GRIT Ransomware Report: February 2023

Additional contributors to this GRIT report: Grayson North, Jason Baker, and Drew Schmitt
Compared to January, February showed a heavy increase in ransomware activity in reported victims and the countries affected, but overall trends in victims, group activity, and targeting remained largely the same.
The most notable change was the increase in victim count by the Lockbit ransomware-as-a-service (RaaS) group. Lockbit reported 129 victims in February, more than double what they reported in January (50). This suggests that Lockbit may have expanded its network of affiliates, or this may be the result of a large series of campaigns from the group and its affiliates. Another RaaS group, AlphV, also significantly increased its reported monthly victim count from 20 to 31. Meanwhile, Vice Society’s monthly victim count dropped from 22 to two victims, showing that not all ransomware groups are increasing their operational tempo.
The data also revealed some shifts in the industries targeted by ransomware groups. The Food and Beverage industry saw a significant increase from four victims in January to 17 in February, possibly due to its high dependence on operational continuity and customer service. The Banking and Finance industry also saw an increase from nine to 19 victims, reflecting its attractiveness for cybercriminals seeking monetary gain. The Engineering industry increased from one to eight victims, indicating that ransomware groups may be targeting sectors with valuable intellectual property and sensitive data.
Finally, GRIT observed some variations in the countries affected by ransomware attacks. The United Kingdom saw the most significant decrease, from 20 victims in January to 14 in February. The United States took the majority of the hits again, going from 62 victims in January to 117 in February, demonstrating its vulnerability to ransomware attacks across various industries and regions. Italy and France increased by six and five respectively, suggesting that ransomware groups are expanding their geographical reach and exploiting local weaknesses. Overall, ransomware groups targeted victims in 48 countries in February, a steep increase from the 38 countries attacked in January.
Ransomware Trends
There was a 51.5% increase in posted ransomware victims compared to January, and a 15.8% increase compared to February last year. The increase in activity is almost entirely attributable to Lockbit’s posting rate, which saw a 158% increase from 50 posts in January to 129 in February.

Sorted by Threat Actor targeting, February’s top countries were the United States, United Kingdom, France, Italy, Germany, Brazil, Canada, Australia, Hong Kong, and India. These are largely the same as they were in January, with only two countries being swapped out entirely–Portugal and Belgium in January were switched with Hong Kong and Brazil in February.

In what is starting to become a bit of an axiom in the Ransomware Report, Lockbit remained the most prolific group, claiming victims in more countries than any other group by far. In February, Lockbit’s victims spanned 33 of the 47 countries where GRIT observed activity, while the next highest group–AlphV–claimed victims in only 15.
The United States remained the most targeted country–representing 48.5% of the targeted victims–and the groups most actively targeting the US were Lockbit, AlphV, and Royal.

The US saw targeting against 29 of the 35 industries we observed in February, more than double the 11 industries targeted in the UK. The complete list of targeted industries per country is as follows:
• US: 29
• UK: 11
• France: 9
• Italy: 9
• Germany: 5
• Canada: 6
• Brazil: 4
• India: 5
• Australia: 4
• Hong Kong: 4
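The figures in this section (victims per group, month-over-month percentage change, countries spanned per group, industries targeted per country, and share of total postings) all derive from the same kind of aggregation over leak-site postings. The following is an added example of that aggregation, not GRIT's own tooling; the postings are constructed sample records, and the record shape (month, group, country, industry) is an assumption made for the example.

```python
"""Month-over-month ransomware victim-posting metrics.

Added example, not GRIT's tooling. The POSTINGS records are constructed;
real data would come from scraping the groups' leak sites.
"""
from collections import Counter, defaultdict

# Constructed sample postings: (month, group, country, industry).
POSTINGS = [
    ("2023-01", "Lockbit", "US", "Manufacturing"),
    ("2023-01", "Lockbit", "UK", "Legal"),
    ("2023-01", "AlphV", "US", "Banking"),
    ("2023-01", "ViceSociety", "US", "Education"),
    ("2023-01", "ViceSociety", "UK", "Education"),
    ("2023-02", "Lockbit", "US", "Manufacturing"),
    ("2023-02", "Lockbit", "US", "Food & Beverage"),
    ("2023-02", "Lockbit", "FR", "Banking"),
    ("2023-02", "Lockbit", "IT", "Engineering"),
    ("2023-02", "AlphV", "US", "Banking"),
    ("2023-02", "AlphV", "DE", "Banking"),
    ("2023-02", "Royal", "US", "Technology"),
    ("2023-02", "ViceSociety", "US", "Education"),
]


def victims_per_group(postings, month):
    """Number of posted victims per group in one month."""
    return Counter(g for m, g, _, _ in postings if m == month)


def percent_change(old, new):
    """Percent change from old to new; None when old is zero (new entrant)."""
    if old == 0:
        return None
    return round((new - old) * 100 / old, 1)


def month_over_month(postings, prev, cur):
    """{group: (prev_count, cur_count, percent_change)} across both months."""
    before = victims_per_group(postings, prev)
    after = victims_per_group(postings, cur)
    return {
        g: (before[g], after[g], percent_change(before[g], after[g]))
        for g in set(before) | set(after)
    }


def countries_per_group(postings, month):
    """How many distinct countries each group claimed victims in."""
    spans = defaultdict(set)
    for m, g, country, _ in postings:
        if m == month:
            spans[g].add(country)
    return {g: len(c) for g, c in spans.items()}


def industries_per_country(postings, month):
    """How many distinct industries were hit in each country."""
    hit = defaultdict(set)
    for m, _, country, industry in postings:
        if m == month:
            hit[country].add(industry)
    return {c: len(i) for c, i in hit.items()}


def share_of_total(postings, month, group):
    """A group's percentage of all victims posted in the month."""
    total = sum(1 for m, _, _, _ in postings if m == month)
    if total == 0:
        return 0.0
    return round(100 * victims_per_group(postings, month)[group] / total, 1)


if __name__ == "__main__":
    for group, stats in sorted(month_over_month(POSTINGS, "2023-01", "2023-02").items()):
        print(group, stats)
    print("countries per group:", countries_per_group(POSTINGS, "2023-02"))
    print("industries per country:", industries_per_country(POSTINGS, "2023-02"))
```

A new entrant has no previous-month baseline, so `percent_change` returns `None` rather than dividing by zero; that is the case to watch when a group first appears on a leak site mid-quarter.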
Six industries, including two that didn’t make the top ten last month, saw a slight decrease in targeting compared to January, each dropping no more than three victims. Still, due to the overall increase in activity from January to February, that decrease was enough to move two verticals (Automotive and Government) out of the monthly top ten entirely. Six industries all saw increases ranging from 27% to 350%, with three more than doubling their victim count–Legal saw a rise of 116%, Banking and Finance went up 122%, and Food & Beverage saw a massive 350% increase.
Among the top targeted industries, the most active groups were Lockbit and AlphV, with Royal and Medusa tied for third place. A notable shift in industry targeting came from Vice Society, who dropped from the number one spot in Education targeting to join a three-group tie for second place.

Lockbit continues to dominate the landscape, accounting for 129 victims, or 54% of all February ransomware victims. Their most targeted industries were Manufacturing, Banking & Finance, and Food & Beverage.
AlphV came in as the second most active group for the month. While Lockbit dwarfed AlphV’s victim count of 31, AlphV still had more than double the reported victims of any other group. They heavily favored Banking & Finance in February.
Finally, Royal saw a 21% decrease in their reported victims, but still came in third for activity this month. They also decreased the number of countries they targeted this month, with victims in only half as many countries as they reported in January.


Threat Actor Spotlight
Royal Ransomware Group [GRIT Ransomware Taxonomy*: Rebrand]
Royal was the fourth most active ransomware group in February 2023, responsible for 6% of total victims. The group has claimed 97 victims since October 2022, though CISA and FBI track their emergence to September 2022. Royal’s primary targets have been in the Manufacturing sector, accounting for 11% of their victims, followed by Technology (9%) and Food & Beverage (7%). Construction and Education complete their top five most impacted industries with 6% each. The United States makes up the majority of Royal’s victim targeting at 60%, with Canada also heavily impacted at 10%. Germany, Brazil, and Australia have also seen a considerable volume of attacks.
Royal’s initial ransom demands range from $250,000 USD to $11M, payable in Bitcoin cryptocurrency. Additionally, the group performs “double-extortion” attacks, exfiltrating sensitive data and threatening to leak it as additional leverage.
Royal’s most common initial access vectors include Phishing (66.7%) and Remote Desktop Protocol (RDP) compromise (13.3%), according to CISA and FBI. Besides commonly used tools like Cobalt Strike, Ursnif, PsExec, and legitimate remote monitoring and management (RMM) software, Royal has also been observed using the Chisel HTTP tunneling tool to communicate with C2 infrastructure. QakBot/QBot and BATLOADER are some of the associated malware used to deliver the Royal ransomware.
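Two of the tools named above (PsExec and Chisel) and the RDP access vector leave distinctive traces in Windows event logs. The following is an added detection example written for this report, not GRIT's, CISA's or any vendor's code: it runs three checks over constructed event records. The JSON field names, the sample events, and the internal address ranges are assumptions made for the example; the PsExec service name `PSEXESVC`, the Chisel `client <server> R:...` argument shape, and event IDs 7045 (service install), 4624 (logon) and Sysmon 1 (process creation) are standard.

```python
"""Detection checks for tooling named in the Royal spotlight (PsExec, Chisel,
RDP abuse), run over constructed Windows event records.

Added example, not GRIT's or any vendor's code. The event field names,
the sample EVENTS and INTERNAL_NETS are assumptions made for this example.
"""
import ipaddress
import json
import re

# Assumption: the organisation's internal address space is RFC 1918.
# (ipaddress.is_private also treats documentation ranges as private, so an
# explicit list is used.)
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Chisel's client form is "client <server> <remote>", where a remote such as
# "R:socks" or "R:3389:host:3389" opens a reverse tunnel. Matching the
# argument shape rather than the binary name still catches a renamed copy.
CHISEL_CLIENT = re.compile(r"\bclient\s+\S+\s+R?:?(socks|\d+:\S+)", re.I)

# Constructed sample events (JSON lines); no real hosts or addresses.
EVENTS = r"""
{"ts":"2023-02-10T02:14:05Z","channel":"System","event_id":7045,"host":"FS01","service_name":"PSEXESVC","image_path":"%SystemRoot%\\PSEXESVC.exe"}
{"ts":"2023-02-10T02:16:40Z","channel":"Sysmon","event_id":1,"host":"FS01","image":"C:\\Users\\Public\\svchost.exe","command_line":"svchost.exe client 203.0.113.7:8080 R:socks"}
{"ts":"2023-02-09T23:51:12Z","channel":"Security","event_id":4624,"host":"DC01","logon_type":10,"user":"jsmith","source_ip":"198.51.100.23"}
{"ts":"2023-02-09T09:00:00Z","channel":"Security","event_id":4624,"host":"DC01","logon_type":10,"user":"admin-it","source_ip":"10.20.30.40"}
{"ts":"2023-02-10T02:20:00Z","channel":"System","event_id":7045,"host":"WS22","service_name":"PrintSpoolerHelper","image_path":"C:\\Program Files\\Vendor\\helper.exe"}
"""


def is_internal(ip_text):
    """True if the address falls inside the assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def finding(rule, ev, detail):
    return {"rule": rule, "host": ev.get("host"), "ts": ev.get("ts"), "detail": detail}


def check_event(ev):
    """Return a finding dict for one parsed event, or None if nothing matched."""
    eid = ev.get("event_id")
    # PsExec installs a service named PSEXESVC on the target host. PsExec is a
    # legitimate admin tool, so baseline this against authorised use.
    names = (ev.get("service_name", "") + ev.get("image_path", "")).upper()
    if eid == 7045 and "PSEXESVC" in names:
        return finding("psexec_service_install", ev, ev.get("image_path"))
    # Process creation whose command line has Chisel's client/remote shape.
    if eid == 1 and CHISEL_CLIENT.search(ev.get("command_line", "")):
        return finding("chisel_client_cmdline", ev, ev.get("command_line"))
    # Interactive RDP logon (type 10) sourced from outside the internal ranges.
    if eid == 4624 and ev.get("logon_type") == 10 and not is_internal(ev.get("source_ip", "")):
        return finding("external_rdp_logon", ev, f"{ev.get('user')} from {ev.get('source_ip')}")
    return None


def detect(lines):
    """Parse JSON-lines events and return all findings."""
    findings = []
    for line in lines.strip().splitlines():
        if line.strip():
            hit = check_event(json.loads(line))
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["ts"], f["host"], f["rule"], f["detail"])
```

The benign service install and the RDP logon from an internal address produce no findings, which is the point of the allow-listed ranges and the name check: these rules are meant to surface candidates for triage against known administrative activity, not to fire on every service install or remote session.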
Early Royal iterations employed ALPHV/BlackCat’s encryptor before moving on to an in-house “Zeon” encryptor. Security researchers have noted similarities between the ransom note generated by Zeon and those previously generated by Conti. These similarities and Royal’s TTPs suggest that Royal is likely operated by ransomware actors with experience from previous operations.
*for more information about the GRIT Ransomware Taxonomy, see our Annual Report on ransomware activity in 2022
Other New And Notable Ransomware Events
New leak site
In February 2023, GRIT first began tracking “Vendetta,” a leak site which abuses a vulnerability to post their own victims to a subdomain of the stagnant Cuba leak site.

ESXi Mass Exploitation
Early in February, security researchers discovered wide-reaching and automated exploitation of unpatched VMware ESXi management systems. This attack disabled the management interfaces of hundreds of internet-accessible ESXi systems and displayed a message requesting a ransom. On February 7, the United States Cybersecurity and Infrastructure Security Agency released a tool that could help some victims recover from this series of attacks, now dubbed “ESXiArgs.”
Royal Mail attack claimed by Lockbit
On February 9, Lockbit claimed the Royal Mail Group, the United Kingdom’s largest mail delivery company, as a victim. This attack, believed to have started in early January, caused considerable losses and outages for the Royal Mail service. According to leaked chats from the negotiation with the threat actor, Lockbit demanded £65.7 million (around USD 80 million), which the victim did not pay.
Final Thoughts
February of 2023 has, as predicted, shown to be a “bounce back” month after a significant reduction in victims around the December and January timeframe. A relative lull of posted victims followed by a sharp increase midway through Q1 is a pattern that has now repeated itself two years in a row according to our previously collected data.
This month, leading the pack in claimed victims is unsurprisingly the Ransomware as a Service (RaaS) organization Lockbit, which continues to leverage their network of affiliates–drawn in by favorable deals and working conditions–to claim a significant portion of victims in the ransomware space. Despite the perceived dominance of Lockbit, other threat actors do not appear to be ceding much market share. Groups such as Royal, AlphV, and BianLian have all increased their rate of victim posts during this period, indicating an increase in capabilities and improved operationalization within those groups. GRIT predicts that these groups in particular will continue this momentum and further increase their victim base as the quarter continues.
Not to be forgotten or discounted are the smaller ransomware groups still active in the environment. Groups such as Vice Society, Mallox, and Medusa only post a fraction of the number of victims as the larger groups; however, their consistency proves that these actors are still a threat. GRIT has observed that smaller “splinter” and “ephemeral” groups such as these are more likely to take advantage of their relative lack of notoriety to target more sensitive victims (such as those in the Education and Healthcare industries) compared to the larger “full time” groups. This trend is likely to continue as the smaller groups dodge sanctions and other government-level interventions aimed at disrupting the ransomware ecosystem.
*** This is a Security Bloggers Network syndicated blog from The Guiding Point | GuidePoint Security authored by Nic Finn. Read the original post at: https://www.guidepointsecurity.com/blog/grit-ransomware-report-february-2023/

