New Research Shows a Continuing Increase in Ransomware Victims

GuidePoint Security recently announced the release of GuidePoint Research and Intelligence Team’s (GRIT) Q1 2024 Ransomware Report.

In addition to revealing a nearly 20% year-over-year increase in the number of ransomware victims, the GRIT Q1 2024 Ransomware Report observes major shifts in the behavioral patterns of ransomware groups following law enforcement activity – including the continued targeting of previously “off-limits” organizations and industries, such as emergency hospitals.

“Overall, we’re seeing an increasingly volatile ransomware ecosystem. Law enforcement disruptions this quarter appear to have temporarily slowed or shifted operational activities of prolific Ransomware-as-a-Service (RaaS) groups, including Alphv and LockBit,” said Drew Schmitt, Practice Lead, GRIT. “Affiliates are the lifeblood of RaaS operations, and in the wake of these disruptions, we’ve already observed smaller RaaS groups attempting to recruit disaffected or displaced affiliates. While the long-term effects of law enforcement efforts are yet to be seen, we expect a turbulent Q2 as the RaaS landscape continues to evolve.”

The GRIT Q1 2024 Ransomware Report takes an in-depth look at the shifting RaaS ecosystem, including the residual impact on LockBit from the Operation Cronos Task Force, an international law enforcement effort helmed by the UK National Crime Agency (NCA). Other notable Q1 ransomware events include an apparent exit scam from Alphv following its highly-publicized Change Healthcare ransomware attack, re-extortion attempts from Phobos affiliates and self-proclaimed renewed collaboration from members of the “Five Families” cybercrime collective.

Key Highlights of the Report:

  • Q1 2024 resulted in a nearly 20% increase in reported victims over Q1 2023, despite the disruption of LockBit and the disbandment of Alphv, two of the largest and most prolific ransomware groups.
  • The number of active ransomware groups more than doubled year-over-year, increasing 55% from 29 distinct groups in Q1 2023 to 45 distinct groups in Q1 2024.
  • The top three most active ransomware groups were LockBit, Blackbasta and Play. Even with significant law enforcement disruption in February 2024, LockBit maintained the top spot among RaaS service operations at 219 victims, albeit with a lower operational tempo compared to previous quarters. LockBit claimed an average of almost 3 victims per day before the disruption occurred on February 20th, and had an average of about 2 victims per day from February 24th through the end of March.
  • The industries most impacted by ransomware in Q1 2024 were manufacturing, retail & wholesale and healthcare, respectively. The retail & wholesale industry experienced a surge in observed activity during the quarter, accounting for 7% of all observed posts and overtaking healthcare to become the second-most impacted industry.
  • For the first time since Q2 2023, over half of all observed ransomware victims were based in the United States, making it the most targeted country with a total of 537 victims. Though the United Kingdom saw the largest decrease in observed victims by country (-26%), it still held the second highest number of observed ransomware attacks (60).

“As the ransomware ecosystem responds to recent events with long standing, highly-impactful groups, we anticipate an upward trend in opportunistic and indiscrete attacks regardless of industry and previous RaaS norms,” Schmitt added. “It’s also likely that some portion of relatively less mature Emerging and Developing groups maintain a steady enough increase in operations to become new long-standing Established groups.”

The GRIT Q1 2024 Ransomware Report is based on data obtained from publicly available resources, including threat groups themselves, as well as threat analyst insights into the ransomware threat landscape.

Featured

  • Evolving Cybersecurity Strategies: Uniting Human Risk Management and Security Awareness Training

    Organizations are increasingly turning their attention to human-focused security approaches, as two out of three (68%) cybersecurity incidents involve people. Threat actors are shifting from targeting networks and systems to hacking humans via social engineering methods, living off human errors as their most prevalent attack vector. Whether manipulated or not, human cyber behavior is leveraged to gain backdoor access into systems. This mainly results from a lack of employee training and awareness about evolving attack techniques employed by malign actors. Read Now

  • Report: 1 in 3 Easily Exploitable Vulnerabilities Found on Cloud Assets

    CyCognito recently released new research highlighting critical security vulnerabilities across cloud-hosted assets, revealing that one in three easily exploitable vulnerabilities or misconfigurations are found on cloud assets. As organizations increasingly shift to multi-cloud strategies, the findings underscore significant security gaps that could provide attackers with potential footholds into networks. Read Now

  • Built for Today, Ready for Tomorrow

    Selecting the right VMS is critical for any organization that depends on video surveillance to ensure safety, security and operational efficiency. While many organizations focus on immediate needs such as budget and deployment size, let us review some of the long-term considerations that can significantly impact a VMS's utility and flexibility. Read Now

  • Paving the Way to Smart Buildings

    In today's rapidly evolving security landscape, the convergence of on-prem, edge and cloud technologies are critical. The physical security landscape is undergoing a profound transformation, driven by the rapid digitalization of buildings and the evolving needs of modern organizations. As the buildings sector pivots towards smart, AI and data-driven operations, the integration of both edge and cloud technology has become crucial. Read Now

  • The Cybersecurity Time Bomb

    If you work in physical security, you have probably seen it: a camera, access control system, or intrusion detection device installed years ago, humming along without a single update. It is a common scenario that security professionals have come to accept as "normal." But here is the reality: this mindset is actively putting organizations at risk. Read Now

New Products

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.