New coercive tactics used to extort ransomware payments

The increase in reported ransomware victims across Q1 2023 reflects the continued prevalence of ransomware as a worldwide, industry agnostic threat, according to GuidePoint Security.

The report is based on data obtained from publicly available resources, including threat groups themselves, and insight into the ransomware threat landscape. In the first quarter, GRIT tracked 849 total publicly posted ransomware victims claimed by 29 different threat groups.

Increase in public ransomware victims

GRIT’s latest report shows a 27% increase in public ransomware victims compared to Q1 2022, and a 25% increase from Q4 2022. Manufacturing, technology, education, banking and finance, and healthcare organizations continue to represent the majority of publicly posted ransomware victims.

LockBit remains the most prolific ransomware threat group, and the rapid and widespread exploitation of a file-sharing application vulnerability brought Clop into a leading position. Vice Society remains the most impactful group targeting the education sector, supporting the assertion that some groups maintain a consistent targeting profile.

Ransomware groups ramp up pressure tactics

GRIT’s analysis shows an increase in the use of novel coercive tactics by numerous prolific ransomware groups that follow the “double extortion” model of operations, where the ransomware operators not only encrypt files on corrupted networks and hosts, but also exfiltrate data.

The ransomware groups then leverage the threat of leaking data to the public to coerce compliance with ransom demands. Specifically, threat groups including AlphV and Medusa have been observed releasing targeted sensitive data, including graphic images related to medical treatment, in an effort to place more pressure on victims to consider payment.

“Based on what we’ve observed during Q1, we assess that more advanced ransomware threat actors will increasingly deploy novel coercive techniques, particularly as the fallout of existing instances generates media coverage and civil lawsuits against affected organizations,” said Drew Schmitt, GRIT Lead Analyst. “We can make this assessment based on the increased prevalence of these techniques in open source reporting and internal research, as well as our technical and professional understanding of business risk as it pertains to ransomware events.”

5 most active ransomware threat actors

Additional observed coercive measures have included DDoS attacks and selective public leaks designed to generate media attention and cause reputational damage to organizations.

“Exfiltration-only” ransomware attacks have also increased slightly, where a known ransomware threat actor has been unable to encrypt a victim’s network, but has continued with the extortion process, relying solely on the leverage of data they have successfully exfiltrated.

The top 5 most active ransomware threat actors are: Lockbit, Clop, AlphV, Royal and BianLian.

While manufacturing and technology continue to be the most impacted sectors, observed victims in the legal industry increased 65% from Q4 2022 to Q1 2023, from 23 to 38, with 70% consistently attributed to the most prolific “double-extortion” model ransomware groups – LockBit, AlphV, Royal, and BlackBasta.

The education sector had a 17% increase in publicly posted victims from Q4 2022 to Q1 2023, with Vice Society accounting for 27% of all education based activity.