GuidePoint ransomware analysis detects quarterly rise in novel coercive tactics, as RaaS ecosystem evolves

Researchers at the GuidePoint Research and Intelligence Team (GRIT) disclosed this week a 27 percent increase in publicly posted ransomware victims in the first quarter of this year compared to the first quarter of last year, and a 25 percent increase over the last quarter of last year. During the quarter, GRIT identified LockBit, Clop, AlphV, Royal, and BianLian as the most active ransomware threat actors. The team tracked 849 publicly posted ransomware victims claimed by 29 different threat groups, an increase that continues to affect organizations worldwide, regardless of industry.

“Manufacturing, technology, education, banking and finance, and healthcare organizations continue to represent the majority of publicly posted ransomware victims, probably reflecting the frequency with which threat actors target highly-sensitive data and inadequately defended organizations,” GuidePoint identified in its research report. “In notable moves, observed victims in the legal industry increased 65% from Q4 of last year to Q1 of this year, from 23 victims to 38. Of those victims, 70% were attributed to the most prolific ‘double extortion’ model ransomware groups – LockBit, AlphV, Royal, and BlackBasta.”

GuidePoint assesses that the increase in reported ransomware victims across the first quarter of this year reflects the continued prevalence of ransomware as a worldwide, industry-agnostic threat. Additionally, open-source reporting indicates that, while there has been a significant decrease in the number of paying victims, this does not seem to have deterred new entrants or ongoing operations in the ransomware-as-a-service (RaaS) ecosystem.

“Barring substantial disruption by international law enforcement or continuous declines in revenue, our assessment is that ransomware threat activity is unlikely to decline in the near term,” it added.

Furthermore, as the ‘business’ of ransomware continues to evolve, the increase in legal-industry victims could reflect the attractive draw of exfiltrating sensitive legal data, which ransomware groups would likely view as more coercive leverage, GuidePoint reported.

“Based on what we’ve observed during Q1, we assess that more advanced ransomware threat actors will increasingly deploy novel coercive techniques, particularly as the fallout of existing instances generates media coverage and civil lawsuits against affected organizations,” Drew Schmitt, GRIT lead analyst, said in a media statement. “We can make this assessment based on the increased prevalence of these techniques in open source reporting and internal research, as well as our technical and professional understanding of business risk as it pertains to ransomware events.”

GuidePoint reported that LockBit remains the most prolific ransomware threat group, and GRIT has observed an increase in both the number of posted victims and LockBit’s share of reported attacks. “LockBit’s reported victims decreased 31% from Q3-Q4 2022 before this quarter’s increase of 15% (276 victims, up from 240 in Q4). LockBit’s share of affected victims also increased in Q1 from 21% (145 of 676) to 32% (276 of 851).”

GRIT’s data also identified that widespread exploitation of vulnerable GoAnywhere instances led to cl0p claiming a significant share of victims in the first quarter. “cl0p only had two public victims across January and February before claiming 128 victims in March. AlphV primarily impacted legal or banking and finance industry victims in Q1, increasing the number of publicly posted victims by 16% from 69 in Q4 2022 to 80 in Q1 2023.”

The GuidePoint report said that the U.S. continues to bear the brunt of global ransomware attacks, followed by the U.K., Germany, Canada, France, and others. “Though not approaching the volume seen in the Western world, we continue to see notable numbers of attacks impacting other countries around the world – from Bangladesh to Barbados,” it added.

“US-based organizations remained the most heavily impacted by ransomware, making up 46% (395 out of 851 total) of observed victims in Q1. This is consistent with the ratio observed in Q4, where US victims accounted for 45% of victims (301 out of 676),” the report added. “The current ratio appears to be holding steady since first increasing from approximately 40% in Q2-Q3 2022. Outside the US, observed attacks against organizations based in India appear to be accelerating. This increase is driven mainly by LockBit, which accounts for 35% of the attacks over the past two quarters. Between Q2 and Q3 of 2022, there were only 14 observed attacks, and in Q4 of 2022 and Q1 of 2023 that number has ballooned to 40.”

GRIT also disclosed that it continues to monitor evolving tactics, techniques, and procedures (TTPs) demonstrated by ransomware threat actors seeking to adapt to an increasingly crowded RaaS ecosystem. An increase in ‘data only’ extortion efforts and increasingly coercive selective public leaks are examples of new methods employed by these threat actors to maintain profitability and market share.

The report revealed that the cl0p group has been observed conducting ransomware attacks leveraging single and double extortion techniques against victims across multiple industries since February 2019. “While cl0p has primarily impacted North American organizations, it has also been observed impacting organizations in the United Kingdom, Germany, Australia, and others. cl0p tends to cluster its activity, often ending large periods of seeming inactivity by extorting several victims at a time.”

The tactic was recently demonstrated by a series of attacks carried out this quarter against users of the GoAnywhere MFT secure file-sharing solution, the GuidePoint report disclosed. “GoAnywhere MFT is widely used by US and Western organizations, which allowed cl0p to leverage a vulnerability (CVE-2023-0669) to exfiltrate sensitive data from a wide range of customers who had not yet patched the vulnerability. In March 2023 alone, cl0p claimed 128 victims on its leak site, most of which appear to have been related to the exploitation of the GoAnywhere vulnerability.”

GRIT revealed that there were five ransomware groups it began tracking during the first quarter, identified as MoneyMessage, Abyss, Vendetta, FreeCivilian, and Nokoyawa. The team is also monitoring the emergence of an unbranded and particularly fast ransomware dubbed ‘Rorschach’ or ‘Bablock’ in open-source security reporting. This threat actor allegedly encrypts at nearly twice the speed of LockBit, previously considered the fastest encryptor, by using intermittent encryption.

The researchers also observed an increase in the use of novel coercive tactics by numerous prolific ransomware groups that follow the double extortion model of operations. In this attack model, the ransomware operators not only encrypt files on compromised networks and hosts but also exfiltrate data. The ransomware groups then leverage the threat of leaking the data publicly to coerce compliance with ransom demands.

GRIT assesses with moderate confidence that the increased use of ‘triple extortion’ tactics, including selective public leaks, is an attempt by ransomware groups to increase the likelihood of victim compliance with ransom demands, particularly in the face of declining revenues. 

The team also assesses with moderate confidence that more advanced ransomware threat actors–those with strong infrastructure and the capability to successfully exfiltrate and review compromised data–will increasingly deploy novel coercive techniques, particularly as the fallout of existing instances generates media coverage and civil lawsuits against affected organizations.

GRIT has observed in the first quarter of this year an uptick in ‘exfiltration-only’ ransomware attacks. In situations where a known ransomware threat actor has been unable to encrypt a victim’s network, either because of defenses or lack of access, they have continued with the extortion process, relying solely on the leverage of data they have successfully exfiltrated. In particular, “we observed the ransomware group BianLian moving towards this model of data-centric extortion, probably following the publishing of a universal decryptor for their specific encryption,” the research added.
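The practical consequence of the ‘exfiltration-only’ model described above is that defenders cannot rely on encryption activity as the first visible sign of an attack; the only network-side signal may be the bulk upload itself. The following is an added example written for this page, not GuidePoint or GRIT tooling, that sums outbound upload bytes per source and destination in a constructed proxy log and flags large transfers to hosts outside an assumed allow-list. The log format, the allow-list, the 500 MiB threshold, and the sample lines are all assumptions made for illustration.

```python
"""Added example: flagging bulk outbound uploads in proxy logs.

Illustrative code written for this page, not GuidePoint/GRIT tooling.
The log format, allow-list and threshold are assumptions; all log lines
below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines. Assumed format:
#   "<timestamp> <src_ip> <dst_host> <bytes_out> <http_method>"
SAMPLE_PROXY_LOG = """\
2023-03-14T02:11:05Z 10.10.4.22 files.corp.example 2048 GET
2023-03-14T02:12:41Z 10.10.4.22 storage.unknown-host.example 734003200 PUT
2023-03-14T02:13:09Z 10.10.4.22 storage.unknown-host.example 629145600 PUT
2023-03-14T02:15:30Z 10.10.7.90 crm.saas-vendor.example 1048576 POST
2023-03-14T02:16:02Z 10.10.7.90 files.corp.example 524288 PUT
2023-03-14T02:20:00Z 10.10.4.22 storage.unknown-host.example 838860800 PUT
"""

# Hosts the organisation legitimately uploads large volumes to (assumed allow-list).
KNOWN_UPLOAD_HOSTS = {"files.corp.example", "crm.saas-vendor.example"}

# HTTP methods that carry a request body and therefore move data outbound.
UPLOAD_METHODS = {"PUT", "POST"}


@dataclass
class ExfilAlert:
    src_ip: str
    dst_host: str
    bytes_out: int
    uploads: int


def parse_line(line):
    """Split one assumed-format log line into its fields."""
    ts, src, dst, nbytes, method = line.split()
    return ts, src, dst, int(nbytes), method


def flag_bulk_uploads(log_text, threshold_bytes=500 * 1024 * 1024,
                      known_hosts=KNOWN_UPLOAD_HOSTS):
    """Sum outbound bytes per (src_ip, dst_host) over upload methods and
    return an ExfilAlert for every pair whose total meets threshold_bytes
    and whose destination is not on the allow-list."""
    totals = defaultdict(lambda: [0, 0])  # (src, dst) -> [bytes, upload count]
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        _, src, dst, nbytes, method = parse_line(raw)
        if method not in UPLOAD_METHODS:
            continue  # downloads are not exfiltration
        totals[(src, dst)][0] += nbytes
        totals[(src, dst)][1] += 1

    alerts = []
    for (src, dst), (nbytes, count) in sorted(totals.items()):
        if dst not in known_hosts and nbytes >= threshold_bytes:
            alerts.append(ExfilAlert(src, dst, nbytes, count))
    return alerts


if __name__ == "__main__":
    for a in flag_bulk_uploads(SAMPLE_PROXY_LOG):
        print(f"ALERT {a.src_ip} -> {a.dst_host}: "
              f"{a.bytes_out / 2**20:.0f} MiB in {a.uploads} uploads")
```

Run against the constructed log, the single alert is for 10.10.4.22 pushing roughly 2.1 GiB to storage.unknown-host.example in three PUT requests, while the comparable-looking uploads to the allow-listed hosts are ignored. In a real deployment the allow-list would be derived from a baseline of normal upload destinations and the threshold tuned per source, since a fixed byte count will miss low-and-slow exfiltration spread over many days.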

Earlier this month, cybercrime threat intelligence firm KELA released similar data revealing that the manufacturing and industrial sectors were the most targeted by ransomware attackers and data leak actors during the first quarter of this year. LockBit, Royal, and Alphv were behind over 50 percent of the attacks in this sector, while the U.S. is still the most targeted country. The firm also observed an increase in ransomware and extortion attacks and sales of network access, an important part of ransomware gangs’ supply chain, in the first quarter of this year, compared to the average metrics of 2022.
