A surprising new report out today from Digital Shadows Ltd. finds that ransomware attacks dropped in the third quarter, even despite cyberattacks continuing to remain highly publicized amid the invasion of Ukraine and increasing global macroeconomic uncertainty.

The drop is described in the report as the result of ransomware actors regrouping and refocusing after a busy start to the year, but it’s noted that there were still high-profile attacks. LockBit was the most prevalent ransomware group in the third quarter, with its highest-ever market share, while Conti ransomware attacks fell by the wayside.

The highlight of ransomware attacks in the third quarter was blurred lines between financially and politically motivated attacks. Both government and private companies were targeted as the fog of war from Ukraine spread to much of the rest of the world.

Digital Shadows recorded a 10.5% drop in ransomware attacks versus the second quarter. The demise of Conti and the launch of LockBit 3.0 are noted as primary factors. August in particular was quiet, but the number of ransomware attacks steadily picked up again in September.

LockBit was found to have a 35.1% market share of all ransomware attacks in the quarter, up from 32.8% in the previous quarter. In September, LockBit surged to over a 40% market share, despite some skepticism among hackers about the quality of LockBit 3.0.

The rise of LockBit is tackled further in the report, with Digitial Shadow’s researchers claiming that LockBit’s success is coming at a price — specifically, resentment from competing threat groups and previous members. LockBitSupp refers to the ransomware group’s support channel.

“LockBitSupp frequently — and infamously — gets into public spats with other ransomware representatives, including the representatives of Conti and ‘Alphv,'” the report explains. “It is realistically possible that a rival group targeted LockBit under the guise of retaliation for the Entrust breach.”

The resentment against LockBit culminated with the LockBit 3.0 loader being shared via Twitter Inc. in September. In response, LockBit claimed it was not hacked and it blamed a former developer for the leak. The Digital Shadows researchers notes that regardless of the source, the code appears to be legitimate, resulting in possible consequences in the fourth quarter should other threat actors weaponize the code for their own purposes.

The politicization of ransomware in the quarter is also said to be particularly notable. The report explains that highly disruptive ransomware attacks on both Montenegro and Albania in the quarter are examples of the challenges presented by politically motivated ransomware.

The attack on Montenegro, initially blamed on Russia, was found to have originated in Cuba. Likewise, it was a similar story with Albania, with Russia blamed and then it was discovered that the attack came from Iran.

The report concludes that ransomware gangs and groups, despite the decline in attacks in the quarter, are more prevalent than ever. Digital Shadows monitors 97 ransomware and data-leak sites, of which 44 are active.

Image: TheDigitalArtist/Pixabay