Ransomware attackers are shifting away from “big game” targets and towards easier, less defended organizations, a new report from Trend Micro has found.
It observed a 47% increase in the number of new victims of this vector from the second half of 2022, many of which were small organizations with less mature cyber postures.
In H1 2023, the majority (57%) of victims of the LockBit gang, responsible for recent high-profile attacks on the Royal Mail and Taiwan Semiconductor Manufacturing Company (TSMC), were organizations that had up to 200 employees, which the report defined as small businesses.
Small businesses also made up nearly half (45%) of victims of BlackCat in this period.
However, small businesses made up a much smaller proportion of Clop victims, at 27%, with large enterprises accounting for half.
LockBit has been the top ransomware family since 2022, accounting for 26.09% of victim organizations, according to the report. This was followed by BlackCat (10.59%) and Clop (10.09%). LockBit was also responsible for one in every six attacks targeting US government offices in 2022.
Globally, the number of victim organizations surged by 45.27% in H1 2023 compared to H2 2022, reaching 2001.
US-based organizations made up nearly half of all ransomware victims (949) in H1 2023, representing a 69.94% rise compared to H2 2022.
Changing Ransomware Landscape
Speaking during Trend Micro’s ‘Risk to Resilience World Tour Breakfast’ media event on Thursday September 21, David Sancho, a senior threat researcher at Trend Micro explained that there are a lot more smaller ransomware groups now in operation. “Whereas there used to be three to five big ones and a tail, there are now three big ones and a very long tail,” he noted.
One factor for the rise in smaller ransomware groups is the leaking of source codes used by LockBit and Conti in recent years, which has enabled other actors to recompile and create new ransomware strains, added Sancho.
He also noted that many ransomware groups are not even encrypting files anymore, and instead simply threatening to expose the information and publicize the incident. “There’s a tendency for new groups not to do ransomware anymore, they just hack and then extort,” explained Sancho.
The Trend Micro report highlighted a 11.3% increase in the number of new ransomware-as-a-service (RaaS) groups in H1 2023 compared to H2 2022, reaching 69.
The Trend Micro breakfast event emphasized the need to shift from cybersecurity to cyber-resilience in the face of an attack surface that has “exploded beyond belief,” according to Bharat Mistry, technical director, UK and Ireland at Trend Micro.
This requires an assumption from organizations that they will be hit, and therefore a prioritization on incident response and recovery. This in turn necessitates cyber being seen as a business risk rather than solely the domain of IT, added Mistry.
Sancho observed a shift in the cyber-criminal mindset, which makes attacks like ransomware much harder to stop. They increasingly utilize a range of methods to infiltrate networks, including in “unexpected ways,” rather than relying on traditional social engineering attacks.
“Ransomware has become a hacking operation with a ransomware payload instead of just a ransomware attack,” he said.