Ransomware activity and network access sales in Q3 2022

Ransomware activity report: Threat actors are selling access to hundreds of organizations, with a cumulative requested price of around $4M.

Research published by threat intelligence firm KELA related to ransomware activity in Q3 reveals a stable activity in the sector of initial access sales, but experts observed a rise in the value of the offerings.

“In Q3 actors offered more expensive listings since the total number of listings remained almost the same. On average, there were around 190 access listings in each month of Q3, slightly higher than in Q2.” reads the report published by the experts.

KELA identified around 600 victims by analyzing ransomware actors’ blogs and negotiation portals, data leak sites and public reports. Compared to the second quarter of 2022, the activity decreased by 8%, falling from July to August but increasing from August to September. On average, the experts observed 200 attacks each month of Q3 compared to 216 victims in Q2.

In Q3 2022, the most prolific ransomware and data leak actors in Q3 were LockBit, Black Basta, Hive, Alphv(aka BlackCat) and the new entry BianLian group.

Giving a look at the geographical distribution of the attack, we can observe that the most targeted country is the US (40%), followed by France, Germany, and Spain.

The most targeted sector was professional services.

The average price for access was around $2800, while the median price was $1350.

One of the most worrisome findings of the report is the number of network access listings for sale in Q3, KELA experts traced over 570 offers, with a cumulative requested price of around $4 million.

“In Q3 2022, KELA traced over 570 network access listings for sale, with a cumulative requested price of around USD 4 million; one access was offered for USD 3 million. This constitutes a significant increase compared to the total amount of about USD 660,000 demanded in Q2.” continues the report. “However, excluding this one USD 3 million access, the difference wouldn’t be so serious,”

Ransomware is a profitable business, and for this reason, new ransomware gangs are entering the cyber arena, is some cases the groups are composed of members of now-defunct prominent extortion groups. In Q3, new data leak sites emerged in the cybercrime ecosystem, including BianLian, 0mega, Daixin Team, and Donut Leaks.

“Ransomware and data-leak actors continue to operate vigorously while new gangs emerged in Q3 2022. IABs offers continued to be in demand and to increase in quantity and price.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.