Emerging Threats

Ransomware rising: A look at ThreatLabz’ latest findings

Jun 27, 2022
ThreatLabz Ransomware Report 2022
“It is human nature to be born with a fondness for profit.” 

- Xun Qing, Chinese Philosopher

This year’s predicted increase in the severity and volume of ransomware attacks has unfortunately come to pass. Zscaler’s embedded threat research team, ThreatLabz, found that these attacks rose by 80% between February 2021 and March 2022 compared to the previous year. ThreatLabz also tracked a 120% jump in incidents of double extortion.

In their recently released annual ransomware report, ThreatLabz delivered a deep rundown of the troubling trends facing security teams. For instance, manufacturing is the most targeted industry, accounting for nearly a fifth of all double extortion ransomware attacks. It retained its position as most targeted from a year before, notching just shy of 13% of the total share of attacks. 

The use of ransomware-as-a-service (RaaS) and supply chain attacks like the Lapsus$ breach involving Okta also increased. 

Despite some headlines, high-profile ransomware groups aren’t disappearing; they’re just rebranding. As law enforcement steps up enforcement, groups change their names and continue their attacks under another banner to avoid pursuit. Importantly, ransomware is increasingly being offered as a service. In the RaaS model, ransomware is promulgated through affiliate networks, often as a method of avoiding sanctions by governments.

In the end, zero trust remains key to defending against ransomware, in addition to educating employees about phishing scams and other threats. When seeking to reduce the chances of a breach – or the impact of a successful one — organizations should minimize their attack surfaces and enforce privileged access control while monitoring traffic and data.

An important evolution in ransomware

Typically, ransomware encrypts an organization’s files into an unreadable format and then demands a ransom payment so the organization can access its files again. But, in 2019, ransomware took a fateful turn. Hackers began utilizing “double extortion” techniques. In this scenario, hackers threaten to leak data if organizations attempt to restore their data from a backup. 

In 2020, threat actors added DDoS tactics to the toolkit. DDoS attacks, also known as distributed denial of services attacks, cripple organizations by shutting down their network. Most recently, in 2021 and 2022, supply chain attacks have become the predominant trend. In these cases, vendors like software or technology providers become an attack vector for ransomware hackers. 

Most recently, cybercriminals greedy for a payday added search functionality to databases of stolen victim data. The brainchild of the ALPHV/BlackCat ransomware group, this feature was meant to make it easier to shame their victims into making a payment. When and from where the next major innovation in ransomware tactics will come is anyone’s guess, but its arrival is a near certainty. 

Attack trends 

Our report also includes detailed attack statistics from 2021 and 2022. As noted, manufacturing and supply chain disruptions were major themes. Manufacturing experienced 339 ransomware infections, with the service industry in second at 169 infections. Manufacturing experienced a 19.5% increase versus a 9.7% increase for the service industry between 2021 and 2022.

Healthcare saw the biggest increase in double extortion attacks, with a whopping 643% increase. Restaurants, bars, and food services were the second most affected by double extortion attacks, suffering from a 460% increase. Other triple-digit attack growth hit the ducation (225%), manufacturing (190%), construction (161%), and financial services (130%) sectors.

Findings clearly demonstrate that, as overall rates of ransomware attacks continue to rise, more and more groups are turning to double extortion to increase their odds of a payout. 


One of the top trends expected to continue into 2022 and beyond is an increased reliance on RaaS, which enables attackers to extend their reach and raise profits.

Targeting supply chains is another trend we expect to continue. In doing so, ransomware actors can focus on a wider attack surface and compromise additional victims with limited added effort. Exploiting suppliers’ weak security allows them to access upstream data of more valuable targets.

Finally, small to midsize businesses will continue to be ideal targets for ransomware actors. Their cybersecurity resources are typically more limited than at the enterprise level, and IT staffing remains a challenge. These trends and other advances in ransomware are explained in more detail in our on-demand webinar.

Top ransomware families 

The ransomware report also includes insights into the most prevalent ransomware families. These in-depth analyses will help you and your organization better defend against future attacks from groups like Conti, LockBit, and PYSA/Mespinoza.


Despite reports greatly exaggerating its demise, Conti is the most dangerous ransomware group currently active. Sometimes characterized as RaaS, Conti relies on affiliates that are essentially employees who receive a cut of the profits. The group delivers spam emails with malicious attachments and links that download additional ransomware. Conti has recently been focused on manufacturing, with 24% of its infections affecting that industry and contributing to its status as the most commonly targeted industry.

When ransoms aren’t paid, Conti publishes the stolen data to its data leak site. More on Conti and its attack tactics and techniques can be found in the report.


LockBit emerged in 2019 as ABCD ransomware, referring to the extension “.abcd.” Later, this extension was changed to “.lockbit,” and the group acquired its new moniker. LockBit then began publishing leaks on Maze’s website before finally starting its own leak site. LockBit’s threat is amplified because of its efficiency in encryption. The group focuses on targeting the manufacturing, services, and construction sectors.


PYSA also first appeared in 2019. Also known as Mespinoza, PYSA focuses on soft targets like educational institutions and hospitals. The group relies on spam emails and compromised remote desktop credentials to breach these organizations. Once they’ve entered a network, they collect intelligence and move laterally using stolen credentials. PYSA targeted the education sector in 18% of its attacks.

Your best defense 

Ultimately, the best way to defend against these attacks is by adopting zero trust principles. Zero trust architecture is a powerful defense against ransomware because of its commitment to minimizing attack surfaces, enforcing strict access control policies, and closely monitoring network traffic.

The data behind these findings and expanded analysis can be found in the full report. Staying on top of ransomware trends is an important step in keeping your organization safe from threat actors.

What to read next 

Shutting down the growing threat of initial access brokers (IABs)

C-SCRM and the C-suite: Securing executive buy-in for supply chain risk management

A CISO's perspective on ransomware payment