Lockbit Ransomware Dominant Even as Overall Attack Rates Fall

With victims from 23 countries, Lockbit continues to be the most prolific ransomware group in the early months of 2023, even as an 11% decrease in ransomware victims was reported in January.

These were among the findings from GuidePoint Security’s monthly ransomware threat report, which found the total number of attacks by Lockbit was more than double that of the remaining top five groups: Vice Society, AlphV, Royal and Play.

According to the report, the U.S. continues to be the most impacted country across all ransomware groups, while most industries saw a decrease in victims aligned with the overall slowdown in activity during January.

Target: USA

Darren Guccione, CEO and co-founder at Keeper Security, explained that the U.S. is an attractive target for ransomware groups because of the high concentration of financially attractive organizations that often have antiquated or insufficient technology to defend against a cyberattack.

“Organizations in the technology, finance and health care sectors, in particular, often hold valuable sensitive information that yields larger ransom rewards for cybercriminals,” he added. “There’s also a lack of deterrents for these bad actors who often operate from countries with lax cybersecurity laws and weaker legal privity with the American government.”

Guccione noted another major factor that makes U.S. businesses an attractive target is the lack of cybersecurity preparedness, which can happen for a number of reasons that range from a lack of resources and a shortage of skilled cybersecurity professionals to a lack of awareness about the risks.

Drew Schmitt, ransomware negotiator and principal threat analyst at GuidePoint, said there are a lot of factors that influence victim posting rates across ransomware groups.

“Historically, the beginning of the year seems to be a slower time for many ransomware groups,” he said.

Whether this is related to the associated slowdown of U.S. companies for the holiday season or the groups themselves going through a slowdown is undetermined.

Based on the trends observed in 2022 and in previous years, activity is likely to rise as Q1 continues and after it ends.

“Despite initial slowdowns at the beginning of January, Q1 tends to be a very active quarter in the year,” Schmitt said. “Anecdotally, based on our research so far in February, that does appear to be the case this year as well.”

He added that the most interesting finding from January 2023 was Vice Society’s massive increase in victim posting compared to other ransomware groups.

Although it still came in second to Lockbit, Vice Society posted 267% more victims in January than in the previous month, and many of those victims were in the education sector, which is more sensitive than many other sectors.

“With such a high focus on the education sector, it is surprising that they are continuing to operate at such high levels with minimal law enforcement intervention,” Schmitt said.

He added that, if the last few years are any indication, Lockbit will continue to hold on to its spot amongst the more active ransomware groups operating today.

“Their affiliate base is plentiful, and their affiliate rules keep themselves just out of the spotlight enough to not warrant significant actions from law enforcement agencies compared to others that are actively targeting critical infrastructure and sensitive organizations,” he said.

Schmitt explained that, historically, ransomware groups ramped up activity shortly after the beginning of the year.

“Some of the rebrand groups from last year are now moving into a full-time state as they have solidified their identities and reputations,” he said. “We are also seeing a lot of activity related to splinter and ephemeral groups, which is contributing to an increase in activity, as well.”

Ransomware Spikes

Overall, ransomware activity is beginning to spike, as has been seen in past years, and will likely continue to ramp up as the year progresses.

Schmitt advises IT security teams to focus on the foundations of improving visibility through asset management, adequate tools deployment and squeezing the most out of the tools and processes currently available.

“This is an integral part of ensuring that you are prepared to prevent or respond to attacks effectively,” he said. “In many cases related to ransomware victims, having the foundations in place would have either prevented an initial attack or allowed for a swift response that would have significantly limited its impacts.”

Joseph Carson, chief security scientist and advisory CISO at Delinea, said that with the rise of ransomware-as-a-service (RaaS), the cost, knowledge and time required to extort someone for profit have dropped steadily, making such attacks easier and easier to carry out.

“Nowadays you don’t need to write your own malware, build attack infrastructure and create custom phishing campaigns; rather, you can just pay a group to have access to their RaaS product for trivial sums of money–sometimes as low as $40 per month,” he explained.

This low barrier to entry will allow unsophisticated criminals to prey on organizations that don’t have adequate defenses or proper backups in place to force a ransom payment.

“There are numerous ways organizations can protect themselves from ransomware attacks,” Carson added.

He labeled some of these as “obvious, after-the-fact protections,” such as performing frequent data backups, having a wide-ranging incident response plan and investing in cyberinsurance policies that cover ransomware recovery and payments.

“However, organizations should take a more proactive approach to cybersecurity, in particular where they are most vulnerable to these types of attacks—namely identity and access controls,” he said.

By taking a least privilege approach founded on zero-trust principles and enforced by methods such as password vaulting and multifactor authentication (MFA), organizations can significantly reduce their vulnerability to ransomware attacks.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
