
Fresh Ransomware Gangs Rise as Market Leaders Decline


According to the latest GRIT report by GuidePoint Security, there has been an increase in the number of ransomware victims in May compared to the previous month. Despite this overall rise, two prominent ransomware groups, LockBit and AlphV, experienced a decrease in observed victims in May.

LockBit, the leading ransomware group, saw a 30% decrease in observed victims, dropping from 110 in April to 77 in May. Similarly, AlphV experienced a decline in posted victims, with 38 observed victims in May compared to 51 in April. However, this decline was offset by the emergence of several new branded groups in the ransomware landscape.

The GRIT report identified a diverse slate of active threat groups, with 28 observed groups claiming victims in May. There was a significant increase of 13.57% in publicly posted ransomware victims from April to May, totaling 410 incidents. The most targeted country remains the United States.

One of the notable new ransomware groups highlighted in the report is the Akira group. Since April, Akira has gained prominence for its unique data-leak site designed as an interactive command prompt using jQuery. Akira has primarily targeted educational organizations, with eight of its 36 observed victims belonging to this sector. The group follows a “double extortion” approach, stealing data from victims and threatening to leak it if the ransom is not paid.

Interestingly, some of the new ransomware groups have been observed significantly lowering their initial ransom demands. It is speculated that this trend may indicate an attempt to shorten the time between victimization and ransom payment. However, more data is needed to confirm this hypothesis.

The findings of the GRIT report align with the 2023 Verizon Data Breach Investigations Report, which also noted escalating ransomware costs. This suggests that ransomware remains a persistent and costly threat to organizations.

The report also highlights the emergence of other new ransomware groups, such as 8Base, Malas, Rancoz, and BlackSuit. Each of these groups exhibits distinct characteristics and targets. For example, 8Base primarily targets the banking and finance industry in the US and Brazil, while Malas engages in mass exploitation of Zimbra, the business email and collaboration software. Rancoz and BlackSuit have posted only a few observed victims, but their operations demonstrate maturity.

Ransomware groups are deploying a combination of established and innovative tactics to blend in and profit in the crowded ransomware landscape. One observed trend is a shift towards single extortion, focused on exfiltrated data without encryption. This method is more sustainable for ransomware groups, as it involves less troubleshooting when decryption fails.

The recent behavior of ransomware groups suggests that they adopt tactics they perceive as novel and successful. For instance, the trend towards single extortion through the threat of data publication could imply success based on interactions with victims. Organizations should remain vigilant about developing detections and monitoring activity for potential data exfiltration efforts.

The education sector has become a prime target for ransomware groups, as observed with Akira and older groups like Vice Society. Ransomware groups posted 35 unique victims in the education industry in May. Vulnerabilities affecting software commonly used in schools, such as the PaperCut MF/NG vulnerability, contribute to the heavy targeting of this sector.

Another factor driving the growth of successful ransomware attacks is the mass exploitation of zero-day vulnerabilities. Groups like Cl0p have exploited vulnerabilities in MOVEit and other software, conducting exfiltration and expecting victims to reach out to coordinate ransoms. The strategic planning capability of these groups is significant and suggests an ongoing threat.

While ransomware activity has slowed over the summer in past years, there is a possibility that other ransomware groups may mimic the behavior of groups like Cl0p and attempt mass exploitation. This could offset declines in activity elsewhere and pose a continuous threat to organizations.
