April – June 2023
Q2 of 2023 continued a trend of increasing numbers of ransomware victims, brought a record increase in the number of first-seen ransomware groups, and brought new vulnerabilities that led to large-scale attacks. Victim volume reached the highest level observed since GRIT began tracking and reporting on ransomware statistics in 2022.
Multiple new ransomware groups entered the fray, spurred by many factors, including the availability of leaked ransomware builders such as those from Babuk and LockBit that further reduced the technical barriers to entry. Some Emerging groups may be fresh start-ups, but the appearance of fast-rising groups such as Akira and 8Base suggests that experienced operators may be reorganizing, either through splintering groups or rebranding historical organizations.
While the largest Established ransomware groups account for the majority of observed ransomware incidents, we continue to observe an increase in the ratio of total victims impacted by Emerging or Developing ransomware groups. In some instances, we have observed decreased market share by Established groups as a percentage of total victims, suggesting potential competition for limited targets, resources, and affiliates.
In the same way that the GoAnywhere vulnerability accounted for a spike in ransomware attacks in Q1, the MOVEit Managed File Transfer Application vulnerability drove a surge in Q2. Unlike the GoAnywhere vulnerability, the initial exploitation of known MOVEit vulnerabilities appears to have been limited strictly to Clop, and we do not yet know the full extent of impacted victims. These mass exploitation campaigns, which have recently come to be associated primarily with Clop, pose a unique and severe risk to organizations.
Download the full report for a complete breakdown of Q2 2023’s ransomware trends and an analysis of the groups and tactics that rose to prominence.