A rise in ransomware activity and a shift in aggressor behaviour was noted in the GuidePoint Security Q1 2024 Ransomware Report. This included an almost 20% year-on-year increase in the number of ransomware victims and a 55% YoY increase in active ransomware groups in spite of initiatives from law enforcement to counter this cyber threat. 'Off-limits' organisations such as emergency hospitals are now also seen as viable targets.

"Overall, we're seeing an increasingly volatile ransomware ecosystem. Law enforcement disruptions this quarter appear to have temporarily slowed or shifted operational activities of prolific Ransomware-as-a-Service (RaaS) groups, including Alphv and LockBit," said Drew Schmitt, Practice Lead for GuidePoint Security research team, GRIT. As a part of this evolving landscape, smaller ransomware groups are observed recruiting affiliates that have seemingly been left directionless due to the disruption of larger groups.

The report took a comprehensive look at the changing RaaS ecosystem, observing the impact of the Operation Cronos Task Force, an international law enforcement initiative led by the UK National Crime Agency, on LockBit. Other major occurrences from the quarter featured an apparent exit scam by Alphv, following their widely-reported attack on Change Healthcare, re-extortion attempts by Phobos affiliates and a proclaimed collaboration renewal by members of the notorious cybercrime collective, The Five Families.

Despite the disruption of prominent ransomware groups, Alphv and LockBit, the first quarter of 2024 still saw a near 20% increase in reported victims compared to the same period in 2023. The number of active ransomware groups during this time rose by 55% YoY, from 29 in 2023, to 45 in 2024. The three most aggressive of these were LockBit, Blackbasta and Play. LockBit even managed to claim the top spot for RaaS operations, possessing 219 victims, despite facing significant disruption in February.

The quarter also saw a resurgence in activity towards the retail and wholesale sectors, which overtook healthcare as the second-most impacted industry by these attacks. The United States became the most targeted nation, holding over half of all observed ransomware victims at 537 cases, despite the fact it only observed a marginal increase compared to the previous year. On the other hand, the United Kingdom noticed the most significant drop in observed victims by country, but it was still the second-most affected nation with 60 reported cases.

Drew Schmitt believes that these developments suggest an impending increase in opportunistic and indiscriminate attacks, disregarding any previous norms in the RaaS ecosystem. He suggests, "It's also likely that some portion of relatively less mature Emerging and Developing groups maintain a steady enough increase in operations to become new long-standing Established groups". This projection is based on data collected from publicly available resources and insights from threat analysts into the ransomware threat landscape, providing a comprehensive overview of the current state of ransomware threats.