RaaS proliferation: 14 new ransomware groups target organizations worldwide

In the Q2 2023, GuidePoint Research and Intelligence Team (GRIT) tracked 1,177 total publicly posted ransomware victims claimed by 41 different threat groups.

The most impacted industries

GRIT’s report shows a 38% increase in public ransomware victims compared to Q1 2023, and a startling 100% increase from Q2 2022. Manufacturing and technology, representing 14% and 11% of impacted industries respectively, continue to be the most impacted industries, a trend that has persisted from GRIT’s observations in 2022 and Q1 of 2023.

The consulting (+236%) and insurance (+160%) industries experienced the greatest relative growth in observed ransomware attacks, contrasted with the relative decline experienced by governments (-61%) and the automotive (-59%) industry.

GRIT again observed an increase in the activity of Ransomware-as-a-Service (RaaS) groups throughout the quarter, attributed to 14 new groups that began operations in Q2 2023. This represents a 260% increase in “First Seen” groups compared to Q1. LockBit’s commanding lead in the Ransomware-as-a-Service (RaaS) economy can be observed across all five of the most impacted industries except healthcare, where it faced competition from Bianlian and Karakurt.

“Q2 2023 continued to highlight the growing ransomware threat facing organizations across the globe, from both established ransomware gangs and emerging or ephemeral opportunistic groups,” said Drew Schmitt, GRIT Lead Analyst.

“Reduced barriers to entry afforded by the Crimeware-as-a-Service and Ransomware-as-a-Service economies will almost certainly encourage more entrants going forward, and though the re-use of historical malware and ransomware provides an advantage for well-prepared and resourced defenders, smaller or less-resourced organizations will face an increased risk from the greater volume of threats,” Schmitt continued.

Ransomware groups vs. observed events correlation

For the first half of 2023, correlation between the total number of ransomware groups and total observed ransomware events suggests that newly emerging groups directly contribute to the rise in total victims.

Q2 observed ransomware events are visibly higher than Q1, month-over-month. The observable spikes in late March, May and June are the result of mass vulnerability exploitation events (GoAnywhere, PaperCut and MOVEit respectively) attributed to Clop and other ransomware groups. The MOVEit campaign accounted for 6% of June’s attacks and 94% of Clop’s total for Q2.

LockBit remains the most prolific ransomware threat group, despite experiencing a 10% decline in observed victim volume in Q2 relative to Q1. AlphV is the second most active ransomware group in Q2, experiencing a 50% increase in victim volume over Q1. 8Base is a newcomer, but is the third most active actor in Q2, responsible for 9% of all observed ransomware attacks. Bianlian and Clop round out the top five most active ransomware groups in Q2.

8Base and Akira, two ransomware groups that came to prominence in Q2, have surprised security researchers with the speed at which they established themselves as prolific actors. In Q2 alone, 8Base was responsible for 107 observed ransomware incidents, and Akira was responsible for 60, placing both within the top 10 most impactful ransomware groups.

GRIT has observed an increase in ransomware groups impacting public, non-profit school systems and districts. Historically, image-conscious groups have stated that these types of targets are “off limits,” except in instances where the organization is private and/or generates revenue. However, groups are increasingly eschewing this norm indicating a change in calculus, especially if public schools are easier to breach, more consistently pay ransoms, or result in particularly sensitive data exfiltration.

The prevalence of leaked ransomware builders has continued to lower the barriers to entry for emerging ransomware groups. Most notably, encryptors for Babuk, LockBit, and Conti have all been leaked online, allowing threat actors with lower technical expertise or familiarity with encryption to slightly alter and deploy fully functional ransomware.

“From the rapid diversification of the ransomware threat roster, to recycled ransomware and crimeware, to data-focused extortion shifts, GRIT continues to monitor and report on the shifting TTPs in the ransomware ecosystem,” said Schmitt. “Community and law enforcement information sharing remain key to identifying and stymying the effectiveness of ransomware groups, and GRIT remains dedicated to the mission of increasing threat intelligence sharing through public and private partnerships.”