GuidePoint Security announced the release of GuidePoint
Research and Intelligence Team's (GRIT) Q1 2024 Ransomware Report.
In addition to revealing a nearly 20% year-over-year increase in the
number of ransomware victims, the GRIT Q1 2024 Ransomware Report
observes major shifts in the behavioral patterns of ransomware groups
following law enforcement activity - including the continued targeting of previously "off-limits" organizations and industries, such as emergency hospitals.

"Overall, we're seeing an increasingly volatile ransomware ecosystem.
Law enforcement disruptions this quarter appear to have temporarily
slowed or shifted operational activities of prolific
Ransomware-as-a-Service (RaaS) groups, including Alphv and LockBit,"
said Drew Schmitt, Practice Lead, GRIT. "Affiliates are the lifeblood of
RaaS operations, and in the wake of these disruptions, we've already observed
smaller RaaS groups attempting to recruit disaffected or displaced
affiliates. While the long-term effects of law enforcement efforts are
yet to be seen, we expect a turbulent Q2 as the RaaS landscape continues
to evolve."

The GRIT Q1 2024 Ransomware Report takes an in-depth look at the
shifting RaaS ecosystem, including the residual impact on LockBit from
the Operation Cronos Task Force, an international law enforcement effort
helmed by the UK National Crime Agency (NCA). Other notable Q1
ransomware events include an apparent exit scam from Alphv following its
highly-publicized Change Healthcare ransomware attack, re-extortion
attempts from Phobos affiliates and self-proclaimed renewed
collaboration from members of the "Five Families" cybercrime collective.

Key Highlights of the Report:

- Q1 2024 resulted in a nearly 20% increase in reported victims over Q1 2023, despite the disruption of LockBit and the disbandment of Alphv, two of the largest and most prolific ransomware groups.
- The number of active ransomware groups more than doubled year-over-year, increasing 55% from 29 distinct groups in Q1 2023 to 45 distinct groups in Q1 2024.
- The top three most active ransomware groups were LockBit, Blackbasta and Play. Even with significant law enforcement disruption in February 2024, LockBit maintained the top spot among RaaS service operations at 219 victims, albeit with a lower operational tempo compared to previous quarters. LockBit claimed an average of almost 3 victims per day before the disruption occurred on February 20th, and had an average of about 2 victims per day from February 24th through the end of March.
- The industries most impacted by ransomware in Q1 2024 were manufacturing, retail & wholesale and healthcare, respectively. The retail & wholesale industry experienced a surge in observed activity during the quarter, accounting for 7% of all observed posts and overtaking healthcare to become the second-most impacted industry.
- For the first time since Q2 2023, over half of all observed ransomware victims were based in the United States, making it the most targeted country with a total of 537 victims. Though the United Kingdom saw the largest decrease in observed victims by country (-26%), it still held the second highest number of observed ransomware attacks (60).

"As the ransomware ecosystem responds to recent events with
long-standing, highly-impactful groups, we anticipate an upward trend in
opportunistic and indiscrete attacks regardless of industry and previous
RaaS norms," Schmitt added. "It's also likely that some portion of
relatively less mature Emerging and Developing groups maintain a steady enough increase in operations to become new long-standing Established groups."