Ransomware groups continue to increase their operational tempo
Q3 of 2023 continued an ongoing surge in ransomware activity, according to GuidePoint Security.
GuidePoint Research and Intelligence Team (GRIT) observed a nearly 15% increase in ransomware activity since Q2 due to an increased number of ransomware groups, including 10 new emerging groups tracked during this quarter.
In the third quarter, GRIT tracked 1,353 publicly posted ransomware victims claimed by 46 different threat groups. Through the first three quarters of 2023, GRIT has tracked a total of 3,385 publicly posted ransomware victims claimed by 57 different threat groups, representing an 83% YoY increase.
“Q3 of 2023 marked the largest volume of public ransomware victims that GRIT has observed since we began tracking the ransomware ecosystem for the last 2 plus years,” said Drew Schmitt, Practice Lead, GRIT.
“The ransomware ecosystem as a whole is on pace to nearly double its number of publicly posted victims year over year despite a lesser increase in the number of threat actors. This suggests that many of the groups we are tracking are continuing to increase their operational tempo, but also may be the result of many organizations not being willing to pay the ransom demand,” added Schmitt.
Ransomware impact on industries
GRIT’s latest report examines the large-scale ransomware attacks against MGM Resorts and Caesars Entertainment, highlighting possible seasonal targeting of the entertainment, hospitality, and tourism (EHT) industry.
Other notable Q3 ransomware events included the end of Cl0p’s MOVEit campaign, LockBit’s return to a high operational tempo, and Bianlian’s sustained capabilities despite moving to an exfiltration-only model, all of which have contributed to this quarter’s rise in ransomware activity.
The manufacturing and technology industries were the 1st and 2nd most impacted by ransomware, followed by retail & wholesale as the 3rd most impacted. The retail & wholesale vertical has experienced a steady quarterly climb in observed victims throughout the year, jumping from 9th place with 38 victims in Q1 to its current spot in the top three with 98 victims.
While US-based organizations saw an increase in total observed victim count in Q3 2023, the percentage of attacks directed against US-based organizations – decreased by 3.3%, reflecting a marked increase in attacks impacting other nations.
In particular, United Kingdom-based organizations saw an increase from 59 victims in Q2 to 83 in Q3, an approximate 40.7% quarter-over-quarter increase.
LockBit, Cl0p, and Alphv lead ransomware activity in Q3 2023
The top three most active ransomware groups were Lockbit, Cl0p, and Alphv. LockBit posted roughly the same number of victims in Q2 as in Q3, totaling 770 victims for the year thus far.
Cl0p activity in Q3 stemmed almost entirely from its mass exploitation of a vulnerability in the MOVEit managed file transfer software, which resulted in a 5% total increase in victims from Q2 to Q3.
While Alphv experienced a modest decrease in total victim volume and market share between Q2 and Q3, it retained its position as one of the most impactful ransomware groups, claiming responsibility for more than 10 healthcare victims as well as the MGM resorts breach.
Two of the top 10 most active ransomware groups, Bianlian and Akira, have continued to be impactful despite each group having a public decryptor released by security researchers in 2023.
“We foresee a continued upward trend in data-only exfiltration by groups that have been impacted by the release of public decryptors, or groups without the resources to develop and maintain their own encryption capabilities,” said Schmitt. “Standalone ransomware groups may choose to continue this trend as part of their long-term operations, while Ransomware as a Service groups may pursue data-only exfiltration as a stop-gap while developing new encryptors or pursuing Rebrands.”