2022 Ransomware Attacks and Evolution of Data Exfiltration


By: Anthony Webb, VP International at A10 Networks

Ransomware is one of the most sophisticated and feared attacks in the modern threat landscape. A specialized form of malware, ransomware is designed to forcibly encrypt a victim’s files. The attacker then demands a payment from the victim in exchange for the decryption key needed to restore access to the data. Costs can range from a few hundred dollars to millions, in addition to the disruption suffered while the data remains inaccessible.

Notable ransomware attacks of 2022

1. Costa Rica ransomware attack (government)

In May 2022 President Rodrigo Chaves of Costa Rica declared a national emergency due to Conti ransomware attacking numerous government institutions including the Ministry of Finance, Ministry of Science, and the Costa Rican Social Security Fund (CCSS).

Conti, a ransomware-as-a-service, has been wreaking havoc since 2020. Conti ransomware has several unique features not seen before, including the ability to run 32 encryption threads simultaneously, and remote control through command-line options.


2. Puma ransomware attack (enterprise)

Puma was alerted to a security breach on 10 January, caused by a ransomware attack on Kronos, their workforce management solutions provider. The attack combined ransomware with data exfiltration: personal data of over 6,600 employees, including Social Security numbers, was taken and encrypted, but no customer information was compromised. Kronos regained access to their data soon after, issuing two years of complimentary Experian IdentityWorks to affected Puma employees as compensation, including credit monitoring, insurance, and restoration.

3. French hospitals targeted with ransomware (healthcare)

In August, hackers used LockBit ransomware and targeted French hospital Centre Hospitalier Sud Francilien with data exfiltration. In retaliation for not paying a ransom, the attackers leaked patient data, including laboratory analyses, radiology reports, and more. The attack caused disruption of all health services, forcing transfer of patients to other facilities and postponement of surgeries.

Another French hospital, André Mignot hospital in Versailles, was also hit with ransomware in December. They had to shut down their network as a security measure.

What was the prevailing ransomware variant of 2022?

According to a Malwarebytes report, LockBit (formerly “ABCD” ransomware) was the main ransomware variant of the year. LockBit ransomware scans for targets of value, propagates itself, and encrypts any computers that are connected to the network.

“LockBit is a subclass of ransomware known as a ‘crypto virus’ due to forming its ransom requests around financial payment in exchange for decryption. It focuses mostly on enterprises and government organizations rather than individuals.”

– Source: Kaspersky Lab’s article LockBit ransomware — What You Need to Know

How do ransomware attacks work?

Ransomware attacks can be initiated in many ways. One of the most common is a phishing exploit, in which an email delivers an attachment disguised as a legitimate business file. Once it has been downloaded and opened—often by a victim with good intentions and no awareness of the threat it contains—the malware takes over the victim’s computer, and can even use built-in social engineering tools to gain administrative access. At this point, the ransomware can spread laterally from one computer to another and ultimately infect the entire network.

Once the malware has taken over the victim’s computer, the typical next step is to encrypt some or all of the user’s sensitive files and forcibly reboot the user’s system. The user is then informed of the exploit and notified of the ransom being demanded, usually in the form of an untraceable Bitcoin payment, as well as a deadline for payment.
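The encryption stage described above has a visible footprint on the endpoint: one process renames many files to a new extension in a short burst, then drops a note telling the user how to pay. The following is an added example, not code from the original article or from A10 Networks, showing how a defender can flag that footprint in file-activity telemetry. The log format (timestamp, process, action, path), the `.locked` extension, the note name, and the 5-files-in-60-seconds threshold are all constructed assumptions for illustration; real EDR or audit logs will differ and thresholds should be tuned per environment.

```python
"""Heuristic detector for the encryption stage of a ransomware attack.

Added example (not from the article or A10 Networks). Assumes a simple,
constructed file-activity log with one event per line:
    <ISO timestamp> <process> <CREATE|MODIFY|RENAME> <path>[ -> <new path>]
Two signals are checked: (a) one process renaming many files to a single
new extension inside a short window, (b) creation of a ransom-note-like
text file. Forward slashes are used in the sample paths so the example
runs unchanged on any OS.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from os.path import basename, splitext

# Constructed sample: a normal document save, a benign backup rotation
# (two renames, below threshold), then a burst of renames to ".locked"
# followed by a ransom note dropped on the desktop.
SAMPLE_LOG = """\
2022-11-03T09:14:02 winword.exe MODIFY C:/Users/alice/Documents/budget.docx
2022-11-03T09:14:30 backup.exe RENAME C:/Backups/db.bak -> C:/Backups/db.bak.1
2022-11-03T09:14:31 backup.exe RENAME C:/Backups/db.bak.1 -> C:/Backups/db.bak.2
2022-11-03T09:15:10 svchost_update.exe RENAME C:/Users/alice/Documents/budget.docx -> C:/Users/alice/Documents/budget.docx.locked
2022-11-03T09:15:11 svchost_update.exe RENAME C:/Users/alice/Documents/q3.xlsx -> C:/Users/alice/Documents/q3.xlsx.locked
2022-11-03T09:15:12 svchost_update.exe RENAME C:/Users/alice/Documents/plan.pptx -> C:/Users/alice/Documents/plan.pptx.locked
2022-11-03T09:15:14 svchost_update.exe RENAME C:/Users/alice/Pictures/team.jpg -> C:/Users/alice/Pictures/team.jpg.locked
2022-11-03T09:15:15 svchost_update.exe RENAME C:/Users/alice/Desktop/notes.txt -> C:/Users/alice/Desktop/notes.txt.locked
2022-11-03T09:15:40 svchost_update.exe CREATE C:/Users/alice/Desktop/RESTORE-MY-FILES.txt
"""

EVENT_RE = re.compile(r"^(\S+) (\S+) (CREATE|MODIFY|RENAME) (.+)$")
# Words that commonly appear in ransom-note file names (assumed list).
NOTE_RE = re.compile(r"(readme|restore|recover|decrypt|how.?to)", re.IGNORECASE)
NOTE_EXTS = (".txt", ".hta", ".html")


def parse_events(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, proc, action, rest = m.groups()
        src, _, dst = rest.partition(" -> ")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "proc": proc,
            "action": action,
            "path": src.strip(),
            "new_path": dst.strip() or None,
        })
    return events


def detect(events, window=timedelta(seconds=60), threshold=5):
    """Return a list of (kind, process, detail) alerts.

    kind is "mass-rename" when one process changes the extension of
    `threshold` or more files to the same new extension within `window`,
    or "ransom-note" when a process creates/modifies a note-like file.
    """
    alerts = []
    recent = defaultdict(deque)   # (proc, new_ext) -> recent rename timestamps
    flagged = set()               # keys already alerted, to avoid repeats
    for ev in events:
        if ev["action"] == "RENAME" and ev["new_path"]:
            old_ext = splitext(ev["path"])[1].lower()
            new_ext = splitext(ev["new_path"])[1].lower()
            if new_ext and new_ext != old_ext:
                key = (ev["proc"], new_ext)
                q = recent[key]
                q.append(ev["ts"])
                while q and ev["ts"] - q[0] > window:   # slide the window
                    q.popleft()
                if len(q) >= threshold and key not in flagged:
                    flagged.add(key)
                    alerts.append(("mass-rename", ev["proc"],
                                   f"{len(q)} files -> {new_ext} within {window.seconds}s"))
        elif ev["action"] in ("CREATE", "MODIFY"):
            name = basename(ev["path"])
            stem, ext = splitext(name)
            if ext.lower() in NOTE_EXTS and NOTE_RE.search(stem):
                alerts.append(("ransom-note", ev["proc"], name))
    return alerts


if __name__ == "__main__":
    for kind, proc, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"[{kind}] {proc}: {detail}")
```

Run as a script it reports the rename burst and the note, both attributed to the same process, while the two-file backup rotation stays below the threshold. In practice the rename signal is the earlier and more valuable of the two, since the note usually lands after encryption is already under way; pairing it with an automatic response (suspend the process, isolate the host) is what limits the blast radius.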
