KELA's Ransomware Victims and Network Access Sales Report Finds 227 Ransomware Attacks Every Month in Q1 2022

KELA Q1 Ransomware Report

With the kick-off of RSA 2022, KELA, the leading provider of cybercrime threat intelligence, has released its threat intelligence report: Ransomware Victims and Network Access Sales in Q1 2022.

In Q1 2022, ransomware gangs continued to be a major threat, collaborating with various cybercriminals, such as initial access brokers (IABs), and aiming to conduct attacks against corporations worldwide. 

"IAB offers continued to be in demand in Q1 2022 with some of the sold access listings exploited by ransomware gangs for their attacks," said David Carmiel, CEO of KELA. "It is crucial to monitor such activities and stay one step ahead of cybercriminals to prevent a potential ransomware attack."

Key findings from the company's monitoring of activity of ransomware gangs and initial access brokers in Q1:

  • KELA identified around 700 victims in our sources, showing a decrease of 40% compared to the end of 2021. Nevertheless, there was an increase in attacks per month from January 2022 (152 attacks) to March 2022 (320 attacks). On average, the company observed 227 ransomware attacks in each month of Q1 2022.
  • LockBit replaced Conti as the most active gang since the beginning of the year. The number of attacks launched by the Conti gang fell in January 2022 and increased following a leak of Conti's internal data
  • In Q1, 41 healthcare organizations still were compromised by ransomware gangs; 34% of the attacks were associated with Conti and Karakurt gangs.
  • The finance sector made it to the top five targeted sectors, with LockBit carrying out the largest number of attacks against financial companies.
  • Ransomware gangs were seen using a relatively new intimidating method which includes publishing a victim without its name.
  • The number of network access listings on sale decreased compared to Q4 2021. KELA traced over 520 offers for sale, with the cumulative price requested for all accesses surpassing $1.1 million. 
  • The average time it takes for access to be sold is 1.75 days.
  • KELA was able to identify more than 150 of the network access victims, which allowed it to link some ransomware attacks carried out by BlackByte, Quantum and Alphv to network access put on sale and then most likely bought by a ransomware affiliate.

To read the full report, please visit

About KELA

An award-winning cybercrime threat intelligence firm, KELA's mission is to provide 100% actionable intelligence on threats emerging from the cybercrime underground. Our success is based on a unique integration of our proprietary automated technologies and qualified intelligence experts. Trusted worldwide, our cybercrime threat intelligence and external attack surface management technology automatically penetrates the hardest-to-reach corners of the internet to provide you with unique, contextualized, and actionable insights. Our solutions infiltrate underground places your team can't reach and thoroughly learn your unique requirements to uncover direct threats to your organization. KELA's tailored threat visibility, combined with external attack surface management, arms you with highly contextualized intelligence, as seen from the eyes of attackers, thus enabling proactive network defense. For more information, visit

Media Contact 

Holly Hitchcock

Source: KELA