Manufacturing sector remains prime target for ransomware attacks, according to GRIT report


Manufacturing was once again the industry most targeted by ransomware attackers, with 49 victims, according to data released in the GuidePoint Research and Intelligence Team (GRIT) Ransomware Report for October. The sector was hit hardest by LockBit and Play, which together accounted for 35 percent of the industry’s victims. While LockBit typically tops the list for every industry in the top 10, retail and wholesale victims are mostly driven by the Play and NoEscape ransomware groups.

“The manufacturing industry maintained its spot on the top of the list of most impacted industries – healthcare, education, retail, and consulting round out the top of this list with all three showing significant growth in the past several months,” Grayson North wrote in a company blog post. “The healthcare and education sectors continue to be targeted by threat actors willing to leak sensitive personal data as a part of the extortion process. The retail and wholesale industry has had a noticeable increase in posted victims in recent months, a trend we assess as likely to continue as holiday shopping represents a busy and sensitive time of year for retailers.”

GuidePoint also identified that, as conflict escalates across the Middle East, several hacking groups have publicly declared their allegiance and their intent to carry out attacks in support of their side. “Nationalized hacktivism typically manifests as DDoS attacks or website defacements but there remains the possibility of ransomware actors adjusting their victimology towards one side of the conflict. It is likely too early in these operations for these changes to be reflected in the data as the countries most impacted by ransomware remain the United States, Canada, and the UK,” the report noted.

“With fighting once again erupting in Israel, threat actors on both sides of the conflict have pledged to engage their enemy online. Through DDoS attacks, data theft, and website defacement these actors attempt to influence the battlefield by targeting high-value targets with their operations,” North added. “The individuals behind hacktivist groups perform attacks using their own knowledge while also recruiting other, less experienced hackers to support their cause.” 

The GRIT data disclosed that October was much quieter than anticipated. In comparison to the alarming number of 495 victims in September 2023, October saw a significant decrease of 32 percent in the number of victims. However, it is important to note that despite this slowdown, the victim count in October still surpasses the figures from the beginning of 2023. This reduction is likely a short-term trend and primarily reflects the high activity of ransomware groups in the third quarter. Interestingly, although there are fewer victims, the number of active ransomware groups has remained relatively stable. 

North highlighted that while the biggest names in the ransomware world have not yet pledged their allegiances, “GRIT assesses that operators in the Middle East may adjust their targeting methodology in the coming months to advance their, or their country’s, geopolitical interests.”

North wrote that “Ransomed dropped 72% from 44 victims claimed in September to 12 in October. The second largest decrease came from Cactus, dropping 85% from 33 September victim posts to five in October. In total, among the 13 groups with observed declines in October, we observed an average decline of 10.6 posts compared to the previous month.”

GRIT observed three days with spikes in activity, two predominantly the result of mass posts from Play, and another mass post on Oct. 31st by NoEscape, the post said. “Play’s activity suggests a process of manually posting victims to their leak site, with 42 victims posted across only nine days. While this decrease is significant, total observed ransomware posts still far exceed those observed in October 2022, indicating ransomware activity is still trending upward as observed in our previous reports.”

Although the US remains the nation most impacted by victim count, posts from the US decreased by 83 from September to October, resulting in 164 total victims, 21 fewer than the 2023 monthly average (184). Germany saw a massive 76 percent decline in victim count from September to October, resulting in four total October victims, compared with an average of 15 per month throughout 2023.

In contrast, the UK saw 33 total victim posts, 10 more (43 percent) than their average across 2023, aligning with the trend observed in GuidePoint’s Q3 ransomware report, in which it identified a 40 percent rise from the second to the third quarter. 

“Iran was a standout this month, with October representing their second-highest monthly total in 2023 at five total victims,” North wrote. “In August, they experienced 10 total victim postings. These are primarily the result of posts from Arvinclub, responsible for 70% of all observed Iranian victims and 100% of the Iranian victims posted in October.”

Despite having the highest number of reported victims, “LockBit’s October count (65) was far below (24%) their average monthly count in 2023 (85). Excluding Clop during their mass exploitation of MoveIT, LockBit has maintained the most prolific ransomware group every month since July 2021,” North wrote.

“Play’s reported victims in October (42) are nearly twice their next highest from previous months, 27 in June and September, and more than twice their average monthly victim count in 2023 (20),” the post identified. “NoEscape has seen an increase of victims month after month since their emergence in June, with average increases in posts of more than 20% each month. October’s victims (31) saw an almost 50% increase from September (22).”

Among the ‘Threat Actor Spotlight,’ GuidePoint focused on NoEscape, a ransomware-as-a-service group that began publicly posting victims in June this year. Although they are relatively new to the ransomware ecosystem, the group has been consistently accruing between 15 to 20 victims each month and is within the top 10 most active groups since June 2023 based on the number of victims posted to their data leak website. 

Furthermore, NoEscape is a rebrand of the defunct group Avaddon, which ceased operations in June of 2021 after publicly releasing decryption keys for its victims, North disclosed. “NoEscape has been tied to Avaddon due to their encryptors being nearly identical with only minor changes. It is possible that the actors behind NoEscape simply purchased Avaddon’s encryptor, but algorithm changes made within the encryptor suggest that it is more likely that NoEscape is a true rebrand. If the group continues to progress and becomes a mainstay in the ransomware ecosystem, they will be classified as an established group,” he added.

Like most ransomware operations, the group disproportionately affects victims in the U.S., the post added. “Of the group’s 92 victims claimed since the GRIT began tracking the group, 25 have been located in the US. The group’s most impacted industry sector is Retail and Wholesale, with Manufacturing being a close second. The group does not shy away from victimizing organizations within the Healthcare and Education sectors, which are commonly taboo among ransomware groups.”

Another interesting detail North pointed out was that after Clop completed one of the largest-scale mass exploitation attacks by a ransomware group in its MoveIT campaign, GRIT and other security researchers predicted the group would have a period of less activity as it recovered and regrouped.

“A lengthy 50-day period of inactivity on the threat actor’s torrent-based leak site did occur but was suddenly broken when the group posted a new victim on October 20th and another five days later,” North wrote. “At this time, it is unclear whether these new victims were exploited as a part of the MoveIT campaign. However, all indications point to a return to relatively normal operations by the Clop group. Before adopting their mass exploitation strategy, the group’s operations more closely mirrored a traditional ransomware group – a return to form would not be out of the question considering their capabilities.”

In his conclusion, North wrote that all eyes are on the ransomware landscape as the final months of 2023 round out an extremely prolific year for ransomware operators. “In previous years, GRIT observed a slight slowdown in posted victims in November and December; however, time will tell whether this trend will continue. As the ransomware economy expands, a newly increased baseline of activity may result in less of a drop-off during the usually quiet end of the year. Regardless of the trends and projections, defenders should be as on guard as ever because the threat of ransomware shows no signs of subsiding,” he added.
