GuidePoint Security announced the release of GuidePoint Research and Intelligence Team's (GRIT)
Q2 2023 Ransomware Report. This report is based on data obtained from
publicly available resources, including threat groups themselves, and
insight into the ransomware threat landscape. In the second quarter,
GRIT tracked 1,177 total publicly posted ransomware victims claimed by
41 different threat groups.
GRIT's latest Ransomware Quarterly Report
shows a 38% increase in public ransomware victims compared to Q1 2023,
and a startling 100% increase from Q2 2022. Manufacturing and
Technology, representing 14% and 11% of impacted industries
respectively, continue to be the most impacted industries, a trend that
has persisted from GRIT's observations in 2022 and Q1 of 2023. The
Consulting (+236%) and Insurance (+160%) industries experienced the
greatest relative growth in observed ransomware attacks, contrasted with
the relative decline experienced by Governments (-61%) and the
Automotive (-59%) industry.
GRIT again observed an increase in the activity of
Ransomware-as-a-Service (RaaS) groups throughout the quarter, attributed
to 14 new groups that began operations in Q2 2023. This represents a
260% increase in "First Seen" groups compared to Q1. LockBit's
commanding lead in the Ransomware-as-a-Service (RaaS) economy can be
observed across all five of the most impacted industries except
Healthcare, where it faced competition from Bianlian and Karakurt.
"Q2 2023 continued to highlight the growing ransomware threat facing
organizations across the globe, from both established ransomware gangs
and emerging or ephemeral opportunistic groups," said Drew Schmitt, GRIT
Lead Analyst. "Reduced barriers to entry afforded by the
Crimeware-as-a-Service and Ransomware-as-a-Service economies will almost
certainly encourage more entrants going forward, and though the re-use
of historical malware and ransomware provides an advantage for
well-prepared and resourced defenders, smaller or less-resourced
organizations will face an increased risk from the greater volume of
threats."
Key Highlights of the Report:
- For the first half of 2023, correlation between the total number of ransomware groups and total observed ransomware events suggests that newly emerging groups directly contribute to the rise in total victims.
- Q2 observed ransomware events are visibly higher than Q1, month-over-month. The observable spikes in late March, May and June are the result of mass vulnerability exploitation events (GoAnywhere, PaperCut and MOVEit respectively) attributed to Clop and other ransomware groups. The MOVEit campaign accounted for 6% of June's attacks and 94% of Clop's total for Q2.
- LockBit remains the most prolific ransomware threat group, despite experiencing a 10% decline in observed victim volume in Q2 relative to Q1. AlphV is the second most active ransomware group in Q2, experiencing a 50% increase in victim volume over Q1. 8Base is a newcomer, but is the third most active actor in Q2, responsible for 9% of all observed ransomware attacks. Bianlian and Clop round out the top five most active ransomware groups in Q2.
- 8Base and Akira, two ransomware groups that came to prominence in Q2, have surprised security researchers with the speed at which they established themselves as prolific actors. In Q2 alone, 8Base was responsible for 107 observed ransomware incidents, and Akira was responsible for 60, placing both within the top 10 most impactful ransomware groups.
- GRIT has observed an increase in ransomware groups impacting public, non-profit school systems and districts. Historically, image-conscious groups have stated that these types of targets are "off limits," except in instances where the organization is private and/or generates revenue. However, groups are increasingly eschewing this norm, indicating a change in calculus, especially if public schools are easier to breach, more consistently pay ransoms, or result in particularly sensitive data exfiltration.
- The prevalence of leaked ransomware builders has continued to lower the barriers to entry for emerging ransomware groups. Most notably, encryptors for Babuk, LockBit, and Conti have all been leaked online, allowing threat actors with lower technical expertise or familiarity with encryption to slightly alter and deploy fully functional ransomware.
"From the rapid diversification of the ransomware threat roster, to
recycled ransomware and crimeware, to data-focused extortion shifts,
GRIT continues to monitor and report on the shifting TTPs in the
ransomware ecosystem," said Schmitt. "Community and law enforcement
information sharing remain key to identifying and stymying the
effectiveness of ransomware groups, and GRIT remains dedicated to the
mission of increasing threat intelligence sharing through public and
private partnerships."