Skip to content
Grit Blog

Quarterly GRIT Ransomware Report – Q1 2023

With the close of 2023’s first quarter, we’re publishing GRIT’s findings and research from the first three months of the year. What follows is a brief summary of the report’s contents, for the full details and analysis you can find the complete Q1 GRIT Ransomware Report here.

The end of Q1 brought an increase in publicly posted ransomware victims and a continued impact on worldwide organizations, agnostic of industry. LockBit remains the most prolific ransomware threat group, and the rapid and widespread exploitation of a file-sharing application vulnerability brought cl0p into a leading position. Vice Society remains the most impactful group targeting the education sector, supporting the assertion that some groups maintain a consistent targeting profile.

The increasingly crowded “Ransomware as a service” space has caused existing groups to evolved their tactics, techniques, and procedures. This is reflected in the increase of “data only” extortion efforts and the use of coercive public leaks as leverage to increase payouts and maintain profitability.

The manufacturing industry (the leading industry at the end of 2022) continued to hold top billing in the most targeted industries. The legal industry saw a stunning increase in targeting of 65%, lead mostly by popular double-extortion style groups like Lockbit. Additionally, driving the focus of this quarter’s industry spotlight, the education sector saw a 17% increase in victims. The United States continued to be the most impacted country with respect to number of posted victims, but organizations in India saw an acceleration in targeting that GRIT will continue to monitor.

This report also extensively covers the escalation of coercive tactics in ransomware, starting with the use of double-extortion and covering the rise in triple-extortion attacks. This trend towards adding more high-pressure tactics to extract ransom is likely to continue as revenues continue to decline and Ransomware-as-a-Service continues to proliferate.

You can view the full Quarterly Ransomware Report here.