Ransomware Attacks

An outline of what Ransomware attacks are and how to avoid

Uploaded by

amesaros

A BLACK KITE RESEARCH REPORT

RANSOMWARE THREAT LANDSCAPE REPORT
RANSOMWARE RESURGENCE 2023
EMERGING TRENDS, THREAT ACTORS, AND CYBERSECURITY STRATEGIES

EXECUTIVE SUMMARY

Among all cyber threats, ransomware groups continue to evolve into formidable adversaries, causing significant financial and operational disruptions.

This Ransomware Threat Landscape: Ransomware Resurgence 2023 report examines the evolving landscape of ransomware attacks from April 1, 2022, to March 31, 2023. The analysis includes 2,708 ransomware victims whose names were publicized by ransomware groups on their underground blogs. The report delves into the targeted industries, countries, and ransomware groups involved in these attacks, as well as the victims' Ransomware Susceptibility Index™ (RSI™) values.

Although the overall number of ransomware attacks did not increase significantly until 2023, a resurgence in February and March 2023 was observed, with new ransomware gangs emerging and established players executing mass-ransomware attacks. The top targeted industries during this period were Manufacturing, Professional, Scientific, and Technical Services, and Educational Services. The United States remained the top targeted country, followed by the UK, Germany, Canada, and France.

PREPARED BY
Black Kite Research

HEAD OF RESEARCH
Ferhat Dikbiyik
KEY TAKEAWAYS
- Ransomware attacks resurged in early 2023, with new players such as Royal, BianLian, and Play ransomware gangs joining the field and major players like LockBit and Clop executing mass-ransomware attacks.
- The top targeted industries were Manufacturing (19.5%), Professional, Scientific, and Technical Services (15.3%), and Educational Services (6.1%).
- The United States was the top targeted country, accounting for 43% of victim organizations, followed by the UK (5.7%) and Germany (4.4%).
- Ransomware groups tended to target companies with annual revenues of around $50M to $60M, with third-party vendors often being targeted for client information extortion.
- The top ransomware groups during the analysis period included LockBit (29%), AlphaVM (BlackCat) (8.6%), and Black Basta (7.2%).
- Encryption-less ransomware is on the rise, underscoring the importance of data protection and regulatory compliance in addition to addressing business interruption risks posed by traditional encryption-based attacks.
- Over 70% of ransomware victims had an RSI™ value above the high-risk threshold (0.4), indicating their susceptibility to ransomware attacks.
- Common ransomware indicators among victims included poor email configuration, recent credential leaks, public remote access ports, out-of-date systems, and IP addresses with botnet activity.

By understanding these key insights, organizations can better prepare and defend against the ever-evolving threat of ransomware attacks.

NAVIGATING THE RANSOMWARE LANDSCAPE IN 2023

The dynamic and often unpredictable nature of cyber threats poses a constant challenge for organizations worldwide. Among these threats, ransomware groups continue to evolve into formidable adversaries, causing significant financial and operational disruptions. In recent years, ransomware groups have adapted their tactics, honed their targeting methodologies, and exploited vulnerabilities in third-party vendors to maximize their profits.

These groups have taken on the characteristics of a tech company, adopting a mentality geared towards expanding their illicit businesses. This rapid evolution of cybercriminals creates a challenging and uneven playing field for cybersecurity professionals tasked with defending organizations against ransomware attacks.

This report aims to provide valuable insights into the current state of ransomware attacks and equip cybersecurity professionals with crucial information to combat these resourceful adversaries.

Through a detailed analysis of 2,708 ransomware victims publicized by ransomware groups between April 1, 2022, and March 31, 2023, we have identified key trends, targeted industries, and countries, as well as the prominent ransomware groups behind these attacks. Additionally, we delve into the Ransomware Susceptibility Index™ (RSI™), a parameter developed by Black Kite, which computes the likelihood of an organization experiencing a ransomware attack.

By understanding the complexities of the ransomware landscape in 2023, recognizing the patterns of these cybercriminals, and acknowledging the challenges faced by cybersecurity professionals, organizations can make informed decisions about their cybersecurity strategies, invest in the right defenses, and ultimately reduce their susceptibility to ransomware attacks.

We hope that the information, statistics, and insights provided in this report will empower and aid cybersecurity professionals in their ongoing battle against cybercrime.



RANSOMWARE ATTACK TRENDS: A YEAR OF UPS AND DOWNS

Throughout 2022, ransomware attacks experienced a period of relative stagnation as several major ransomware groups were shut down, and various external factors contributed to a decrease in attack frequency:

- International sanctions due to the Russian invasion of Ukraine, hindering ransom money movement and resource investment in Western countries.
- Increased pressure from law enforcement and successful joint operations against ransomware groups in 2021 and 2022, leading to heightened caution among cyber criminals.
- A general lack of ransom coverage in cyber insurance policies, discouraging ransom payments.
- The knowledge that paying a ransom does not guarantee the threat actor will refrain from publishing sensitive records, leaving organizations vulnerable to regulatory fines regardless of payment.

