Report: Ransomware Attacks on Schools Increased in Q1 2023

An analysis by the Virginia-based cybersecurity firm GuidePoint Security found a 17 percent increase in ransomware attacks on schools since last quarter, and almost half of cases globally involve U.S. public entities.

Ransomware attacks on schools and other public institutions rose sharply in the past six months, according to a Virginia-based cybersecurity company that monitors worldwide activity on a quarterly basis.

GuidePoint Security, in its Q1 2023 Ransomware Report released in April, indicated a 27 percent increase in public ransomware victims — mainly in education, manufacturing, technology, health care, banking and finance industries — compared to the first quarter of 2022. It also noted a 25 percent rise from the last quarter of 2022. The report is based on public information.

The analysis indicated that “double extortion,” where the criminal operators encrypt files while also exfiltrating data, was a common tactic. In these instances, the ransomware groups retrieve data and then threaten to leak it to the public. The report identified two criminal groups, ALPHV and Medusa, as using this approach to extort institutions.

“Based on what we’ve observed during Q1 (849 total attacks worldwide), we assess that more advanced ransomware threat actors will increasingly deploy novel coercive techniques, particularly as the fallout of existing instances generates media coverage and civil lawsuits against affected organizations,” Drew Schmitt, a lead analyst for GuidePoint Research and Intelligence team (GRIT), said in a news release. “We can make this assessment based on the increased prevalence of these techniques in open source reporting and internal research, as well as our technical and professional understanding of business risk as it pertains to ransomware events.”

The analysis measured activity worldwide, though the United States reported the highest number of attacks, at 46 percent, followed by the United Kingdom, Germany, Canada and France.

The education industry, specifically, saw a 17 percent increase from Q4 2022 to the first quarter of this year. This sector is unique in that while classes are not in session year-round, administrative offices are often staffed 12 months a year. Because of this “year-round victimization,” the report said, students are not always the “weak link” for intrusions. It identified Western Michigan University, Dallas (Texas) Public Schools and the Minneapolis school districts as the most high-profile victims.

Learning institutions in the U.S. encountered the most ransomware attacks, followed by those in the United Kingdom, Australia, Germany, France and Brazil, according to the report.

The report identified the February 2023 attack against the Minneapolis school district as particularly heinous: The culprit, Medusa, published screenshots describing sexual allegations after the district declined to pay the group’s demands. Medusa also displayed a video reviewing the exfiltrated data.

In the health-care industry, an attack against an Australian health insurance company leaked alleged lists of patients who had received mental health treatment or abortions after the victim refused to pay the $10 million (U.S.) ransom demand. And in early 2023, according to the report, the criminal group ALPHV leaked clinical photos of U.S. cancer patients after its ransom demand went unpaid. Following that leak, ALPHV posted a message: “Our blog is followed by a lot of world media. The case will be widely publicized and will cause significant damage to your business.”

The report also noted:

  • Certain attacks were designed to generate media attention and harm the reputations of organizations.
  • The five most frequent culprits of ransomware attacks, out of the 29 tracked groups, were LockBit, Clop, ALPHV, Royal and BianLian.
  • While manufacturing and technology were the sectors most impacted by ransomware attacks in the first quarter of this year, the legal industry also saw a major increase in the number of attacks since the last quarter of 2022 — from 23 to 38 total, an increase of 65 percent.

In summary, the report said ransomware remains a “worldwide industry-agnostic threat.”

“Open source reporting indicating a decrease in the amount of paying victims, while significant, does not appear to have detracted newcomers and ongoing operations in the ransomware-as-a-service (RaaS) ecosystem,” the report concluded. “Barring substantial disruption by international law enforcement or continuous declines in revenue, GRIT’s assessment is that ransomware threat activity is unlikely to decline in the near term.”