Ransomware and the threat landscape for Q2 was analyzed in a recent report by GuidePoint Security. In the second quarter, researchers tracked 1,177 total publicly posted ransomware victims claimed by 41 different threat groups.

The report shows a 38% increase in public ransomware victims compared to Q1 2023, and a startling 100% increase from Q2 2022. Manufacturing and technology, representing 14% and 11% of impacted industries respectively, continue to be the most impacted industries.

Researchers observed an increase in the activity of Ransomware-as-a-Service (RaaS) groups throughout the quarter, attributed to 14 new groups that began operations in Q2 2023. This represents a 260% increase in “First Seen” groups compared to Q1. LockBit’s commanding lead in the Ransomware as a Service (RaaS) economy can be observed across all five of the most impacted industries except Healthcare, where it faced competition from Bianlian and Karakurt.

For the first half of 2023, correlation between the total number of ransomware groups and total observed ransomware events suggests that newly emerging groups directly contribute to the rise in total victims. Q2 observed ransomware events are visibly higher than Q1, month-over-month. The observable spikes in late March, May and June are the result of mass vulnerability exploitation events (GoAnywhere, PaperCut and MOVEit respectively) attributed to Clop and other ransomware groups. The MOVEit campaign accounted for 6% of June’s attacks and 94% of Clop’s total for Q2.

LockBit remains the most prolific ransomware threat group, despite experiencing a 10% decline in observed victim volume in Q2 relative to Q1. AlphV is the second most active ransomware group in Q2, experiencing a 50% increase in victim volume over Q1. 8Base is a newcomer, but is the third most active actor in Q2, responsible for 9% of all observed ransomware attacks. Bianlian and Clop round out the top five most active ransomware groups in Q2. In Q2, 8Base was responsible for 107 observed ransomware incidents, and Akira was responsible for 60, placing both within the top 10 most impactful ransomware groups.

Researchers observed an increase in ransomware groups impacting public, non-profit school systems and districts. Historically, image-conscious groups have stated that these types of targets are “off limits,” except in instances where the organization is private and/or generates revenue. However, groups are increasingly eschewing this norm indicating a change in calculus, especially if public schools are easier to breach, more consistently pay ransoms, or result in particularly sensitive data exfiltration.

The prevalence of leaked ransomware builders has continued to lower the barriers to entry for emerging ransomware groups. Encryptors for Babuk, LockBit and Conti have all been leaked online, allowing threat actors with lower technical expertise or familiarity with encryption to slightly alter and deploy fully functional ransomware.