Most pandemic-era ransomware raids conducted by two gangs

Research from the Australian Institute of Criminology suggests that just two ransomware operations, Conti and LockBit, were responsible for nearly one third of all major attacks against organisations across four English-speaking nations during the pandemic era.

Based on data from security vendor Recorded Future, and from open sources, the study [pdf] examined 865 ransomware attacks targeting organisations in Australia, Canada, New Zealand and the United Kingdom between 2020 and 2022.

Counts of recorded ransomware attacks in each country between 2020 and 2022.

In the study, Conti emerged as the single most prolific group, conducting 141 attacks before it appeared to be shutting down in mid-2022 following public leaks of internal chats.

Despite supposedly disbanding, since May this year an anonymous leaker has published a vast trove of material on the Telegram app of alleged Conti and Trickbot members, including photos, personal videos, chat logs and ransomware negotiations, The Register reported.

Meanwhile, LockBit, when combining its various iterations, proved almost equally destructive with 129 attacks across the period.

These figures compare with other players like Pysa, which managed 48 attacks before ceasing operations in late 2021.

The research reveals a clear hierarchy of victimisation, with industrial companies suffering 239 attacks, more than any other sector.

Consumer goods businesses faced 150 attacks, while real estate, financial services and technology sectors each endured roughly 90 attacks.

One of AIC's findings was that once an organisation was hit, it stood at risk of being attacked again by ransomware raiders.

Among Conti's victims is New Zealand's Waikato District Health Board, which was attacked in 2021 with information services in all the region's hospitals experiencing full outages.

Ironically enough, of the countries in the study, New Zealand had the fewest recorded attacks at 18.

The United States State Department has had a US$10 million bounty on Conti since 2022.

In February 2024, Britain's National Crime Agency (NCA) and the US Federal Bureau of Investigation (FBI) said they had arrested Lockbit members.

However, soon after, the Lockbit gang appeared to be active again, and in February this year, was alleged to have been involved in the Medibank breach, through a Russian service provider.

A strong reason for the success of Conti and Lockbit is that they have evolved to become ransomware-as-a-service (RaaS) operators, a model in which affiliates perform most of the attacks, which become more prolific as a result.

In the RaaS model, core groups focus on developing and distributing malware, recruiting affiliates, and managing victim payments through "darknet" leak sites.

Meanwhile, affiliates act as commissioned workers responsible for the hands-on work of compromising victim systems, deploying the actual ransomware, and conducting ransom negotiations.

Such a market-based relationship has proven fluid, with affiliates frequently switching between different ransomware groups in response to better financial incentives, such as increased shares of ransom payments.

The ephemeral nature of these partnerships allows criminal organisations to rapidly scale their operations without the overhead of managing large permanent workforces.

AIC's research demonstrates the effectiveness of this approach. For example NetWalker's transition to a RaaS model in 2020 coincided with it becoming responsible for the greatest number of attacks that year, with 35 incidents.

Similarly, LockBit's successful operation of a RaaS scheme helped establish it as the world's most active ransomware group by 2022.

The report warns that high-risk sectors need tailored prevention strategies, including staff training, cybersecurity audits and advanced detection tools against ransomware.

It emphasises the importance of closer cooperation between governments, law enforcement and academics to disrupt ransomware groups, which the report describes as organised, adaptive and professional criminal networks.

AIC's report was written by criminologists Chad Whelan, David Bright, James Martin and Callum Jones from Deakin University, and Benoît Dupont from the Université de Montréal.