Lockbit 3.0 and Conti Offshoots Drive Massive Resurgence in Global Ransomware Attacks

The global cybersecurity landscape witnessed a significant escalation in ransomware activity throughout July 2022, marking a definitive end to the brief lull observed earlier in the year. According to comprehensive data released by the NCC Group’s strategic threat intelligence team, the frequency of successful ransomware campaigns surged by 47% in a single month. This resurgence is characterized not only by a higher volume of attacks but also by a strategic realignment within the cybercriminal underworld, as established Ransomware-as-a-Service (RaaS) operations undergo sophisticated restructuring. Leading this aggressive wave is Lockbit 3.0, which has solidified its position as the world’s most prolific threat actor, followed closely by a duo of emerging groups—Hive and BlackBasta—both of which have been identified as direct offshoots or affiliates of the now-fragmented Conti syndicate.

The July Resurgence: Data and Market Share

In July 2022, researchers identified 198 distinct ransomware attacks where victim data was published on leak sites, a sharp increase from the 135 incidents recorded in June. While this figure remains below the record-breaking peaks of March and April 2022, where nearly 300 monthly attacks were documented, the upward trajectory suggests that threat actors have successfully navigated a period of internal volatility and are returning to full operational capacity.

Lockbit 3.0, the latest iteration of the Lockbit family, dominated the threat landscape with 62 confirmed victims in July alone. This represents a nearly 20% increase from its June activity. To put Lockbit’s dominance into perspective, the group was responsible for nearly one-third of all global ransomware attacks during the month. Their output more than doubled the combined efforts of the second and third most active groups. The "Lockbit Black" variant, as it is often called, has introduced several innovations to the RaaS model, including the industry’s first bug bounty program for a criminal enterprise, offering rewards for identifying vulnerabilities in their encryption software.

Following Lockbit in the rankings were Hiveleaks (Hive) and BlackBasta. Hive recorded 27 successful compromises, representing a staggering 440% increase in activity compared to June. BlackBasta followed with 24 attacks, a 50% increase month-over-month. Together, these three groups accounted for 57% of the total ransomware volume in July, illustrating a high degree of consolidation in the "big game hunting" segment of the cybercrime market.

The Fragmentation of Conti: A Chronology of Transformation

To understand the current spike in activity, one must look back at the dissolution of the Conti ransomware group, which was previously the most dominant force in the industry. The group’s downfall began in late February 2022, following the Russian invasion of Ukraine. After Conti’s leadership declared its full support for the Russian government, a pro-Ukrainian member of the group leaked over 60,000 internal chat logs and the group’s source code—an event now known as "ContiLeaks."

By May 2022, the brand had become "toxic." The United States Department of State, under its Rewards for Justice program, offered a bounty of up to $15 million for information leading to the identification and location of Conti’s leadership. This immense pressure from international law enforcement, combined with the difficulty of receiving ransom payments as the group became a sanctioned entity, forced a structural overhaul.

Throughout May and June, the Conti hierarchy began a phased shutdown of its public-facing infrastructure. However, rather than retiring, the members dispersed into smaller, more agile cells. This "diaspora" led to the rapid ascent of Hive and BlackBasta. Hive, which had existed previously, absorbed a significant number of Conti’s experienced affiliates, while BlackBasta emerged as a sophisticated "replacement strain," utilizing similar negotiation tactics and technical protocols previously associated with Conti. The July data confirms that this transition period is over; the fractured elements of the Conti empire have settled into their new identities and are now operating at high efficiency.

Technical Evolution and the RaaS Model

The resurgence of ransomware is also fueled by technical refinements in the Ransomware-as-a-Service (RaaS) model. In this ecosystem, developers maintain the ransomware code and infrastructure, while "affiliates" carry out the actual intrusions in exchange for a percentage of the ransom—typically 70% to 80%.

Lockbit 3.0 has set a new benchmark for technical professionalism in this space. By introducing a bug bounty program, the group has crowdsourced the testing of its own malware, with the aim of keeping its encryption tools resistant to cracking by security researchers. Furthermore, Lockbit has expanded into "triple extortion" tactics. Beyond simply encrypting data and threatening to leak it, the group now frequently employs Distributed Denial of Service (DDoS) attacks against victims who refuse to negotiate, adding a third layer of operational pressure.

Hive and BlackBasta have similarly evolved. Hive has gained notoriety for its "multi-platform" approach, utilizing versions of its ransomware written in the Go and Rust programming languages, which are more difficult for analysts to reverse-engineer and for traditional antivirus solutions to detect. BlackBasta, meanwhile, has demonstrated a high level of proficiency in targeting Linux-based virtual machines, specifically VMware ESXi servers, which are the backbone of many modern corporate data centers.

Sectoral Impact and Regional Targeting

The July data highlights a continuing trend of targeting specific high-value sectors. The industrial sector remains the primary target, accounting for a significant portion of the attacks. This includes manufacturing, construction, and engineering firms where operational downtime results in immediate and massive financial losses, making these companies more likely to pay ransoms quickly.

The retail and wholesale sectors followed closely, as threat actors looked to exploit the complex supply chains of global commerce. Geographically, the United States remains the most targeted nation, followed by the United Kingdom and Canada. However, July saw a notable increase in attacks against organizations in Western Europe, particularly in Germany and France, as BlackBasta and Lockbit expanded their footprint in the region.

Official Responses and International Cooperation

The surge in July has prompted renewed calls for international cooperation in the fight against cybercrime. Government agencies, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), have issued joint advisories regarding the tactics, techniques, and procedures (TTPs) of Lockbit 3.0 and the Conti offshoots.

In a statement following the release of the July data, cybersecurity analysts noted that the $15 million reward for Conti information remains a pivotal moment in the timeline of the "Ransomware War." While it led to the group’s fragmentation, it also served as a warning to other groups. However, the July figures suggest that the financial incentives for cybercriminals still outweigh the risks of law enforcement action.

"The persistence of these groups, even under extreme pressure, demonstrates the resilience of the RaaS economy," noted one threat intelligence analyst. "When one brand falls, the talent and the technology simply migrate to a new name. We are no longer fighting single groups; we are fighting a global, decentralized labor market of specialized criminals."

Broader Implications and Future Outlook

The rise of Lockbit 3.0 and the resurgence of the Conti-descended groups carry profound implications for global business and national security. The transition from monolithic gangs to a more fragmented, "brand-agnostic" landscape makes attribution and takedown efforts significantly more complex for law enforcement.

The financial impact of these attacks continues to grow. Beyond the ransom payments themselves—which frequently reach into the millions of dollars—the "hidden costs" of ransomware are becoming the primary concern for organizations. These include the cost of digital forensics, legal fees, public relations management, and the long-term increase in cyber insurance premiums. In some cases, the cost of recovery has been estimated to be ten to fifteen times higher than the actual ransom demand.

Looking ahead to the remainder of 2022, experts predict that the trend of high-volume, high-pressure attacks will persist. The successful "rebranding" of Conti into Hive and BlackBasta provides a blueprint for other groups to evade sanctions and law enforcement. Organizations are urged to move beyond traditional perimeter defenses and adopt a "Zero Trust" architecture, emphasizing data backups, multi-factor authentication (MFA), and proactive threat hunting.

The July data serves as a stark reminder that the ransomware threat is not diminishing; it is merely evolving. As Lockbit 3.0 maintains its foothold and new iterations of the Conti legacy continue to mature, the global community must prepare for a sustained period of heightened cyber conflict. The shift into August is expected to show even higher figures as these restructured groups reach their full operational stride, making 2022 a potentially record-breaking year for the ransomware industry.
