GuidePoint Security has released its GuidePoint Research and Intelligence Team’s (GRIT) 2023 Ransomware Report, showing a 27% increase in public ransomware victims in the first quarter of the year.
The report is based on data obtained from publicly available resources, including threat groups themselves, and insight into the ransomware threat landscape. In the first quarter of 2023, GRIT tracked 849 total publicly posted ransomware victims claimed by 29 different threat groups.
LockBit Remains Most Prolific Ransomware
Here are some of the report's key findings:
- Manufacturing, technology, education, banking and finance, and healthcare organizations continue to represent the majority of publicly posted ransomware victims.
- LockBit remains the most prolific ransomware threat group. Also, the rapid and widespread exploitation of a file-sharing application vulnerability brought Clop into a leading position.
- Vice Society remains the most impactful group targeting the education sector, supporting the assertion that some groups maintain a consistent targeting profile.
Commenting on the report, Drew Schmitt, GRIT lead analyst, said:
“Based on what we’ve observed during Q1, we assess that more advanced ransomware threat actors will increasingly deploy novel coercive techniques, particularly as the fallout of existing instances generates media coverage and civil lawsuits against affected organizations. We can make this assessment based on the increased prevalence of these techniques in open-source reporting and internal research, as well as our technical and professional understanding of business risk as it pertains to ransomware events.”
Double Extortion on the Rise
GRIT’s analysis shows an increase in the use of the "double extortion" model of operations. This is a method whereby the ransomware operators not only encrypt files on corrupted networks and hosts but also exfiltrate data.
Specifically, threat groups, including AlphV and Medusa, have been observed releasing targeted sensitive data, including graphic images related to medical treatment, in an effort to place more pressure on victims to consider payment.
Additional observed coercive measures have included Distributed Denial of Service (DDoS) attacks and selective public leaks designed to generate media attention and cause reputational damage to organizations. Specifically:
- "Exfiltration-only" ransomware attacks have also increased slightly, where a known ransomware threat actor has been unable to encrypt a victim's network, but has continued with the extortion process, relying solely on the leverage of data they have successfully exfiltrated.
- The Top 5 most active ransomware threat actors are: LockBit, Clop, AlphV, Royal and BianLian
- Manufacturing and technology continue to be the most impacted sectors, observed victims in the legal industry increased 65% from Q4 2022 to Q1 2023, from 23 to 38, with 70% consistently attributed to the most prolific "double-extortion" model ransomware groups – LockBit, AlphV, Royal, and BlackBasta.
- The education sector had a 17% increase in publicly posted victims from Q4 2022 to Q1 2023, with Vice Society accounting for 27% of all education based activity.
GuidePoint Adds Partner
GuidePoint announced that Cequence Security, a provider of unified API protection (UAP), has joined its Emerging Cyber Vendor Program that helps partners build their federal business. Through this partnership, Cequence Security will leverage GuidePoint’s federal expertise across sales and marketing, operations, engineering and procurement to expand their federal footprint.
