
GuidePoint Security recently announced the release of their GuidePoint Research and Intelligence Team's (GRIT) 2023 Annual Ransomware Report. The report's findings include data obtained from threat groups themselves, focusing on the ransomware threat landscape.
GRIT observed victim volume nearly doubling year-over-year, driven in part by multiple mass exploitation campaigns impacting hundreds of organizations. In total, GRIT observed 63 distinct ransomware groups leverage encryption, data exfiltration, data extortion, and other novel tactics to compromise and publicly post 4,519 victims across all 30 of GRIT's tracked industries, and in 120 countries.
"Comparing 2023 to 2022 ransomware activity, we saw an 80 percent YoY increase of victim posting," said Drew Schmitt, Practice Lead, GRIT. "While mass exploitation campaigns contributed substantially to this large increase, we saw a significant increase in ransomware activity overall.
"New entrants in the ransomware ecosystem had repeated opportunities either through reduced technical barriers, such as the recycling of leaked ransomware builders and commodity malware, or the recycling of previously leaked data for attempted re-extortion and claims of attacks that never were. For those established groups with resources and technical expertise, exploitation of high-severity and zero-day vulnerabilities provided a reliable means of exploiting victims at scale, a trend we assess as likely to continue into 2024 as a means of overcoming improvements in security."
Some additional highlights of the report include:
- 62 percent of all observed victims belong to one of the "top ten" most-impacted industries, with Manufacturing and Technology remaining the two most-impacted industries; Manufacturing represented 12.9 percent of all victims. Among Manufacturing industry victims, the U.S. was impacted five times as much as the next highest country, Germany (265 vs 48 victims).
- Manufacturing was the most impacted industry for almost every month in 2023.
- The United States was by far the most impacted country in 2023, accounting for 49 percent of posted victims. Eight out of the ten most impacted countries were within North America and Europe, with Brazil and Australia as the sole outliers. The same "top ten" most impacted countries were home to 76 percent of all observed victim organizations.
- In line with GRIT's taxonomy for classifying ransomware groups, long-term Established groups accounted for the overwhelming majority of observed victims (85 percent), followed by Developing groups (10 percent).
- The top three most prolific Established groups (LockBit, Alphv, and Clop) continue to account for not just the lion's share of victims but also much of the innovation and tactical changes across the ransomware ecosystem.
- Ephemeral and Emerging groups, as the newest and shortest-term entrants, lagged behind their maturing counterparts but still posed a significant threat to worldwide organizations, exacerbated by less "reliable" actors and frequently recycled malware.
"Last year, ransomware continued to increase in terms of impact, sophistication, and the number of participating actors, indicating that the ransomware ecosystem has not yet reached a point of market saturation," said Schmitt. "We expect ransomware impacts to continue an upward trajectory into 2024 and beyond until ransomware groups' financial interests conflict with one another or until law enforcement and regulatory pressures reduce the perceived attractiveness of the space and the risk calculus of its participants."