Under Attack? Contact Us Start a Free Demo

Top 3 Ransomware Gangs in 2022


Cybercriminal groups continue to emerge worldwide, launching dreadly ransomware and malware attacks at alarming rates. According to the Cyber Crime Magazine, global ransomware damage costs are predicted to exceed $265 billion by 2031, more than twice as much as it does today. In order to defend against these evolving ransomware attacks in the current situation, it is wise to become familiar with the top ransomware groups active in 2022, their key tactics, and prominent attacks. Here are the top 10 ransomware groups that are making the headlines and are actively exploiting organizations across the globe.

LockBit 2.0

LockBit 2.0 is the latest ransomware variant of the original LockBit ransomware gang. The original LockBit ransomware group resurfaced as LockBit 2.0, with reports indicating an increased number of targeted companies. The group uses ransomware-as-a-service (RaaS), whose most recent victim is Accenture. First appearing in Russian-language cybercrime forums in January 2021, LockBit 2.0 is thought to be related to the Ryuk, Egregor, LockerGoga, and the MegaCrotex malware families due to similarities in tactics, techniques, and procedures (TTPs). In contrast to LockBit’s attacks and features in 2019, this version includes automatic encryption of devices across Windows domains by abusing Active Directory (AD) group policies, prompting the group behind it to claim that it’s one of the fastest ransomware variants in the market today. LockBit 2.0 relies on tools such as Windows PowerShell and Server Message Block (SMB) to attack organizations – scanning networks to infect compromised devices. LockBit 2.0 has successfully deployed ransomware within the following industries: manufacturing, retail and food, construction, and professional services, with most of the attempts being against Chile, Tawain, Italy, and the U.K.


The Conti is a ransomware-as-a-service (RaaS) operation believed to be controlled by a cybercrime group in Russia called WizardSpider. The ransomware shares some code with the infamous Ryuk Ransomware, which was last reported in July 2020. The Conti ransomware gains initial access to the network through malicious attachments and links, encrypts data, and spreads to other systems exceptionally quickly, which makes it a very dangerous malicious actor. Cybercriminals typically launch Conti ransomware attacks by stealing files, encrypting servers and workstations, and demanding a ransom payment. Conti was considered one of the most successful ransomware gangs of 2021 and continues to be one of the most prolific ransomware gangs today, especially since REvil members were arrested at the beginning of 2022. According to the Ransomware project, Conti is a highly prolific threat actor managing to obtain more than $50 Million.

Figure 2: Conti Ransom Note


‘BlackMatter’ is a ransomware-as-a-service (RaaS) that first appeared in July 2021, when rumors began circulating that it was linked to the DarkSide attack. Those behind BlackMatter have announced that they have incorporated the best features of DarkSide, REvil, and LockBit. BlackMatter ransomware is gaining popularity and targeting high-profile targets in the U.S., Europe, and Asia. The U.S. government has issued a security bulletin concerning the BlackMatter ransomware group following increased incidents targeting U.S. companies. To combat these attacks, organizations recommend using multifactor authentication (MFA) and updating vulnerable software and systems, such as those that ransomware groups commonly exploit. BlackMatter attackers have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoins and Monero, which indicates that it is hitting hard and achieving big goals.

Figure 3: BlackMatter Ransom Note

How to Defend Against Ransomware Attacks?

Cyber security threats and ransomware attacks are increasing at a tremendous pace. It is extremely difficult for cyber security analysts and incident responders to investigate and detect cyber security threats using conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, fileless malware, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.

Want to try our ThreatResponder, cutting-edge Endpoint Detection & Response (EDR), and ThreatResponder FORENSICS, the Swiss knife for forensic investigators in action? Click on the below button to request a free demo of our NetSecurity’s ThreatResponder platform.


The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that the contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).