Number of ransomware victims reaches record high

A new report from GuidePoint Security's Research and Intelligence Team (GRIT) shows a total of 3,385 publicly posted ransomware victims in the first three quarters of this year, claimed by 57 different threat groups, representing an 83 percent year-on-year increase.

Attacks directed against US-based organizations decreased, but there has been a marked increase in attacks impacting other nations. Other countries consistently affected, like the UK, saw an approximate 41 percent increase in attacks in Q3.

"Q3 of 2023 marked the largest volume of public ransomware victims that GRIT has observed since we began tracking the ransomware ecosystem for the last two plus years," says Drew Schmitt, practice lead at GRIT. "The ransomware ecosystem as a whole is on pace to nearly double its number of publicly posted victims year over year despite a lesser increase in the number of threat actors. This suggests that many of the groups we are tracking are continuing to increase their operational tempo, but also may be the result of many organizations not being willing to pay the ransom demand."

The manufacturing and technology industries were the first and second most impacted by ransomware, followed by retail and wholesale. The latter sector has experienced a steady quarterly climb in observed victims throughout the year, jumping from ninth place with 38 victims in Q1 to its current spot in the top three with 98 victims.

The top three most active ransomware groups are Lockbit, Clop, and Alphv. LockBit posted roughly the same number of victims in Q2 as in Q3, totaling 770 victims for the year so far. Clop activity in Q3 stemmed almost entirely from its mass exploitation of a vulnerability in the MOVEit managed file transfer software, which resulted in a five percent total increase in victims from Q2 to Q3.

"We foresee a continued upward trend in data-only exfiltration by groups that have been impacted by the release of public decryptors, or groups without the resources to develop and maintain their own encryption capabilities," adds Schmitt. "Standalone ransomware groups may choose to continue this trend as part of their long-term operations, while Ransomware as a Service groups may pursue data-only exfiltration as a stop-gap while developing new encryptors or pursuing rebrands."

The full report is available from the GuidePoint site.

Image credit: Andrey_Popov/ Shutterstock