{
	"id": "c516aa75-38e7-4818-b81b-424efdc2a4ed",
	"created_at": "2026-04-06T00:13:28.52862Z",
	"updated_at": "2026-04-10T13:11:58.132247Z",
	"deleted_at": null,
	"sha1_hash": "0ab7b23a481b7efac15a653d8a19d0489e030ab7",
	"title": "LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1 2022",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 666434,
	"plain_text": "LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS\r\nand Extortion Groups: Ransomware in Q1 2022\r\nArchived: 2026-04-05 12:52:49 UTC\r\nWith contributions by Shingo Matsugaya\r\nRansomware actors were off to a running start in 2022, ramping up their activity as more gangs joined the fray.\r\nUsing data from ransomware-as-a-service (RaaS) and extortion groups’ leak sites, Trend Micro’s open-source\r\nintelligence (OSINT) research, and the Trend Micro™ Smart Protection Network™, we mapped out the\r\nransomware threat landscape of the first quarter (from Jan. 1 to March 31) of 2022. We tracked ransomware\r\nactivity with a focus on the malicious actor groups behind the three ransomware families that pulled in the highest\r\nnumbers of successful attacks during this period: the notorious LockBit and Conti, and the rising player BlackCat.\r\nRansomware threats post year-on-year growth\r\nOur telemetry showed that during this three-month span, we detected and blocked a total of 4,439,903\r\nransomware threats across email, URL, and file layers. This is a 36.6% increase in overall ransomware threats\r\nfrom the previous quarter (the fourth quarter of 2021), and a 4.3% year-on-year rise (from the first quarter of\r\n2021).\r\nThe number of RaaS and extortion groups grew by 63.2% in the first quarter of 2022 over the same period the\r\nprevious year, an increase that inevitably led to more organizations falling prey to ransomware activity. According\r\nto the ransomware groups’ leak sites, which recorded attacks on successfully compromised organizations that\r\nrefused to pay the ransom, ransomware victims rose by 29.2% year-on-year.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022\r\nPage 1 of 14\n\nFigure 1. 
The numbers of active RaaS and extortion groups and of victim organizations of successful ransomware\r\nattacks in the first quarter of 2021 and the first quarter of 2022 \r\nSource: RaaS and extortion groups’ leak sites\r\nLockBit, Conti, and BlackCat’s for-hire attacks prevail\r\nThe three ransomware families that laid claim to the highest numbers of successful attacks in the first quarter of\r\n2022 were all widely known for operating under the RaaS model. Based on data from the leak sites of their\r\noperators, 35.8% of these attacks were attributed to LockBit, while 19% belonged to Conti and 9.6% to BlackCat.\r\nFigure 2. The top three ransomware families used in successful RaaS and extortion attacks in terms of victim\r\norganizations in the first quarter of 2022\r\nSource: RaaS and extortion groups’ leak sites\r\nBased on our ransomware data, which tracked detections of ransomware attempts to compromise organizations,\r\nLockBit and Conti were among the top 10 families detected in the entire first quarter of 2022. Meanwhile,\r\nBlackCat was among the top 10 ransomware families detected in February and March 2022.\r\nFigure 3. The numbers of ransomware file detections of LockBit, Conti, and BlackCat in machines in each month\r\nof the first quarter of 2022\r\nSource: Trend Micro™ Smart Protection Network™\r\nOf the three, only Conti was among the top active ransomware families in the first quarter of 2021, based on RaaS\r\nand extortion groups’ leak sites. In fact, Conti was first among them in that period, racking up a victim count of\r\n105. 
