GuidePoint Security's Research and Intelligence Team’s (GRIT) Ransomware Report for the second quarter (Q2) 2023 shows a 38% increase in public ransomware victims as compared to first quarter (Q1) of 2023, as well as a 100% increase from the same period in 2022.
The report is based on data obtained from publicly available resources, including threat groups themselves, and insight into the ransomware threat landscape.
41 Threat Groups Identified
In Q2 2023, GRIT tracked 1,177 total publicly posted ransomware victims claimed by 41 different threat groups. By comparison, in the prior quarter, the researchers tracked 849 total publicly posted ransomware victims claimed by 29 different threat groups.
Manufacturing and technology, representing 14% and 11% of impacted industries, respectively, were the most impacted industries, continuing a trend GRIT found in 2022 and Q1 of 2023. Consulting (+236%) and insurance (+160%) industries experienced the greatest relative growth in observed ransomware attacks. By contrast, governments (-61%) and automotive (-59%) showed a substantial decline.
Ransomware-as-a-Service Gains Ground
GRIT again observed an increase in the activity of Ransomware-as-a-Service (RaaS) groups throughout the quarter, attributed to 14 new groups that began operations in Q2 2023. This represents a 260% increase in "first seen” groups as compared to Q1.
Key highlights of the report include:
- Q2 observed ransomware events are visibly higher than Q1, month-over-month. The observable spikes in late March, May and June are the result of mass vulnerability exploitation events (GoAnywhere, PaperCut and MOVEit respectively) attributed to Clop and other ransomware groups. The MOVEit campaign accounted for 6% of June’s attacks and 94% of Clop’s total for Q2.
- LockBit remains the most prolific ransomware threat group, despite experiencing a 10% decline in observed victim volume in Q2 relative to Q1. AlphV is the second most active ransomware group in Q2, experiencing a 50% increase in victim volume over Q1. 8Base is a newcomer, but is the third most active actor in Q2, responsible for 9% of all observed ransomware attacks. Bianlian and Clop round out the top five most active ransomware groups in Q2.
- 8Base and Akira, two new ransomware groups, surprised security researchers in Q2with the speed at which they established themselves as prolific actors. In Q2 alone, 8Base was responsible for 107 observed ransomware incidents, and Akira was responsible for 60, placing both within the top 10 most impactful ransomware groups.
- GRIT has observed an increase in ransomware groups impacting public, non-profit school systems and districts. Historically, image-conscious groups have stated that these types of targets are “off limits,” except in instances where the organization is private and/or generates revenue.
- The prevalence of leaked ransomware builders has continued to lower the barriers to entry for emerging ransomware groups. Most notably, encryptors for Babuk, LockBit, and Conti have all been leaked online, allowing threat actors with lower technical expertise or familiarity with encryption to slightly alter and deploy fully functional ransomware.
Drew Schmitt, GRIT lead analyst, said the study’s results show the “growing ransomware threat” facing organizations worldwide:
“Q2 2023 continued to highlight the growing ransomware threat facing organizations across the globe, from both established ransomware gangs and emerging or ephemeral opportunistic groups. Reduced barriers to entry afforded by the Crimeware-as-a-Service and Ransomware-as-a-Service economies will almost certainly encourage more entrants going forward, and though the re-use of historical malware and ransomware provides an advantage for well-prepared and resourced defenders, smaller or less-resourced organizations will face an increased risk from the greater volume of threats.”