LockBit Remains Most Prolific Ransomware in Q3

Written by

The infamous LockBit ransomware variant remained the most widespread in the third quarter of 2022, accounting for over a fifth (22%) of detections, according to a new report from Trellix.

The threat intelligence vendor analyzed proprietary data from its sensor network, open source intelligence and investigations by the Trellix Advanced Research Center to compile The Threat Report: Fall 2022.

It revealed that Lockbit and Phobos were the most common ransomware families during Q3 2022. Lockbit was recently assessed by Deep Instinct to be the most prolific variant of 2022 so far.

“At the end of Q3 their ‘builder’ was released, and allegedly various groups are already establishing their own RaaS with it,” the report said of LockBit.

“Phobos ransomware continues to be active and accounts for 10% of our telemetry hits. Their tactic of selling a complete ransomware kit and avoiding large organizations allows them to stay under the radar.”

Germany recorded the highest detections of APT-related activity (29%) and the highest volume of ransomware (27%), while telecoms was the sector most impacted by ransomware, followed by transportation and shipping.

The latter accounted for more APT detections than any other vertical and witnessed a 100% increase in ransomware in the US, the report claimed.

The most active advanced threat groups during the quarter were the China-linked Mustang Panda, Russia’s APT29 and Pakistan-linked APT36.

Red team software Cobalt Strike remained a popular tool for threat actors, seen in a third (33%) of observed global ransomware activity and 18% of APT detections in Q3.

There was also a reminder in the report of the need for risk-based patch management programs. Trellix observed Microsoft Equation Editor vulnerabilities from several years ago – CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802 – as the most frequently exploited among malicious emails received by customers in the quarter.

“We continue to see unremitting activity out of Russia and other state-sponsored groups,” noted Trellix head of threat intelligence, John Fokker.

“This activity, plus a rise in politically motivated hacktivist action and sustained ransomware attacks on healthcare and education systems, signals the need for increased inspection of cyber-threat actors and their methods.”

What’s hot on Infosecurity Magazine?