Ransomware Attacks Up 20% YoY with 55% Increase in Active Ransomware Groups
An analysis of ransomware activity by GuidePoint Security’s Research and Intelligence Team (GRIT) shows a 55% year-over-year increase in active ransomware groups and an almost 20% increase in ransomware victims (1,024) compared to Q1, 2023.
According to Guidepoint Security’s Q1 2024 Ransomware Report, the industries most impacted by ransomware attacks were manufacturing, retail and wholesale, and healthcare. While there was a 7.4% increase in posted victims from February to March, there was a decline in attacks on healthcare organizations, which fell from 32 new additions to data leak sites in February to just 20 in March. There was a similar reduction in attacks on law firms, which decreased from 20 in February to 10 in March. In Q1, 2024, more than half of all victims (537 attacks) were based in the United States – The first time since Q2, 2023, that more than 50% of attacks were conducted in the US. The United Kingdom was the second most targeted country (60 attacks).
In Q1, 2023, GRIT identified 29 distinct, active ransomware groups whereas 45 groups were detected in Q1, 2024. The most active ransomware group in Q1, 2024 was LockBit. Even with the law enforcement disruption of the LockBit ransomware group in February 2024, LockBit retained the top spot claiming 219 victims in the quarter, although this was below the typical number of attacks the group conducts. Prior to the law enforcement operation that disrupted its operation on February 20, 2024, LockBit was averaging 3 attacks a day. From February 24 through the end of March, the group dropped to an average of 2 attacks a day. The group now appears to be back up to full speed, claiming 97 victims in March alone. The next most active group was Blackbasta which conducted 73 attacks in Q1, 2024, up 151% from the previous quarter, followed by Play with 71 attacks, down 37% from Q4, 2023. While the Qilin ransomware-as-a-service group conducted relatively few attacks (44) in 2023, it has increased activity considerably in 2024 claiming 34 victims in the quarter.
There has been significant law enforcement activity against ransomware groups in recent months. LockBit survived the attempted takedown by the Operation Cronos Task Force, which only caused a few days of severe disruption but ransomware attacks have been conducted at a lower volume in the weeks since. In late December, law enforcement disrupted the ALPHV/Blackcat ransomware group, which was the second most prolific ransomware group in 2023. The group responded by removing virtually all restrictions for affiliates and actively encouraged attacks on healthcare organizations until the attack on Change Healthcare, after which the group appeared to pocket the full ransom payment as part of an exit scam and shut down its operation.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Even with the disruption of LockBit and the ALPHV shutdown, there was still a 19.2% increase in reported victims in the quarter with a minimum of 50 victims added to data leak sites each week and a high of 125 victims posted one week in March. GRIT identified attempts by several groups to attract new affiliates in Q1, including the Medusa, Cloak, and RansomHub groups, which were advertising their RaaS operations on deep and dark web forums in January and February 2024, with RansomHub activity appearing to have increased in the weeks since. Three new ransomware groups emerged in Q1 – Killsec, Donex, and Redransomware. While these groups only conducted a small number of attacks (22) in March, activity is likely to increase. Attacks fell from 1,117 in Q4, 2023 to 1,024 in Q1, 2024, and with the shutdown of the ALPHV operation, Q2 may see attacks continue to decline; however, the affiliates who worked for ALPHV are likely to switch ransomware operations, with other groups likely to increase activity to fill the gap.