The Federal Bureau of Investigation (FBI) estimates that the group behind Conti, which Trend Micro tracks\r\nas Water Goblin, has amassed more than 1,000 victims and payouts amounting to over US$150 million as of\r\nJanuary 2022, making it one of the costliest ransomware families ever documented.\r\nRaaS providers like LockBit, detections of which were at their highest in the first quarter of 2022 in February,\r\nhave become an even more formidable threat since incorporating double extortion in their playbooks. Under\r\ndouble extortion, ransomware actors not only encrypt their victims’ data and demand payment in exchange for\r\nrestoration of access, but they also put additional pressure on victims by threatening to release the data if the\r\nransom is not paid. LockBit operators relied on this tactic after they took credit for an attack on France’s Ministry\r\nof Justice in January 2022, threatening to publish sensitive ministry data on the dark web upon failure of payment.\r\nRelative to Conti and LockBit, BlackCat (aka AlphaVM, AlphaV, or ALPHV) is a newcomer; it was first reported\r\nin November 2021 by researchers from MalwareHunterTeam. But what sets it apart from many other RaaS\r\noperators is its use of triple extortion, a tactic where ransomware actors threaten to launch distributed denial-of-service (DDoS) attacks on their victims’ infrastructure on top of leaking their data unless the ransom is paid.\r\nBlackCat demands millions of US dollars in bitcoin or monero from its victims. 
It is shaping up to be a major\r\ncontender in the underground marketplace, thanks to its generous payouts to its RaaS affiliates, who can earn as\r\nmuch as 90% of paid ransoms.\r\nBlackCat, which our detections showed was most active in the first quarter of 2022 in February, has successfully\r\ncompromised at least 60 organizations around the world as of March. BlackCat is also notable for being the first\r\nprofessional ransomware family to be written in Rust. This is a major selling point for BlackCat, as Rust is\r\nconsidered a more secure programming language that is capable of concurrent processing. As a cross-platform\r\nlanguage, Rust also makes it easier for threat actors to tailor malware to different operating systems like Windows\r\nand Linux.\r\nRansomware attackers set their sights on small and medium-size businesses\r\nSmall businesses are often subjected to a huge volume of cyberattacks because malicious actors believe that they\r\nhave fewer resources to counter cyberthreats, while medium-size ones make compelling targets because they\r\npossess comparatively valuable assets.\r\nAccording to its leak site data, Conti staged attacks primarily on medium-size organizations (with 201 to 1,000\r\nemployees), accounting for 41.9% of its successful attacks in the first quarter of 2022, with the rest of its attacks\r\nevenly split between small businesses (with at most 200 employees) and large enterprises (with more than 1,000\r\nemployees).\r\nIn contrast, 65.5% of LockBit’s successful attacks in the first quarter of 2022 affected small businesses, followed\r\nby medium-size companies at 20.5% and large enterprises at 10.5%. 
Similarly, BlackCat victimized mostly small\r\nbusinesses in the first quarter of 2022, making up 57.6% of its successful attacks, with medium-size organizations\r\nand large enterprises constituting 25.4% and 17%, respectively.\r\nFigure 4. The distribution by organization size of LockBit, Conti, and BlackCat’s successful attacks in terms of\r\nvictim organizations in the first quarter of 2022\r\nSource: LockBit, Conti, and BlackCat’s leak sites, and Trend Micro’s OSINT research\r\nGovernment, finance, and manufacturing industries grapple with onslaught of\r\nattacks\r\nOur telemetry showed that government agencies and financial companies consistently ranked in the top three\r\nindustries in terms of ransomware file detections from January to March 2022, followed by organizations in the\r\nmanufacturing and fast-moving consumer goods (FMCG) industries. Ransomware actors continued to beset\r\ngovernment organizations, which also contended with high quantities of ransomware detections in the fourth\r\nquarter of 2021.\r\nFigure 5. The top three industries in terms of ransomware file detections in machines in each month of the first\r\nquarter of 2022\r\nSource: Trend Micro Smart Protection Network\r\nOrganizations in finance and IT remained common targets of RaaS and extortion groups. In a repeat of the first\r\nquarter of last year, ransomware groups’ leak sites showed that these two industries sustained the most attacks in\r\nthe first quarter of 2022. 