However, the ransomware landscape experienced a notable uptick in February and March of 2023:

- Emergence of new ransomware gangs such as Royal, BianLian, and Play, with some like Karakurt and BianLian adopting encryption-less tactics.
- Mass ransomware attacks executed by major players like LockBit and Clop.

The number of ransomware victims announced in March 2023 was nearly double that of April 2022 and 1.6 times higher than the peak month in 2022, signaling a dramatic increase in ransomware activity.

The following chart (Chart 1) visually illustrates the fluctuating pattern of ransomware attacks over the year, emphasizing the significant rise in recent months. This trend underscores the importance of remaining vigilant in the face of an ever-evolving threat landscape and adapting cybersecurity strategies accordingly.

CHART 1: NUMBER OF VICTIMS ANNOUNCED BY RANSOMWARE GROUPS (figure not reproduced; y-axis: # of victims announced by ransomware groups)



INDUSTRY INSIGHTS: RANSOMWARE GROUPS' FOCUS AND EVOLVING LANDSCAPE

Our analysis reveals the distribution of ransomware victims across various industries*, shedding light on the areas of focus for cybercriminals and the evolving threat landscape (Chart 2).

Based on these findings, we can provide the following insights:

- Manufacturing and Professional, Scientific, and Technical Services together account for nearly 35% of all ransomware victims, making these industries particularly attractive targets for cybercriminals. This could be attributed to the wealth of valuable intellectual property and sensitive data held by organizations in these sectors.
- Educational Services, Retail Trade, and Health Care and Social Assistance together represent around 17% of ransomware victims. Organizations in these industries often hold sensitive personal information, making them lucrative targets for ransomware groups seeking to extort money.
- Industries such as Wholesale Trade, Finance and Insurance, and Public Administration make up a smaller portion of total ransomware victims, but still require close attention. The finance sector, for example, faces inherent risks due to the high value of the financial data it possesses, while public administration entities may be targeted for political reasons or to disrupt essential services.

Additionally, our trend analysis (Chart 3) indicates that (1) Educational Services, (2) Wholesale Trade, and (3) Administrative, Support, Waste Management, and Remediation Services are emerging as trending industries for ransomware attacks. This suggests that ransomware groups are expanding their focus and adapting their tactics to exploit vulnerabilities in a broader range of sectors.

Based on these insights, organizations should assess their industry's risk profile and tailor their cybersecurity strategies accordingly. Being aware of the specific vulnerabilities and motivations behind targeting certain industries can help organizations better prepare for and mitigate the risks associated with ransomware attacks.

*We use the North American Industry Classification System (NAICS) codes for industry classifications in this analysis.

CHART 2: NUMBER OF RANSOMWARE VICTIMS IN THE LAST 12 MONTHS BY INDUSTRY (figure not reproduced)

CHART 3: TRENDING INDUSTRIES IN RANSOMWARE (figure not reproduced)



GEOGRAPHIC HOTSPOTS: RANSOMWARE ATTACKS ACROSS THE GLOBE

Our analysis of the geographic distribution of ransomware victims (Chart 4) reveals key insights regarding the countries most heavily targeted by ransomware groups. Here are some important observations:

- The United States leads as the top targeted country, accounting for a staggering 43% of all victim organizations. The prominence of US-based victims could be attributed to the country's wealth, a large number of organizations with valuable data, or the potential for larger ransom payouts.
- European countries also experienced a significant number of attacks, with the UK, Germany, France, Italy, and Spain together making up around 20% of total victims. This highlights that ransomware groups are actively targeting organizations across Europe, capitalizing on the region's economic importance and interconnected industries.
- Other countries such as Canada, Australia, India, and Brazil are not immune to the threat, with each experiencing a smaller but still notable percentage of ransomware attacks.
- The remaining attacks are distributed across 111 different countries, with fewer than 35 victims per country. This demonstrates the global reach of ransomware groups and the need for organizations in all regions to prioritize cybersecurity.

Understanding the geographic distribution of ransomware attacks can provide valuable insights for organizations looking to strengthen their defenses against this evolving threat. By recognizing the countries and regions most heavily targeted, organizations can assess their risk profile based on their location and implement appropriate security measures to counter potential ransomware attacks.

