Ransomware activity and network access sales in Q3 2022

Ransomware activity report: Threat actors are selling access to hundreds of organizations, with a cumulative requested price of around $4M.

Research published by threat intelligence firm KELA related to ransomware activity in Q3 reveals a stable activity in the sector of initial access sales, but experts observed a rise in the value of the offerings.

“In Q3 actors offered more expensive listings since the total number of listings remained almost the same. On average, there were around 190 access listings in each month of Q3, slightly higher than in Q2.” reads the report published by the experts.

KELA identified around 600 victims by analyzing ransomware actors’ blogs and negotiation portals, data leak sites and public reports. Compared to the second quarter of 2022, the activity decreased by 8%, falling from July to August but increasing from August to September. On average, the experts observed 200 attacks each month of Q3 compared to 216 victims in Q2.

In Q3 2022, the most prolific ransomware and data leak actors in Q3 were LockBit, Black Basta, Hive, Alphv(aka BlackCat) and the new entry BianLian group.

Giving a look at the geographical distribution of the attack, we can observe that the most targeted country is the US (40%), followed by France, Germany, and Spain.

The most targeted sector was professional services.

The average price for access was around $2800, while the median price was $1350.

One of the most worrisome findings of the report is the number of network access listings for sale in Q3, KELA experts traced over 570 offers, with a cumulative requested price of around $4 million.

“In Q3 2022, KELA traced over 570 network access listings for sale, with a cumulative requested price of around USD 4 million; one access was offered for USD 3 million. This constitutes a significant increase compared to the total amount of about USD 660,000 demanded in Q2.” continues the report. “However, excluding this one USD 3 million access, the difference wouldn’t be so serious,”

Ransomware is a profitable business, and for this reason, new ransomware gangs are entering the cyber arena, is some cases the groups are composed of members of now-defunct prominent extortion groups. In Q3, new data leak sites emerged in the cybercrime ecosystem, including BianLian, 0mega, Daixin Team, and Donut Leaks.

“Ransomware and data-leak actors continue to operate vigorously while new gangs emerged in Q3 2022. IABs offers continued to be in demand and to increase in quantity and price.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]