GuidePoint reports alarming rise in ransomware, mostly impacting manufacturing and technology industries

GuidePoint Security disclosed that most ransomware impacts observed in 2023 affected a limited subset of industries. 62 percent of all observed victims belong to one of the ‘top ten’ most-impacted industries, with manufacturing and technology remaining the two most-impacted industries, representing 12.9 percent and 7.9 percent of all victims, respectively. Ransomware victim postings increased by a staggering 80.1 percent year-on-year (YoY), driven in part by multiple mass exploitation campaigns impacting hundreds of organizations.

In its 2023 Annual Ransomware Report, the GuidePoint Research and Intelligence Team (GRIT) reported that ransomware continued to increase in 2023 in terms of impact, sophistication, and the number of participating actors, indicating that the ransomware ecosystem has not yet reached a point of market saturation. GRIT expects ransomware impacts to continue on an upward trajectory in 2024 based on Established groups continuing to leverage high-severity and zero-day vulnerabilities as a reliable means of exploiting victims at scale.

GuidePoint also reported that it observed 63 distinct ransomware groups leveraging encryption, data exfiltration, data extortion, and other novel tactics to compromise and publicly post 4,519 victims across all 30 of GRIT’s tracked industries, and in 120 countries.

Manufacturing was the most impacted industry for almost every month last year, excluding May, when it was placed behind technology by a single observed victim. From an industry perspective, the GRIT team observed most impacts affecting a limited subset of industries with roughly two-thirds of all observed victims belonging to one of the ‘top ten’ most-impacted industries. 

“Comparing 2023 to 2022 ransomware activity, we saw an 80% YoY increase of victim posting,” Drew Schmitt, practice lead at GRIT, said in a Thursday media statement. “While mass exploitation campaigns contributed substantially to this large increase, we saw a significant increase in ransomware activity overall. New entrants in the ransomware ecosystem had repeated opportunities either through reduced technical barriers such as the recycling of leaked ransomware builders and commodity malware, or the recycling of previously leaked data for attempted re-extortion and claims of attacks that never were.”

Schmitt added that for those “established groups with resources and technical expertise, exploitation of high-severity and zero-day vulnerabilities provided a reliable means of exploiting victims at scale, a trend we assess as likely to continue into 2024 as a means of overcoming improvements in security.”

The ‘top 10’ most impacted industries accounted for 2,794 (62 percent) of all posted victims. These industries were impacted by all but one of the groups tracked by GRIT – Free Civilian, a group with only two posted Ukrainian victims in late January 2023. Free Civilian, a self-proclaimed pro-Russian hacktivist group, has been reported as a Russian GRU persona by Microsoft and Mandiant.

Given the typical diversity of impacted victims, limited victim diversity may serve as a future indicator for government-sponsored ‘faux-ransomware’ operations. Alphv’s status as one of the leading ransomware groups impacting the healthcare industry may continue after their response to law enforcement efforts to shut down their operations. After restoring operations, Alphv announced a change to affiliate rules, allowing the targeting of critical infrastructure. This may lead less scrupulous affiliates to disproportionately target hospitals and other healthcare providers using Alphv’s ransomware.

The U.S. was by far the most impacted country in 2023. Among posted victims, 2,199 were U.S.-based organizations, accounting for 49 percent of all observed ransomware attacks in 2023. Eight out of the ten most impacted countries were within North America and Europe, with Brazil and Australia as the sole outliers. The same ‘top ten’ most impacted countries were home to 76 percent of all observed victim organizations, of which 27 percent were in non-U.S. countries.

The top three most prolific established groups – LockBit, Alphv, and Clop – continue to account for not just the lion’s share of victims but also much of the innovation and tactical changes across the ransomware ecosystem.

In line with GRIT’s taxonomy for classifying ransomware groups, long-term Established groups accounted for the overwhelming majority of observed victims (85 percent), followed by developing groups (10 percent). Ephemeral and Emerging groups, as the newest and shortest-term entrants, lagged behind their maturing counterparts but still posed a significant threat to worldwide organizations, exacerbated by less ‘reliable’ actors and frequently recycled malware. 

“We note that for 2023, we have attributed only one Rebrand group in Black Suit, stemming from the now inactive Established group, Royal,” the report detailed. “Conversely, we have not definitively attributed any Splinter groups in 2023, though groups that we currently classify as Emerging or Ephemeral may, in time, show indications of having Splintered from other organizations.”

Tactically, GuidePoint said that 2023 presented repeated opportunities for new entrants in the ransomware ecosystem. “This was achieved either through reduced technical barriers such as the recycling of leaked ransomware builders and commodity malware, or the recycling of previously leaked data for re-extortion and claims of attacks that never were.” 

It added that for those established groups with resources and technical expertise, “exploitation of high-severity and zero-day vulnerabilities provided a reliable means of exploiting victims at scale, a trend we assess as likely to continue into 2024 as a means of overcoming improvements in security.”

The report also highlighted that law enforcement disruptions, and rumors thereof, circulated in the ransomware community in 2023, culminating in a highly publicized takedown of Alphv’s dark web leak site. “Regrettably, Alphv chose not to go down without a fight, and its continued presence and operations highlight the resiliency of ransomware’s most entrenched groups.”

It assessed that targeting of victims previously considered ‘off limits,’ such as schools and hospitals, is expected to continue, as are attempts to attract additional attention to high-impact ransomware attacks. “This brinkmanship, which aligns with several of the novel coercive techniques we observed in 2023, will likely attract the attention of both law enforcement and potential affiliates over time.”

In reviewing 2023’s ransomware trends, GRIT analyzed and considered potential signposts or indicators contributing to increases or decreases in ransomware operations or ransom payment rates. These indicators are anecdotal in nature but were reviewed critically for the feasibility of impact and consistent observations over the preceding two years. 

“As 2024 unfolds, defenders and the security community are increasingly aware of and prepared for the threat of ransomware,” the GuidePoint report said. “Our future success will depend on our ability to adapt to and match the paces of a committed, resilient, and increasingly professionalized adversary. To this end, industry best practices in threat intelligence, information sharing, and public-private partnerships remain our most viable and effective options to force adversaries to cede ground.”
