Chris Swagler | January 24th, 2023

Looking forward in 2023, people can learn a lot about ransomware by looking back to 2022. Many of the same ransomware operations cybersecurity companies have been watching for years, along with some newcomers, carried out frequent cyberattacks. Various ransomware groups run their operations like businesses, complete with marketing departments and user guides. With the introduction of Ransomware-as-a-Service (RaaS), groups can sell their software to other cybercriminals and receive revenue without lifting a virtual finger. Some groups, like real businesses, are more successful than others. Companies can develop an effective plan to avoid ransomware attacks in 2023 by analyzing current and prevalent techniques. The following four ransomware groups that made the news in 2022 can be expected to continue their malicious operations throughout 2023.


Through May of 2022, LockBit was responsible for 40% of all ransomware attacks. On social media, the group said that it breached 12,125 organizations, including Thales Ground and the French Ministry of Justice. One of the main reasons the group made news in 2022 was the release of a new ransomware variant known as LockBit 3.0. Even though the group targeted global organizations, the United States was the most heavily targeted with the most victims. Additionally, LockBit made news for becoming the first group to start its own bug bounty program: up to a million dollars was offered to anyone willing to share sensitive personal information with them. LockBit distinguishes itself from other organizations by employing a proprietary information stealer and downloading browser data to its secure server. LockBit was one of several groups that appeared to be “dead” before resurfacing.


Even though the group had an official death date of May 2022, a story about the top groups would be incomplete without REvil. In early 2022, numerous members of the group were arrested in Russia; however, they’re back on the offensive, creating disruption to businesses. Many of the same tactics are being used by the reborn REvil, including creating and appending a random extension to affected files. The attacks are now using an updated encryptor, making it easier for the groups to target their victims.

BlackCat (ALPHV)

BlackCat is new on the ransomware market, having launched its first official cyberattack in 2021. According to the FBI, members are associated with the BlackMatter/DarkSide group. BlackCat has targeted over 60 organizations, including nonprofits and corporations in industries ranging from technology to real estate. The Austrian federal state of Carinthia was among the high-profile attacks in which BlackCat demanded a $5 million ransom. Additionally, the group claims to be the first to launch an attack on a company using RUST, which is widely regarded as one of the most secure programming languages. BlackCat’s attacks are similar in gaining access using previously compromised credentials and then utilizing distributed denial-of-service (DDoS) attacks. The attacks begin with compromising Active Directory user and administrator accounts, followed by the deployment of ransomware.

Black Basta

Numerous members of the Black Basta ransomware group previously belonged to Conti and REvil. The first reported attack by the group occurred in April when the American Dental Association was forced to shut down member services, including online, phone, chat, and email. Other victims were Knauf, a building and construction company, and AGCO, an agricultural equipment manufacturer. Black Basta is known for utilizing a RaaS double-extortion approach that disables victims’ data and threatens to make sensitive information public. Black Basta, like other numerous groups, relies on DDoS attacks to improve the likelihood that the targets will pay the ransom demands.

Companies should use the lessons gained and ransomware techniques witnessed in 2022 to utilize cybersecurity professionals to help them to be safer and more secure moving forward. Additionally, it’s important for companies to always remain vigilant on the current threat landscape and have an incident response plan in place. At SpearTip, our certified engineers examine companies’ security postures to improve the weak points in their networks. We engage companies’ people, processes, and technology to measure the maturity of the technical environment. For all vulnerabilities our engineers uncover, we provide technical roadmaps ensuring companies have the awareness and support to optimize their overall cybersecurity posture. Our ShadowSpear Threat Hunting is a critical pre-breach step in evaluating the effectiveness of current security measures to determine the overall health of environments and prevent breaches.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.