GuidePoint Security announced the release of GuidePoint Research and Intelligence Team's (GRIT)
2022 Ransomware Report. This report is based on data obtained from
publicly available resources, including threat groups themselves, and
insight into the ransomware threat landscape. GRIT outlined a new
taxonomy that allows for more insights into how ransomware groups
progress in their operational maturity and the ability to classify and
identify potential rebranding activity. Over the course of 2022, GRIT
tracked 2,507 publicly posted victims across 54 threat groups and 40
industry verticals.
The 2022 GRIT Ransomware Annual Report
shows an uptick of ransomware activity from Q3 2022 to Q4 2022, as
rebranded ransomware groups significantly increased the number of
publicly claimed victims. Throughout 2022, victim posting rates remained
fairly consistent - no quarter saw fewer than 569 total victims - with
the biggest lull occurring in late June 2022 and early July 2022, most
likely attributable to the shift from Lockbit2 to Lockbit3, although
challenges in the cryptocurrency market may have also had an impact.
Across the year on average, ransomware groups were responsible for
publicly posting 6.87 victims per day to their respective leak sites.
"Threat actors continue to leverage many of the same tactics and
techniques to compromise victim organizations such as open RDP and SSH,
as well as unpatched and dated vulnerabilities," said Drew Schmitt, GRIT
Lead Analyst, GuidePoint Security. "The exploitation and weaponization
of vulnerabilities is one of the most effective methods for achieving
initial access into victim networks. When updates are made, such as
Microsoft's change of Office Macro default behavior, threat actors have
continued to demonstrate flexibility, rapidly changing initial delivery
methods for email-based attacks."
Key Highlights of the Report:
- There is a strong correlation between victim posting rates and the price
  of Bitcoin, suggesting that threat groups ramp up/down operations to
  maximize profits.
- GRIT tracked 54 groups utilizing a double-extortion methodology, many of
  which are utilizing a Ransomware as a Service (RaaS) model to increase
  productivity and maximize revenue.
- Every month in 2022 saw at least one new group emerge with double extortion capabilities.
- Manufacturing was by far the most targeted industry, followed by Technology, Construction and Healthcare.
- The United States is by far the most targeted country across all
  ransomware groups, and Western countries made up the vast majority
  (77%) of all ransomware attacks.
Over the course of 2022, there was at least one new ransomware group
each month. The most active ransomware groups were Lockbit, Alphv, Hive
and Blackbasta; despite its early exit in 2022, Conti came in 5th.
Lockbit accounted for 33% of all publicly posted ransomware victims.
Blackbasta didn't enter the double extortion game until late April 2022,
yet still ended 2022 as the 4th most impactful ransomware group. Vice
Society began 2022 with a huge spike in publicly posted victims, posting
25 victims on January 6th; however, a sharp decrease and a "low and slow"
approach throughout the remainder of the year led them to 6th place
overall among ransomware groups. Despite both getting a late start in
2022, BianLian and Royal ended up as the 7th and 8th most impactful
ransomware groups of 2022, respectively.
"Based on the trends over the last year, we expect to see an increase in
ransomware rebranding," said Schmitt. "Vulnerabilities, emerging
technologies and personal devices will continue to be heavily researched
and utilized for initial intrusion into networks, with the time to
weaponize vulnerabilities likely decreasing as the year progresses.
Additionally, as organizations make gains in improving their security
posture, we believe that ransomware groups will shift to single
extortion attempts based on data exfiltration where no encryption event
occurs."
For more information or to download the report, go to:
https://www.guidepointsecurity.com/resources/grit-annual-ransomware-report-2022/.