The number of ransomware victims appearing on data leak sites surged by 27% year-on-year (YoY) in April to 354, with manufacturing the most impacted industry, according to GuidePoint Security.
The security vendor’s latest monthly GRIT Ransomware Report was published on Thursday, ahead of Interpol’s awareness-raising initiative “Anti-Ransomware Day” today.
The GuidePoint Security report is compiled from analysis of 24 ransomware leak sites, so the true number of victims is likely much higher: victims who pay are generally not posted to such sites at all.
However, on the sites analyzed, a fifth (19%) of victims were manufacturing companies. Manufacturers are often singled out by extortionists because of their low tolerance for production outages.
While victim volumes declined 22% between March and April this year, they increased 46% in the manufacturing sector.
LockBit was once again the most prolific group, accounting for 31% of victims on leak sites in April, followed by Alphv (14%). Overall, however, the ransomware industry is increasingly characterized by a large number of smaller groups.
“We observed a diverse slate of active threat groups in April 2023, with 27 unique groups. This level of diversity, the highest that GRIT has observed since November 2021, reflects the continued threat and viability of smaller ransomware groups, including newly established ‘Splinter’ or ‘Ephemeral’ groups consisting of experienced ransomware operators,” GuidePoint Security explained.
Splinter groups are less experienced groups that have been active for just 2–5 months and have often split from larger entities. They are characterized by variable public posting rates and by TTPs frequently borrowed from other groups.
Ephemeral groups have been active for less than two months with varied but low victim rates, and “do not progress to more developed and mature group types.”
The report also pointed to increasingly aggressive tactics by ransomware groups intended to force victims to pay. These included DDoS threats, the release of sensitive internal chats, and the hijacking of a university alert system to direct staff and students to pressure administrators into paying.