KELA 2022 Cybercrime Annual Report: Ransomware, Extortion, and Network Access Sales

i-AML KELA 2022 Cybercrime Annual Report Ransomware, Extortion, and Network Access Sales

Ransomware and extortion attacks have been a growing concern for individuals and organizations alike in recent years. These types of attacks involve hackers gaining unauthorized access to a computer system or network and either holding the system hostage by encrypting the data until a ransom is paid, or threatening to release sensitive information unless a ransom is paid.

In addition to these types of attacks, particular attention was focused on the sale of network access on cybercrime sources, which can potentially be used by hackers to carry out ransomware and extortion attacks.

This report will provide an overview of the state of ransomware and extortion attacks and network access sales in 2022, as well as evolution of trends and ways to prevent and mitigate these types of attacks.

In 2022, KELA observed almost 2800 victims of ransomware and extortion attacks being claimed by threat actors across various platforms. The victims were listed on approximately 60 different platforms, with about 52% of these sources emerging in 2022 alone.




The average ransom demand was around USD3.7 million, based on negotiations observed by KELA.

In 2022, it became even more difficult to distinguish between groups that actually use ransomware and those that just mimic their methods without actually using encryption malware. Instead of participating in the ransomware-as-a-service (RaaS) underground economy, some threat actors realized that they could still be successful, leading to the emergence of “data leak sites” or Telegram channels where information was sold or leaked without the use of malware (such as Lapsus$ and Stormous).

Top five attackers tracked by KELA were responsible for more than 50% of all victims in 2022: LockBit, Alphv, Conti, Black Basta and Hive.

Top five countries affected by ransomware and extortion attacks were the US (40%), the UK, Germany, Canada and France (4-6% of overall victims each).

Top five sectors: in 2022, the manufacturing and industrial products sector suffered the most attacks, followed closely by the professional services sector. The technology, engineering, and consulting sector, as well as the healthcare and life sciences sector, had a similar number of victims.

Biggest events discussed by KELA in this part of the report included influence of the Russia-Ukraine war on ransomware & extortion actors, and leaks of RaaS operations’ internal information (Conti, Yanluowang and LockBit).

Biggest trends discussed by KELA in this part of the report included new intimidation methods used by ransomware and extortion attacks: not disclosing victims’ names instantly, listing of victims’ clients as alleged victims, “private” blog entries, and attacking companies through their managed service providers. Other trends were related to new features introduced with the goal of increasing monetization, such as collaboration of extortion actors with ransomware gangs, selling network access and corporate data.


January 23, 2023 Published by KELA Report (Download PDF).

Recent Posts