GuidePoint Research and Intelligence Team’s (GRIT) 2023 Q1 Ransomware Report Highlights a 25% Increase in Public Ransomware Victims Compared to Q4 2022

The GuidePoint Security Threat Intelligence Team’s Latest Quarterly Ransomware Analysis Shows a Quarterly Increase in Novel Coercive Tactics as the Ransomware-as-a-Service Ecosystem Evolves

HERNDON, Va.--()--GuidePoint Security, a cybersecurity solutions leader enabling organizations to make smarter decisions and minimize risk, today announced the release of GuidePoint Research and Intelligence Team’s (GRIT) Q1 2023 Ransomware Report. This report is based on data obtained from publicly available resources, including threat groups themselves, and insight into the ransomware threat landscape. In the first quarter, GRIT tracked 849 total publicly posted ransomware victims claimed by 29 different threat groups.

GRIT’s latest Ransomware Quarterly Report shows a 27% increase in public ransomware victims compared to Q1 2022, and a 25% increase from Q4 2022. Manufacturing, Technology, Education, Banking and Finance, and Healthcare organizations continue to represent the majority of publicly posted ransomware victims. LockBit remains the most prolific ransomware threat group, and the rapid and widespread exploitation of a file-sharing application vulnerability brought Clop into a leading position. Vice Society remains the most impactful group targeting the education sector, supporting the assertion that some groups maintain a consistent targeting profile.

GRIT’s analysis shows an increase in the use of novel coercive tactics by numerous prolific ransomware groups that follow the "double extortion" model of operations, where the ransomware operators not only encrypt files on corrupted networks and hosts, but also exfiltrate data. The ransomware groups then leverage the threat of leaking data to the public to coerce compliance with ransom demands. Specifically, threat groups including AlphV and Medusa have been observed releasing targeted sensitive data, including graphic images related to medical treatment, in an effort to place more pressure on victims to consider payment.

“Based on what we’ve observed during Q1, we assess that more advanced ransomware threat actors will increasingly deploy novel coercive techniques, particularly as the fallout of existing instances generates media coverage and civil lawsuits against affected organizations,” said Drew Schmitt, GRIT Lead Analyst. “We can make this assessment based on the increased prevalence of these techniques in open source reporting and internal research, as well as our technical and professional understanding of business risk as it pertains to ransomware events.”

Key Highlights of the Report:

  • Additional observed coercive measures have included Distributed Denial of Service (DDoS) attacks and selective public leaks designed to generate media attention and cause reputational damage to organizations.
  • "Exfiltration-only" ransomware attacks have also increased slightly, where a known Ransomware threat actor has been unable to encrypt a victim's network, but has continued with the extortion process, relying solely on the leverage of data they have successfully exfiltrated.
  • The Top 5 most active Ransomware Threat Actors are: LockBit, Clop, AlphV, Royal and BianLian
  • While Manufacturing and Technology continue to be the most impacted sectors, observed victims in the legal industry increased 65% from Q4 2022 to Q1 2023, from 23 to 38, with 70% consistently attributed to the most prolific "double-extortion" model ransomware groups – LockBit, AlphV, Royal, and BlackBasta.
  • The education sector had a 17% increase in publicly posted victims from Q4 2022 to Q1 2023, with Vice Society accounting for 27% of all education based activity.

GRIT’s ransomware trends and analysis reporting is an example of the curated threat intelligence, based on both OSINT and proprietary threat research sources, that the team regularly produces in numerous formats. The latest format available as a Threat Feed which allows customers to incorporate high quality, actionable threat intelligence into their tools and processes to enhance their existing cybersecurity program.

The GRIT Threat Feed is designed to help SOC and IR teams prevent and respond to threats such as Phishing Attacks, Malware Loaders, eCrime Trojans, Ransomware, Hacking Tools and Utilities. It includes a curated dataset that focuses on providing critical intelligence of the following types:

  • Domains and Subdomains
  • IP Addresses
  • Hashes (MD5, SHA1, SHA356)
  • URLs
  • Email Addresses
  • File/Registry Paths

Intelligence provided via the GRIT threat feed undergoes a rigid curation process by GRIT analysts to ensure that only the highest fidelity, enriched intelligence is fed into an organization’s cybersecurity tools and processes to identify, prioritize, and respond to active threats within the environment. The GRIT Threat Feed provides a consolidated data source that can be consumed by any tool or process that supports STIX/TAXII.

For more information on GRIT’s 2023 Q1 Ransomware Report or on the GRIT Feed:

About GuidePoint Security

GuidePoint Security provides trusted cybersecurity expertise, solutions and services that help organizations make better decisions that minimize risk. Our experts act as your trusted advisor to understand your business and challenges, helping you through an evaluation of your cybersecurity posture and ecosystem to expose risks, optimize resources and implement best-fit solutions. GuidePoint’s unmatched expertise has enabled a third of Fortune 500 companies and more than half of the U.S. government cabinet-level agencies to improve their security posture and reduce risk. Learn more at


Danielle Ostrovsky