CHART 4: NUMBER OF RANSOMWARE VICTIMS IN THE LAST 12 MONTHS BY COUNTRY (figure not reproduced)



RANSOMWARE TARGETS: REVENUE PROFILE AND RELUCTANCE TO ATTACK LARGE ORGANIZATIONS

Our analysis of ransomware victims' annual revenue distribution (Chart 5), along with factors that influence ransomware groups' targeting decisions, reveals insightful patterns about the types of organizations frequently targeted. Here are some key findings:

- Ransomware groups often target companies with annual revenues of around $50M to $60M, as they may have the financial resources to pay ransoms but potentially lack the robust security measures of larger corporations.
- Large organizations with high annual revenues (e.g., more than $100B) are targeted less frequently.
- Smaller organizations with lower revenues are targeted as third-party vendors, allowing ransomware groups to obtain valuable client information for extortion purposes, such as the LockBit ransomware group's alleged attack on a small CNC/Laser cutting vendor to obtain SpaceX engineering drawings.
- According to our Third-Party Breach Report published in January 2023, ransomware ranks as the second most common root cause of data breaches caused by third parties.

OPINION: HEAD OF RESEARCH, FERHAT DIKBIYIK
Why are Ransomware Groups Reluctant to Target Very Large Organizations?

Ransomware groups are often reluctant to target large organizations for several reasons. Large organizations have extensive security infrastructure and resources to combat ransomware threats, but this is not the only reason for the reluctance of ransomware groups.

Ransomware groups may avoid targeting large organizations to prevent significant disruptions that could draw nationwide attention, unwanted publicity, and increased likelihood of a strong law enforcement response.

High-profile attacks on large organizations, such as Lapsus$ targeting Nvidia with political motivations, are exceptions rather than the norm, as they can draw unwanted attention and prompt stronger countermeasures.

Unintended consequences, like the Stormous and LockBit ransomware group's recent attack on a hospital's IT system, may lead to apologies from ransomware groups to avoid further scrutiny.

The Colonial Pipeline attack by the DarkSide ransomware group serves as a cautionary tale, reinforcing the tendency of ransomware groups to avoid targeting large organizations and causing significant disruptions.

Ransomware groups often target smaller organizations or third-party vendors to minimize the risks of attracting unwanted attention and law enforcement responses. By understanding ransomware groups' motivations and reluctance to target large organizations, we can better prepare and protect against the threat landscape.

CHART 5: ANNUAL REVENUE DISTRIBUTION OF RANSOMWARE VICTIMS (figure not reproduced)



TOP 13 RANSOMWARE GROUPS AND KEY EVENTS: A 12-MONTH ANALYSIS

Our analysis of the top ransomware groups and their activities over the past 12 months sheds light on the changing threat landscape and reveals important events that have shaped the ransomware ecosystem.



ONE: LOCKBIT (2.0 & 3.0)
LOCKBIT'S DOMINANCE, TARGET PREFERENCES, AND TTPS

LockBit ransomware group, responsible for 29% of attacks during this period, remains the top ransomware group. Its transition from LockBit 2.0 to LockBit 3.0 in June-July 2022 highlights its ongoing evolution and expansion.

The group mainly targets companies with annual revenues between $40M and $80M, accounting for 60% of its victims. They primarily focus on organizations in the US and Europe, across 75 different countries. Manufacturing and Professional, Scientific, and Technical Services are the top industries targeted, comprising 21% and 19% of its victims, respectively.

LockBit's main TTPs include:

- Exploiting software vulnerabilities using exploit kits, such as unauthenticated remote command execution vulnerabilities in F5's BIG-IP, remote code execution vulnerabilities in Microsoft Exchange Server, vulnerabilities in the Windows Print Spooler service, and vulnerabilities in the Windows Server Message Block (SMB) protocol.
- Utilizing phishing emails to deliver the ransomware payload.
- Employing Remote Desktop Protocol (RDP) to gain access to victims' computers.

LockBit's sophistication and organization are evident through its dedicated teams of hackers and operators responsible for ransomware development, deployment, and negotiation with victims. The group views ransom demands as payments for their "post-paid services" and sees itself as a business rather than a criminal operation*.

In a record-breaking incident this year, LockBit demanded an $80 million ransom from the UK's largest shipping organization. After the ransom was rejected, the group leaked files and negotiation chat history, showcasing their determination and ruthlessness.

*This is a statement based on an interview with the leader of the LockBit group and published negotiation chats.



TWO: ALPHAVM (BLACKCAT)
RUNNER-UP

Responsible for 8.6% of attacks, AlphaVM (BlackCat), also known as AlphaV, LPHV, ALPHV-ng, or Noberus, ranks as the second most active ransomware group over the past 12 months. Emerging in November 2021, BlackCat is an apparent descendant of the BlackMatter (a possible rebrand of DarkSide) ransomware group.

BlackCat possesses the knowledge to exploit various vulnerabilities, including a privilege escalation vulnerability in older versions of Microsoft Windows, an SQL injection vulnerability in SonicWall Secure Remote Access devices, and critical vulnerabilities known as ProxyShell in Microsoft Exchange Server.

