2 minute read

It’s 2023 and security firms are starting to release findings from 2022 threat data, notably their lists of the most active, impactful ransomware groups.

As with all threat reports, the findings and prevalence are subject to each firms’ visibility, methodology, etc. The data isn’t perfect and it’s not particularly actionable on its own, but it’s interesting and in aggregate can be a useful starting point for other analysis.

The 2022 ransomware leaderboard

This is not the product of any intelligence analysis. I am but an aggregator and this leaderboard is the product of “assign points based on individual rankings then count the points” by way of this spreadsheet :)

Rank Group
1 LockBit
2 Hive
  ALPHV/BlackCat
3 Conti
  Black Basta
4 Pyaa
  Phobos
5 Vice Society
  REvil

Read on for some thoughts re: how this type of data can be useful, followed by summary data and charts from each report.

Use cases for imperfect threat data

A good use case for these types of lists–and a way to make them actionable–is to look at tactics starting with initial access and progessing through the intrustion lifecycle. For each tactic, look for common vectors and MITRE ATT&CK techniques (some of this is readily available in the source reports below). The goal is see whether we can glean good enough insights and do it quickly, assess risks, and take preventative measures.

An example (not based on analysis of this data):

  • Prevailing initial access vectors for ransomware (and probably most intrustions) are something like: phishing, remote management and monitoring (think RDP systems), remote access systems (think employee VPNs), and widely exploited vulnerabilities.
  • We determine that 3 of the 5 most active ransomware groups leverage widely exploited vulnerabilities for intial access.
  • We now have a good enough case for looking at publicly-accessible systems immediately to ensure that they’re patched, and we have a strong vote for ensuring that vulnerability management is receiving the attention it deserves.

Go through this process, or seek out resources from folks who have already done the distillation, rinse and repeat.

This sounds simple and obvious because it is. The short list of “how ransomware happens” isn’t terribly long and few TTPs are novel. Unfortunately, it’s easy and commong for teams to get wrapped up in the minutiae of threat modeling, risk quantification, etc.–perfect over plenty good enough–and in doing so they waste valuable time addressing high impact, high likelihood risks that are staring us right in the face.

Reports and summary data

Sophos says:

  1. LockBit
  2. BlackCat
  3. Phobos
  4. Conti

Cisco Talos says:

  1. LockBit
  2. Hive
  3. Black Basta
  4. Vice Society

Recorded Future says:

  1. LockBit
  2. Conti
  3. Pyaa
  4. REvil

BlackFog says:

  1. LockBit
  2. BlackCat
  3. Hive
  4. Conti