Published 8/11/22, 9:00am
As we move into our 3rd GRIT Ransomware Report (the standalone May ransomware report can be found here, and the Q2 ransomware report is inclusive of June), the team has noticed a demonstrable increase in ransomware activity compared to past reports. This includes a massive increase in reports across all countries and industries perpetrated by 21 separate ransomware groups.
GRIT saw and tracked activity from 21 total ransomware groups in July, 4 more threat groups than the month before. With an increase of 69 claimed victims, the average reports per day jumped from 4 in June to 6.2 in July. The publicly posted victims represented 35 industries and 40 countries, compared to 23 industries and 27 countries last month.
This 59% month-over-month increase in claimed victims may have several causes. Chief among them, July’s top four ransomware groups cumulatively claimed 50 more victims compared to last month. These four groups accounted for 69% of all of July’s reports.
While the targeted industries were fairly widespread this month, Retail and Wholesale, Technology, and Manufacturing were the most targeted, totaling 43 claimed victims. Of the 40 industry categories GRIT tracks, 35 were targeted by ransomware groups in July.
After the release of LockBit 3, ransomware reports appeared fairly level throughout July, with 38 to 55 victims claimed each week. There were two days with no claimed victims, and two days with more reports than June’s busiest day.
Sales (Retail & Wholesale) and Technology were the top two targeted industries for the month, with Lockbit, Hive, and Blackbasta being the most active ransomware groups targeting these sectors. The top countries targeted for Sales and Technology were the United States, France, Ireland, and South Africa.
US victims appeared in 30 of the 40 industries GRIT tracked. For comparison, the next most-targeted country, France, saw victims from 9 industries targeted. Lockbit, Alphv, Hiveleak, Blackbasta, and Lorenz were the groups most actively targeting the US. The number of US victims equaled the total combined victims of the 9 remaining countries in the top 10, and outpaced the total number of victims from the remaining 42 tracked countries.
Keeping up the momentum from June, Lockbit continues to be the most prolific ransomware group by far. Since the release of Lockbit 3 in late June, their claimed victims have increased significantly from 44 to 60. Hive, the closest group to Lockbit, claimed less than half that, with 26 victims. Still, Hive generated an increase in victims of more than 500% compared to June. Third for the month of July is Alphv, going from 13 victims in June to 21. Alphv’s focus on recruiting new affiliates with offers of up to 90% payout may account for some of their growth.
Threat Actor Spotlight: Hive
Hive began operations one year ago in July 2021, aggressively claiming more than 300 victims in their first few months of operation.
Hive offers significant benefits to affiliate hackers (an 80% payout), driving aggressive victim targeting based on the perceived likelihood of a ransom payment while disregarding other potential impacts. Unlike other groups that prohibit or discourage targets whose disruption could impact the average person, Hive appears to have no regard for potential loss of human life, including conducting destructive ransomware activity against the healthcare industry. In fact, Hive is the top group targeting Healthcare industry organizations as a percentage of its total victims.
Hive’s targeting is heavily centralized around English-speaking countries, with the US, UK, and Australia accounting for 86% of the victims in its top 5 countries.
Other Notable Ransomware Groups
New Ransomware Group: Redalert
Internally calling themselves N13V (according to analysis of a leaked Linux-based encryptor), Redalert launched operations in late June or early July. Redalert targets VMware ESXi on Windows and Linux systems, and currently only encrypts the following file types:
On its own, Redalert is just an encryptor and requires manually infiltrating target systems. The need to separately infiltrate the network and find an ESXi server indicates use of other tools for initial access, privilege escalation, and lateral movement. Having an advanced understanding of your attack surface aids in identifying attackers’ opportunities for initial access, regardless of their methodology.
New Ransomware Group: 0mega
Launched in May, 0mega puts a heavy focus on double extortion campaigns. Ransom notes are customized before being left on victim systems, including:
- Victim organization
- Data exfiltrated by 0mega
- Threats of data release or exposure to partners
0mega’s leak site has been observed to post and then remove victim information, which may indicate they take down information for victims who have paid their ransoms.
At a high level, all but 8 of the 23 groups GRIT tracked through June and July saw an increase in monthly victims. This suggests there are still strong incentives for ransomware operators and affiliates to continue and expand their malicious campaigns.
As discussed in our Threat Actor Spotlight, Lockbit’s decision to prohibit attacks against victims based on industry (healthcare and critical infrastructure) or location (former USSR nations) opens an avenue for groups less concerned with retribution from government and law enforcement entities to seek revenue by targeting organizations in these categories. If Hive continues to victimize critical industry verticals, other groups are likely to follow suit.