GuidePoint Ransomware Report Observes 80 Percent Increase in Activity, Escalations

Cybersecurity solutions provider GuidePoint Security has published the 2023 Annual Ransomware Report from its GuidePoint Research and Intelligence Team (GRIT). Data was obtained from publicly available resources, including insight from threat groups and the ransomware threat landscape at large.

In particular, GRIT noted that ransomware victims nearly doubled year over year, partially driven by mass exploitation campaigns that targeted hundreds of organizations. This includes 63 distinct ransomware groups leveraging encryption, data exfiltration, data extortion and other techniques to compromise and publicly post 4,519 victims across all 30 of GRIT’s tracked industries, spanning 120 countries.

“Comparing 2023 to 2022 ransomware activity, we saw an 80 percent YoY increase of victim posting,” said Drew Schmitt, Practice Lead, GRIT. “While mass exploitation campaigns contributed substantially to this large increase, we saw a significant increase in ransomware activity overall. New entrants in the ransomware ecosystem had repeated opportunities either through reduced technical barriers such as the recycling of leaked ransomware builders and commodity malware, or the recycling of previously leaked data for attempted re-extortion and claims of attacks that never were. For those established groups with resources and technical expertise, exploitation of high-severity and zero-day vulnerabilities provided a reliable means of exploiting victims at scale, a trend we assess as likely to continue into 2024 as a means of overcoming improvements in security.”

The report also tracked major ransomware events throughout the year, including Clop’s MOVEit campaign, Scattered Spider’s attacks on major casinos, LockBit’s new Affiliate Rules regarding ransom negotiations, SEC’s new guidance for incident notifications, law enforcement’s disruption of Alphv operations and published decryptors impacting ransomware operations for BianLian and Akira.

GRIT noted, from an industry perspective, that most impacts affected a “limited” subset of industries, with:

  • 62 percent of victims belonging to a “top ten” most-impacted industry, of which Manufacturing (12.9 percent) and Technology (7.9 percent) led the way. The latter sector, it should be noted, tends to feature larger percentages of remote and hybrid workers whose internet activity may go more unsupervised.
  • The U.S. being impacted approximately 5X as often as the next-highest country, Germany (265 vs. 48 victims).
  • U.S.-based organizations accounting for 49 percent of observed ransomware attacks (2023).
  • The same “top ten” most-impacted countries being home to 76 percent of all observed victim organizations, with 27 percent affecting countries other than the U.S.

“We expect ransomware impacts to continue an upward trajectory into 2024 and beyond,” added Schmitt, “until ransomware groups’ financial interests conflict with one another or until law enforcement and regulatory pressures reduce the perceived attractiveness of the space and the risk calculus of its participants.”