that they do not encrypt compromised machines or files but instead focus on data exfiltration and demanding a ransom payment with the threat to leak or sell the stolen data.
Attack Volume: While Karakurt had a lower volume of attacks in 2022 than some of their peers, the attacks were extremely effective and yielded high ransom payments.
Ransom Demands: Karakurt ransom demands have ranged widely from $25,000 to a whopping $10,000,000+ with strict payment deadlines.
RaaS Platform Development: Karakurt does not maintain a RaaS platform but has been assessed to be closely related to the defunct Conti ransomware syndicate. They have been observed deploying or abusing tools like Cobalt Strike, Mimikatz, AnyDesk and other tools to elevate privileges and move laterally within a network.
Targeted Industries: Karakurt is opportunistic and does not target specific sectors, industries, or types of victims and has likely automated some target selection based on ease of compromise by way of vulnerability exploits like Log4Shell, outdated VPN appliances, or through stolen VPN and RDP credentials.
Economic Model: Karakurt threat actors attempt to exfiltrate massive quantities of sensitive data and send victims a Tor link and access code where victims negotiate directly with Karakurt actors. Some victims reported Karakurt did not honor the agreement to delete victim information even after a ransom was paid.
Cl0p
RaaS Platform: Cl0p is a major Ransomware-as-a-Service (RaaS) platform first observed in 2019. Cl0p is a dangerous ransomware family because it has advanced anti-analysis capabilities and anti-virtual machine analysis to prevent investigations in an emulated environment like those commonly used by security tools.
Attack Volume: Cl0p may not be the biggest ransomware operation out there, but they are currently one of the most active threats to the healthcare sector despite six members affiliated with Cl0p having been arrested by Ukrainian authorities in June of 2021.
Ransom Demands: Ransom demands vary depending on the target, but some reports estimate Cl0p ransom demands average around $3 million.
RaaS Platform Development: Cl0p is one of just a handful of threat actors that have developed a Linux version. While Linux has a tiny footprint in desktop computing, it runs ~80% of web servers and a substantial portion of embedded devices used in the healthcare field – and this means that Cl0p is likely actively recruiting new talent to help improve their platform and expand the scope of what and whom they can attack.
Targeted Industries: Cl0p almost exclusively targets the healthcare sector, where three-quarters of their attacks (nearly 1000) in 2021 were against healthcare providers.
Economic Model: Cl0p also exfiltrates data to be leveraged in double extortion schemes and has recently claimed responsibility for attacks against over 130 organizations, some outside of the healthcare sector, using a zero-day vulnerability in the secure file transfer software GoAnywhere MFT.
Pysa
RaaS Platform: Pysa (Protect Your System Amigo) is assessed to be a successor to the earlier Mespinoza ransomware and has a mature RaaS platform first observed in late 2019. The ransomware displays advanced evasion capabilities and security tool bypass or disablement.
Attack Volume: Pysa was one of the most active attack groups but in 2022 started to fade out.
Ransom Demands: The Pysa gang uses data exfiltration prior to encryption and the threat of exposure to drive ransom payments to an average of almost $400k.
RaaS Platform Development: Pysa has been observed deploying numerous iterations of the payload over the course of its evolution and includes the use of Docker containers and Amazon S3 cloud storage for encrypted files; PYSA ransomware leverages the open-source CryptoPP C++ library for encryption. Infection vectors include RDP credential theft and exploitation, as well as typical phishing campaigns. They also abuse tools like PowerShell, WinSCP and Mimikatz.
Targeted Industries: Pysa typically targets the government, healthcare, and educational sectors.
Economic Model: Pysa developers created one of the most user-friendly interfaces for affiliate attackers including a full-text search engine for accessing victim information quickly and are generally regarded as being a very well-organized business operation; the group exfiltrates sensitive data for double extortion.
Egregor
RaaS Platform: Egregor is a RaaS platform that first emerged in September of 2020 and claimed to have compromised over 150 victims by the end of the year. Egregor has been assessed to likely have evolved from the Sekhmet and Maze ransomware families given code similarities and the tendency to target a similar victim set and was first observed at about the time the Maze ransomware gang announced it was shutting down operations.
Attack Volume: Egregor has not been as active as when they first emerged following the arrests of several affiliate members in Ukraine in February of 2021. The RaaS platform was taken offline for a while after the arrests, but it is still an active threat. In February of 2022, Maze ransomware developers shared the master decryption keys for Egregor, Maze, and Sekhmet.
Ransom Demands: Egregor ransom amounts vary, but they can reach amounts in the millions of dollars depending on the victim organization.
RaaS Platform Development: Egregor also uses the data exfiltration double extortion scheme that was pioneered by its predecessor the Maze group, and uniquely utilizes the print function on victim machines to deliver the ransom demands. Egregor TTPs can vary widely, making defense and mitigation difficult, and are known to leverage tools like Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner, and AdFind to escalate privileges and move laterally across a network.
Targeted Industries: Egregor targets vary, but tend to be larger enterprises including the likes of Kmart, Ubisoft, Ouest France, and Gefko.
Economic Model: Egregor partners with affiliates who carry out the actual attacks and deploy the ransomware payloads and was observed to offer a generous 70/30 split on the illicit proceeds. They also actively maintain Egregor News, their extortion leaks website.
Lapsu$
RaaS Platform: Lapsu$ first emerged in late 2021 with a ransomware attack against the Brazilian Ministry of Health but was thought to be inactive after a series of arrests of its core members in the spring of 2022, despite taking credit for attacks on Uber and Rockstar Games while members were incarcerated. Lapsu$ did not operate as a RaaS.
Attack Volume: Considered inactive by April 2022 following multiple arrests; some believe they re-emerged in September 2022 with attacks against Uber and Rockstar Games that prompted more arrests.
Ransom Demands: Lapsu$ typically did not publish the amount of their ransom demands.
RaaS Platform Development: None
Targeted Industries: Lapsu$ targeted large enterprises with the ability to pay high ransom demands, including Nvidia, Samsung, Microsoft, Vodafone, and Ubisoft.
Economic Model: Lapsu$ does not operate a RaaS platform but instead managed all attacks themselves, and they don’t encrypt targeted systems, opting instead to exfiltrate data to extort a payment from the victim by threatening to expose the information; Lapsu$ famously offered to pay employees at AT&T, T-Mobile and Verizon up to $20,000 a week to assist in attacks and claimed to have a $100,000 budget to buy zero-day vulnerabilities.
Halcyon is the industry’s first dedicated, adaptive security platform focused specifically on stopping ransomware attacks. Halcyon is built by attackers to stop attackers. The solution is a lightweight agent that combines multiple proprietary advanced prevention engines along with AI models trained solely on ransomware.