Ransomware groups have typically been drawn to financial companies not only for their\r\nvaluable data, but also because their attack surface continues to expand as a result of increased connectivity and a\r\nmore distributed workforce.\r\nFigure 6. The top 10 industries affected by successful RaaS and extortion attacks in terms of victim organizations\r\nin the first quarter of 2022\r\nSource: RaaS and extortion groups’ leak sites, and Trend Micro’s OSINT research\r\nOur detections were more or less consistent with our findings from ransomware groups’ leak sites, where financial\r\norganizations bore the brunt — 12.7% — of LockBit’s successful attacks in the first quarter of 2022. The\r\nconstruction and manufacturing industries each made up 9.5% of LockBit’s victim count in the same period. This\r\ncount included one of the world’s largest tire manufacturers, which LockBit compromised in February.\r\nTable 1. The top industries affected by LockBit’s successful attacks in terms of victim organizations in the first\r\nquarter of 2022\r\nSource: LockBit’s leak site and Trend Micro’s OSINT research\r\nIn comparison, Conti’s victims in the first quarter of 2022 were more varied: 12.8% of them were involved in\r\nmanufacturing, with materials and professional services companies running close behind at 10.3% and 8.5%,\r\nrespectively. One notable Conti attack occurred in January, against a Taiwanese electronics company that supplies\r\ncomponents to the likes of Apple, Dell, and Tesla. 
Fortunately, only noncritical systems were affected, but the\r\ncompany’s high-profile clientele gives an idea of how ransomware attacks have the potential to also affect a\r\nvictim’s big-name clients.\r\nTable 2. The top industries affected by Conti’s successful attacks in terms of victim organizations in the first\r\nquarter of 2022\r\nSource: Conti’s leak site and Trend Micro’s OSINT research\r\nOrganizations in the professional services industry were hit hardest by BlackCat in the first quarter of 2022, as\r\nthey were the victims in 13.6% of its successful attacks. Additionally, the finance and legal services industries\r\neach experienced 10.2% of BlackCat’s successful attacks. One organization that fell victim to BlackCat’s activity\r\nwas a Swiss aviation business, which suffered a data leak in February that included the company’s internal memos\r\nand information on job applicants.\r\nTable 3. The top industries affected by BlackCat’s successful attacks in terms of victim organizations in the first\r\nquarter of 2022\r\nSource: BlackCat’s leak site and Trend Micro’s OSINT research\r\nRansomware takes a toll on organizations in Europe and North America \r\nOur investigation into RaaS and extortion groups’ leak sites showed that the US still topped the list of countries\r\nthat suffered the most RaaS and extortion attacks, but many European countries were also affected.\r\nFigure 7. 
The top 10 countries affected by successful RaaS and extortion attacks in terms of victim organizations\r\nin the first quarter of 2022\r\nSource: RaaS and extortion groups’ leak sites, and Trend Micro’s OSINT research \r\nThe bulk — 40.5% — of LockBit’s victims in the first quarter of 2022 were organizations located in Europe,\r\nfollowed by those in North America at 34.1% and those in Asia-Pacific at 10.9%. In particular, the US, Italy, and\r\nFrance experienced the most LockBit attacks. Even though most of LockBit’s victims were based in Europe, the\r\nFBI noted in February that LockBit’s latest known version, LockBit 2.0, was designed to identify and exclude\r\nEastern European organizations from its attacks. LockBit’s previous version also had an automated vetting process\r\nthat screened out systems in Russia and countries belonging to the Commonwealth of Independent States, possibly\r\nas a means of avoiding prosecution in these countries.\r\nFigure 8. The top regions affected by LockBit’s successful attacks in terms of victim organizations in the first\r\nquarter of 2022\r\nSource: LockBit’s leak site and Trend Micro’s OSINT research\r\nIn February, Conti, which has many members located in Russia, weighed in on the Russia-Ukraine conflict and\r\nexpressed its intent to retaliate against anyone who would stage cyberattacks on Russia. This might explain, in\r\npart, the regional distribution of its activity in the first quarter of 2022: Organizations in North America were the\r\nmost affected by its successful attacks, making up 49.6% of its victims, whereas those in Europe accounted for\r\n41.9% and those in the Asia-Pacific region made up 6%. 
