Watch for These Ransomware Trends in Q4 2022

ransomware trends - person logging into computer

The best defense against ransomware remains a solid foundation of backups, layered security, and cybersecurity monitoring. However, to keep the layers of security effective, it helps to stay current with the latest trends in ransomware activity. So, what do ransomware trends should you expect as we approach the end of 2022?

Well, since the last ransomware attack method review, the number of attacks continues to ebb and flow. Some attackers increased their activity, while other attackers became more selective.

However, the more important ransomware trends relate to changing methods and evolving targets.

Let’s dive into the latest forms of attack you’ll want to prepare for.

Corrupt Instead of Encrypt?

Endpoint protection and other security measures now effectively monitor for signs of data encryption. These options can trigger early warning for some ransomware attacks.

However, ransomware trends indicate that attackers remain well aware of this defense.

For instance, affiliates of the BlackCat ransomware-as-a-service (RaaS) gang modified their Exmatter data exfiltration tool to avoid such detection.

Although the tool still exfiltrates data, but only after the software randomly selects files to be partially overwritten and corrupted.

Victims can’t decrypt or recover corrupted data. Instead, they must to restore from backups or buy back the untainted data from the attacker. Essentially, victims are torn between restoring from backups (assuming they keep them), or paying the ransom.

And, with ransoms sometimes entering tens of millions of dollars, it’s an unsavory choice.


In further ransomware trends, the software attackers use now receive regular updates, just like any Microsoft or Apple product.


For example, the Exmatter tool continues to receive regular updates, such as:

  • Limiting file types to accelerate exifiltration
  • Adding FTP as an option for exfiltration
  • Detecting non-valid (ie: researcher) environments and self-delete the software to avoid analysis

Additionally, the pervasive Emotet botnet, now acts as a deployment vehicle, expanding the potential reach for both BlackCat and Quantum ransomware.

An image of a keyboard in front of a screen that reads "You have been hacked!"
Related: Have you been hacked? This is a key indicator. (click image to learn more)

Ransomware Trends: Adapting Attacks

Other notable developments illustrate the evolution of the ransomware trends, tactics, and targets.

Let’s take a look at some of the latest ransomware trends recently making headlines today.

  • Stolen code enables defense and attacks: Researchers love ransomware code leaks that enable analysis and the development of countermeasures. However, this works both ways. The Bloody ransomware gang took advantage of the leaked LockBit3.0 builder to create their own ransomware.
  • Anti-cheat system = Anti-antivirus: Attackers developed a method to install the anti-cheat driver for the Genshin Impact game. This enables kernel access, which attackers use to disable antivirus programs.
  • Fake Google software update: The HavanaCrypt ransomware gang hides their malware within a file named Google Software Update. Making matters worse, they’ve modified the file even gone so far as to list Google as the publisher. This gang is also notable for killing processes that might block encryption (VMs, data synchronization agents, etc.), as well as deleting restore points and Volume Shadow copies.
  • Double and triple extortion: The new Donut-Leaks extortion site recently posted files already posted by other ransomware gangs, such as Ragnar Locker and Hive. Their newest release was even more extensive, suggesting that the Donut-Leaks gang either performed the original exfiltration, or stole the data from the ransomware gang.
  • Banking trojan adds ransomware component: Version 5 of the SOVA Android banking trojan can now encrypt files on mobile devices and now extends the threat of ransomware to mobile devices.

  • Multiple encryption tactics: The FBI and CISA warns that the Zeppelin RaaS specializes in attacking both tech and healthcare companies in Europe and the USA. Additionally, the group may execute their malware multiple times on the same systems, in order to force their victims to need multiple decryption keys to restore their data.
  • VoIP Phone vulnerabilities provide network side doors: The Lorenz ransomware gang exploited vulnerabilities in Mitel’s MiVoice Voice-over IP (VoIP) system, in order to gain entry & ransom the rest of the corporate network.

  • Korean VM specialist: The GwisinLocker gang specializes in attacking the virtual machines and VMware ESXi servers of South Korean healthcare, pharmaceutical and industrial companies. Their sophisticated software injects malware into existing Windows processes to avoid antivirus detection. Or, alternatively, it registers as a service, in order to force computers to reboot in safe mode, then running the program.

  • Large victim specialist: Adapting to responses from law enforcement, ransomware trends indicate smaller businesses face new threats. Over the last several months, many ransomware gangs stopped pursuing high-profile corporations to avoid law enforcement attention.

    However, this opened a niche for the Royal ransomware gang, as they pursue the largest companies and demand $250k – $2 million in ransoms.

The Best Defense is Preparation Against Ransomware Trends

Ransomware recovery is many times more expensive than the costs for prevention and monitoring. As the 7-Eleven stores in Denmark discovered, even the disruption of a single critical system (their payment and checkout systems) can lead to shutting down all operations.

Additionally, the increasing costs and decreased payouts of cybersecurity insurance eliminates safety nets and forces organizations to become more serious about cybersecurity defense and monitoring.

But, the good news is that you never need to go it alone.

Blue Bastion, along with our partner division Ideal Integrations, is here to help.

If you’re looking for assistance for preparation, monitoring, or even recovery operations, just contact us at 412-349-6680, or fill out the form below, and we’ll be more than happy to assist you in any way possible.

And, as always, no matter your decision in the world of cybersecurity, always remain vigilant.

Secure Your Business With Blue Bastion - Contact Us Today!