New Quarterly Ransomware Analysis from GuidePoint Security’s Threat Intelligence Team Highlights Significant Growth of New Ransomware Groups and Related Activity
GuidePoint Security, a cybersecurity solutions leader enabling organizations to make smarter decisions and minimize risk, today announced the release of GuidePoint Research and Intelligence Team’s (GRIT) Q2 2023 Ransomware Report. This report is based on data obtained from publicly available resources, including threat groups themselves, and insight into the ransomware threat landscape. In the second quarter, GRIT tracked 1,177 total publicly posted ransomware victims claimed by 41 different threat groups.
GRIT’s latest Ransomware Quarterly Report shows a 38% increase in public ransomware victims compared to Q1 2023, and a startling 100% increase from Q2 2022. Manufacturing and Technology, representing 14% and 11% of impacted industries respectively, continue to be the most impacted industries, a trend that has persisted from GRIT's observations in 2022 and Q1 of 2023. The Consulting (+236%) and Insurance (+160%) industries experienced the greatest relative growth in observed ransomware attacks, contrasted with the relative decline experienced by Governments (-61%) and the Automotive (-59%) industry.
GRIT again observed an increase in the activity of Ransomware-as-a-Service (RaaS) groups throughout the quarter, attributed to 14 new groups that began operations in Q2 2023. This represents a 260% increase in “First Seen” groups compared to Q1. LockBit’s commanding lead in the Ransomware-as-a-Service (RaaS) economy can be observed across all five of the most impacted industries except Healthcare, where it faced competition from Bianlian and Karakurt.
“Q2 2023 continued to highlight the growing ransomware threat facing organizations across the globe, from both established ransomware gangs and emerging or ephemeral opportunistic groups,” said Drew Schmitt, GRIT Lead Analyst. “Reduced barriers to entry afforded by the Crimeware-as-a-Service and Ransomware-as-a-Service economies will almost certainly encourage more entrants going forward, and though the re-use of historical malware and ransomware provides an advantage for well-prepared and resourced defenders, smaller or less-resourced organizations will face an increased risk from the greater volume of threats.”
Key Highlights of the Report:
For the first half of 2023, correlation between the total number of ransomware groups and total observed ransomware events suggests that newly emerging groups directly contribute to the rise in total victims.
- Q2 observed ransomware events are visibly higher than Q1, month-over-month. The observable spikes in late March, May and June are the result of mass vulnerability exploitation events (GoAnywhere, PaperCut and MOVEit respectively) attributed to Clop and other ransomware groups. The MOVEit campaign accounted for 6% of June’s attacks and 94% of Clop’s total for Q2.
- LockBit remains the most prolific ransomware threat group, despite experiencing a 10% decline in observed victim volume in Q2 relative to Q1. AlphV is the second most active ransomware group in Q2, experiencing a 50% increase in victim volume over Q1. 8Base is a newcomer, but is the third most active actor in Q2, responsible for 9% of all observed ransomware attacks. Bianlian and Clop round out the top five most active ransomware groups in Q2.
- 8Base and Akira, two ransomware groups that came to prominence in Q2, have surprised security researchers with the speed at which they established themselves as prolific actors. In Q2 alone, 8Base was responsible for 107 observed ransomware incidents, and Akira was responsible for 60, placing both within the top 10 most impactful ransomware groups.
- GRIT has observed an increase in ransomware groups impacting public, non-profit school systems and districts. Historically, image-conscious groups have stated that these types of targets are “off limits,” except in instances where the organization is private and/or generates revenue. However, groups are increasingly eschewing this norm indicating a change in calculus, especially if public schools are easier to breach, more consistently pay ransoms, or result in particularly sensitive data exfiltration.
- The prevalence of leaked ransomware builders has continued to lower the barriers to entry for emerging ransomware groups. Most notably, encryptors for Babuk, LockBit, and Conti have all been leaked online, allowing threat actors with lower technical expertise or familiarity with encryption to slightly alter and deploy fully functional ransomware.
“From the rapid diversification of the ransomware threat roster, to recycled ransomware and crimeware, to data-focused extortion shifts, GRIT continues to monitor and report on the shifting TTPs in the ransomware ecosystem,” said Schmitt. “Community and law enforcement information sharing remain key to identifying and stymying the effectiveness of ransomware groups, and GRIT remains dedicated to the mission of increasing threat intelligence sharing through public and private partnerships.”
For more information on GRIT’s 2023 Q2 Ransomware Report:
- Download the 2023 Q2 Ransomware Report
- Register for the webinar on July 20 at 1pm ET where GRIT analysts discuss their findings
- Read the blog
About GuidePoint Security
GuidePoint Security provides trusted cybersecurity expertise, solutions and services that help organizations make better decisions that minimize risk. Our experts act as your trusted advisor to understand your business and challenges, helping you through an evaluation of your cybersecurity posture and ecosystem to expose risks, optimize resources and implement best-fit solutions. GuidePoint’s unmatched expertise has enabled a third of Fortune 500 companies and more than half of the U.S. government cabinet-level agencies to improve their security posture and reduce risk. Learn more at www.guidepointsecurity.com.
View source version on businesswire.com: https://www.businesswire.com/news/home/20230720829413/en/
Contacts
Danielle Ostrovsky
Danielle.ostrovsky@guidepointsecurity.com
410-302-9459