Most of Conti’s victims were in the US, Germany, and\r\nthe UK.\r\nFigure 9. The top regions affected by Conti’s successful attacks in terms of victim organizations in the first quarter\r\nof 2022\r\nSource: Conti’s leak site and Trend Micro’s OSINT research\r\nLike Conti, BlackCat focused its activity in the first quarter of 2022 on victims located in North America, where\r\n50.8% of its successful attacks took place. Its victims in Europe and Asia-Pacific accounted for 25.4% and 18.6%,\r\nrespectively. More specifically, it homed in on targets in the US and Italy. In the first quarter of 2022, BlackCat\r\nwas responsible for headline-making attacks on prominent European companies, including a German fuel\r\ndistribution firm and an Italian high-end fashion brand. \r\nFigure 10. The top regions affected by BlackCat’s successful attacks in terms of victim organizations in the first\r\nquarter of 2022\r\nSource: BlackCat’s leak site and Trend Micro’s OSINT research\r\nSecurity solutions and practices safeguard organizations against ransomware\r\nattacks\r\nRansomware remains a major threat to businesses of all sizes, which must contend with malicious actors wielding\r\nan arsenal of increasingly sophisticated tools and techniques. Organizations can mitigate the risk of ransomware\r\nattacks that could compromise their data by following these recommended security practices:\r\nEnable multifactor authentication. 
Organizations should have policies in place that require employees\r\nwho access or store company data on their devices to enable multifactor authentication, so that any\r\nsensitive information in these devices cannot be easily accessed.\r\nBack up data. As much as possible, organizations should follow the “3-2-1 rule” to protect their important\r\nfiles: Create at least three backup copies in two different file formats, with one of those copies stored off-site.\r\nKeep systems up to date. Organizations should update all of their applications, operating systems, and\r\nother software as soon as patches are released by vendors and developers. Doing so can help prevent\r\nransomware actors from exploiting vulnerabilities to gain access to organizations’ systems.\r\nVerify emails before opening them. Organizations should train their employees to avoid downloading\r\nattachments or clicking on embedded links in emails from senders they do not recognize, as malicious\r\nactors bank on these as means to install ransomware.\r\nFollow established security frameworks. Organizations can develop cybersecurity strategies based on the\r\nsecurity frameworks created by the Center for Internet Security (CIS) and the National Institute of\r\nStandards and Technology (NIST). The security measures and best practices laid out in these frameworks\r\ncan serve as a guide for organizations’ security teams as they design their own threat mitigation plans.\r\nOrganizations can augment their cybersecurity infrastructure with multilayered detection and response solutions\r\nthat can anticipate and respond to ransomware movements before operators can carry out an attack. 
One such\r\nsolution is Trend Micro Vision One™, which is equipped with extended detection and response (XDR)\r\ncapabilities that gather and automatically correlate data across multiple security layers — including email,\r\nendpoints, servers, cloud workloads, and networks — to avert ransomware attack attempts.\r\nOrganizations can also benefit from solutions with network detection and response (NDR) capabilities, which can\r\ngive them greater visibility over their network traffic. Among these solutions is Trend Micro Network One™,\r\nwhich provides security teams with the critical network telemetry they need to form a clearer picture of their\r\nenvironment, accelerate their response, and prevent future attacks.\r\nThe supplementary data sheet for this report, including data from RaaS and extortion groups’ leak sites, Trend\r\nMicro’s OSINT research, and the Trend Micro Smart Protection Network, can be downloaded here.\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022"
	],
	"report_names": [
		"lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434408,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ab7b23a481b7efac15a653d8a19d0489e030ab7.pdf",
		"text": "https://archive.orkl.eu/0ab7b23a481b7efac15a653d8a19d0489e030ab7.txt",
		"img": "https://archive.orkl.eu/0ab7b23a481b7efac15a653d8a19d0489e030ab7.jpg"
	}
}