GuidePoint Security’s Research and Intelligence Team (GRIT) investigated ransomware activity and discovered 55% more year-over-year active ransomware groups and 20% more victims of ransomware attacks (1,024) than in Q1 of 2023.
As per Guidepoint Security’s Q1 2024 Ransomware Report, the sectors most affected by ransomware attacks were retail and wholesale, manufacturing, and healthcare. Although posted victims from February to March increased by 7.4%, attacks on healthcare organizations dropped from 32 in February to 20 in March. Law firms also had the same reduction in attacks, which decreased from 20 in February to 10 in March. In Q1 of 2024, over 50% of all victims or 537 attacks were conducted in the United States, which is a first-time occurrence since Q2 of 2023. The United Kingdom was the second most attacked country with 60 attacks.
GRIT found 29 specific, active ransomware groups in Q1 of 2023 and 45 groups in Q1 of 2024. LockBit was the most active ransomware group in Q1 of 2024. Although the LockBit ransomware group encountered law enforcement disruption in February 2024, LockBit stayed active with 219 victims in the quarter, but less than its typical number of attacks. Before the law enforcement operation on February 20, 2024, LockBit conducted an average of 3 attacks per day. From February 24 to March 31, the group only conducted 2 attacks per day on average. The group currently seems to be back in full operation, having 97 victims in March alone. Blackbasta was the second most active group that held 73 attacks in Q1 of 2024, higher by 151% compared to the last quarter. Next was Play which conducted 71 attacks, lower by 37% compared to Q4 of 2023. Although the Qilin ransomware-as-a-service group performed only 44 attacks in 2023, it is more active in 2024 with 34 victims already in the Q1 of 2024.
Law enforcement has been significantly more active against ransomware groups in recent months. Despite the attempted shutdown by the Operation Cronos Task Force, LockBit survived and only suffered several days of serious disruption, although it conducted fewer ransomware attacks in the following weeks. At the end of December, law enforcement took action against the ALPHV/Blackcat ransomware group, which was the next most active ransomware group in 2023. The group removed all limits for affiliates and actively prompted attacks on healthcare companies including the attack on Change Healthcare, which resulted in a HIPAA compliance investigation. After the Change Healthcare attack, the group planned an exit scam by pocketing all the ransom payments and stopped its operation.
Despite the shutdown of LockBit and ALPHV, reported victims in the quarter still increased by 19.2% with at least 50 victims listed on the data leak sites per week and a maximum of 125 victims listed for a week in March. GRIT discovered efforts by a few ransomware groups to get new affiliates in Quarter 1, which include the Cloak, Medusa, and RansomHub groups. The ads for their RaaS operations were posted on deep and dark web forums last January and February 2024. The RansomHub activity seemed to have increased in the following weeks. These three ransomware groups, Killsec, Redransomware, and Donex, are the new ones that appeared in quarter 1 of 2024. Although these groups just performed 22 attacks in March, activity is expected to go up. Attacks dropped from 1,117 in the last quarter of 2023 to 1,024 in the first quarter of 2024. The shutdown of the ALPHV operation may also cause a decline in attacks in Q2. Nevertheless, the affiliates who were with ALPHV will likely find other ransomware operations, so the activity of other groups will likely increase to make up for the difference.