GuidePoint Research and Intelligence Team’s (GRIT) 2023 Q3 Ransomware Report Examines the Continued Surge of Ransomware Activity

Latest Quarterly Ransomware Analysis from GuidePoint Security’s Threat Intelligence Team Highlights Increased Threats and Observed Groups

HERNDON, Va. (October 19, 2023) GuidePoint Security, a cybersecurity solutions leader enabling organizations to make smarter decisions and minimize risk, today announced the release of GuidePoint Research and Intelligence Team’s (GRIT) Q3 2023 Ransomware Report. This report is based on data obtained from publicly available resources, including threat groups themselves, and insight into the ransomware threat landscape. GRIT observed a nearly 15% increase in ransomware activity since Q2 due to an increased number of ransomware groups, including 10 new Emerging groups tracked during this quarter. In the third quarter, GRIT tracked 1,353 publicly posted ransomware victims claimed by 46 different threat groups. Through the first three quarters of 2023, GRIT has tracked a total of 3,385 publicly posted ransomware victims claimed by 57 different threat groups, representing an 83% YoY increase.

“Q3 of 2023 marked the largest volume of public ransomware victims that GRIT has observed since we began tracking the ransomware ecosystem for the last 2 plus years,” said Drew Schmitt, Practice Lead, GRIT. “The ransomware ecosystem, as a whole, is on pace to nearly double its number of publicly posted victims year over year despite a lesser increase in the number of threat actors. This suggests that many of the groups we are tracking are continuing to increase their operational tempo, but also may be the result of many organizations not being willing to pay the ransom demand.”

GRIT’s latest Ransomware Quarterly Report examines the large-scale ransomware attacks against MGM Resorts and Caesars Entertainment, highlighting possible seasonal targeting of the Entertainment, Hospitality, and Tourism (EHT) industry. Other notable Q3 ransomware events included the end of Clop’s MOVEit campaign, LockBit’s return to a high operational tempo, and Bianlian’s sustained capabilities despite moving to an exfiltration-only model, all of which have contributed to this quarter’s rise in ransomware activity.

Key Highlights of the Report:

  • The Manufacturing and Technology industries were the 1st and 2nd most impacted by ransomware, followed by Retail & Wholesale as the 3rd most impacted. The Retail & Wholesale vertical has experienced a steady quarterly climb in observed victims throughout the year, jumping from 9th place with 38 victims in Q1 to its current spot in the top three with 98 victims.
  • While US-based organizations saw an increase in total observed victim count in Q3 2023, the percentage of attacks directed against US-based organizations decreased by 3.3%, reflecting a marked increase in attacks impacting other nations. In particular, United Kingdom-based organizations saw an increase from 59 victims in Q2 to 83 in Q3, an approximate 40.7% quarter-over-quarter increase.
  • The top three most active ransomware groups were LockBit, Clop, and Alphv. LockBit posted roughly the same number of victims in Q2 as in Q3, totaling 770 victims for the year thus far. Clop activity in Q3 stemmed almost entirely from its mass exploitation of a vulnerability in the MOVEit managed file transfer software, which resulted in a 5% total increase in victims from Q2 to Q3. While Alphv experienced a modest decrease in total victim volume and market share between Q2 and Q3, it retained its position as one of the most impactful ransomware groups, claiming responsibility for more than 10 healthcare victims as well as the MGM Resorts breach.
  • Two of the top 10 most active ransomware groups, Bianlian and Akira, have continued to be impactful despite each group having a public decryptor released by security researchers in 2023.

“We foresee a continued upward trend in data-only exfiltration by groups that have been impacted by the release of public decryptors, or groups without the resources to develop and maintain their own encryption capabilities,” said Schmitt. “Standalone ransomware groups may choose to continue this trend as part of their long-term operations, while Ransomware as a Service groups may pursue data-only exfiltration as a stopgap while developing new encryptors or pursuing Rebrands.”

For more information on GRIT’s 2023 Q3 Ransomware Report:

About GuidePoint Security

GuidePoint Security provides trusted cybersecurity expertise, solutions and services that help organizations make better decisions that minimize risk. Our experts act as your trusted advisor to understand your business and challenges, helping you through an evaluation of your cybersecurity posture and ecosystem to expose risks, optimize resources and implement best-fit solutions. GuidePoint’s unmatched expertise has enabled a third of Fortune 500 companies and more than half of the U.S. government cabinet-level agencies to improve their security posture and reduce risk. Learn more at www.guidepointsecurity.com.