‘Top’ ransomware gangs favour smaller businesses

In search of the easiest route to a quick pay-off, ransomware gangs in 2023 have been increasingly targeting small and medium-sized enterprises (SMEs) with under 200 employees, rather than hunting for large targets, according to data drawn from Trend Micro.

Trend Micro collated data from ransomware-as-a-service (RaaS) and cyber extortion groups’ leak sites, its open source intelligence (OSINT) research and its Smart Protection Network. Trend Micro detected and blocked almost seven million ransomware threats in total itself, a slight decline of just under 4% compared with the last half of 2022.

It also looked in depth at the activities of three of the highest-profile operations – LockBit, ALPHV/BlackCat and Clop (aka Cl0p) – during the first six months of the year.

It revealed that despite netting high-profile victims such as Royal Mail and Ion, LockBit actually preferred to target SMEs, which are perceived as more likely to pay up without what its operatives and affiliates would consider undue fuss. Some 57% of its victims were smaller organisations – 299 out of a total of 522 observed by Trend Micro from 1 January to 30 June 2023.

LockBit remained exceptionally active during the period, and notably accounted for one in every six observed ransomware attacks that targeted government bodies in the US.

Meanwhile, a plurality of ALPHV/BlackCat victims (45%) were SMEs – 95 out of a total of 212 during the six-month period. For Cl0p, SMEs comprised 27% of its victims – 55 out of 202 – a total that may be skewed by the volumes of attacks it orchestrated via Progress Software’s MOVEit tool.

Altogether, Trend Micro found that new ransomware victims surged by 47% during the six-month period.

“We’ve observed a significant increase in the number of ransomware victims since the second half of 2022. Threat actors continue to innovate, target more victims, and cause significant financial and reputational damage,” said Trend Micro’s vice-president of threat intelligence, Jon Clay.

“Organisations of all sizes must prioritise and enhance their cyber security posture. Our report should help network defenders, policymakers and other stakeholders make better-informed decisions in the ongoing fight against ransomware.”

Despite the data being influenced by Trend Micro’s customer base, US-based organisations clearly accounted for the majority of victims – nearly half – during the period, up 70% compared to the last six months of 2022. The UK and Canada were the second and third most affected countries.

Trend Micro also noted that the number of active RaaS and RaaS-related groups grew by 11.3% during the six-month period, reflecting the highly organised and increasingly professionalised nature of the ransomware underground.

The mostly highly targeted sectors during the first six months of the year were banking, retail and transportation, with the banking industry registering the greatest number of incidents, retail consistently ranking in second place, and transport, which saw significant spikes in attacks between March and May, third.

LockBit tended to mainly focus its attention on victims working in the IT, finance and professional services sectors, while ALPHV/BlackCat focused more on finance, healthcare and professional services, as did Clop.