According to our analysis, 55% of BlackCat's victims are U.S. organizations, with the full victim list spanning 44 different countries. The group primarily targets Professional, Scientific, and Technical Services (27% of its victims) and Manufacturing (12%). Over half of its victims report annual revenues between $40M and $70M.

THREE: BLACK BASTA
KEY STATS AND TACTICS

Black Basta, a ransomware-as-a-service (RaaS) group responsible for 7.2% of attacks, emerged in early 2022. The group employs double-extortion tactics and tools like the Qakbot trojan and the PrintNightmare vulnerability.

Notably, the American Dental Association fell victim to an attack, with its stolen data later appearing on Black Basta's leak site. Black Basta has also developed a Linux build of its ransomware capable of encrypting VMware ESXi virtual machines.

The group's activities are concentrated within 15 countries, with 67% of victims in the U.S. and 31% in Europe. Manufacturing (39%) and Retail Trade (16%) are the most targeted industries, and 60% of its victims report annual revenues between $40M and $70M.

FIGURE: NUMBER OF RANSOMWARE VICTIMS WITH THE TIMELINE OF THREAT ACTORS (figure not reproduced)



FOUR: CLOP
RESURFACING WITH MASS-RANSOMWARE ATTACKS

Clop ransomware group, responsible for 4.8% of attacks, has been active since at least 2019. The group resurfaced in March 2023, launching a mass-ransomware campaign that exploited a high-severity Fortra GoAnywhere vulnerability. In March alone, they announced over 100 victims. Previously, in December 2020, they exploited an Accellion FTA zero-day vulnerability, stealing data from approximately 100 companies.

High-profile victims include energy giant Shell, supermarket chain Kroger, cybersecurity firm Qualys, and several universities worldwide. In June 2021, an international law enforcement operation, Operation Cyclone, led to the arrest of six money launderers linked to the group.

Clop focuses on hit-and-run mass-ransomware attacks, exploiting large-scale vulnerabilities without targeting specific organizations. Their exploitation of the Accellion vulnerability in 2020 and the GoAnywhere vulnerability in 2023 demonstrates their opportunistic approach, which also explains their on-and-off presence in the ransomware landscape.

FIVE: ROYAL
A NEW PLAYER IN TOWN

Initially dubbed "Zeon" before its rebranding to "Royal" in September 2022, the Royal ransomware group has quickly gained traction, accounting for 4.8% of attacks. Backed by Conti threat actors, Royal uses a mix of old and new techniques, including callback phishing and intermittent encryption.

Most of Royal's victims are U.S. companies (66%), followed by European companies (22%). The top targeted industry is Professional, Scientific, and Technical Services (23%). A majority of victims have annual revenues between $40M and $70M. The group has swiftly adapted to new tactics, developing Linux-based variants targeting ESXi servers, impacting enterprise data centers and virtualized storage.



SIX: HIVE
RISE AND FALL OF A PROMINENT RANSOMWARE GROUP

Hive ransomware group, responsible for 3.9% of attacks, was launched in June 2021 as a Ransomware-as-a-Service operation. It quickly became one of the most active ransomware groups, extorting around $100 million from over 1,500 companies. Hive's well-known attack on Lake Charles Memorial Health System in October 2022 resulted in a data breach affecting almost 270,000 people.

In January 2023, an international law enforcement operation shut down Hive by seizing its Tor websites. Although no arrests were made, the operation secretly hacked the group's servers in July 2022, monitoring communications, intercepting decryption keys, and helping victims with free decryptors. This dealt a significant blow to a prominent player in the cybercrime space, preventing $100 million in ransom payments.

SEVEN: VICE SOCIETY
FOCUSED ON EUROPE AND EDUCATION

Accounting for 3.6% of attacks, Vice Society stands apart from other top ransomware groups mentioned in the report, as it primarily targets European organizations and the Education sector. Initially known for exploiting the PrintNightmare vulnerability and deploying ransomware variants like Hello Kitty/Five Hands and Zeppelin, the group has since developed its custom ransomware builder and adopted more robust encryption methods. These advancements may indicate that Vice Society is preparing to launch its Ransomware-as-a-Service (RaaS) operation.

With 43% of its victims in the Education sector, Vice Society also targets Professional, Scientific, and Technical Services, Manufacturing, and Public Institutions. Half of its victims are European organizations, while 32% are in the U.S.

FIGURE: INDUSTRY DISTRIBUTION OF VICTIMS FOR EACH RANSOMWARE GROUP (figure not reproduced)



EIGHT: BIANLIAN
SWIFT RISE AND ENCRYPTION-LESS EXTORTION

Emerging in July 2022, BianLian ransomware group quickly accounted for 3.6% of attacks. The group soon shifted focus from encrypting files to an encryption-less extortion model, threatening to leak stolen data instead. BianLian commonly targets the ProxyShell vulnerability chain, SonicWall VPN devices, and remote network access solutions like Remote Desktop.

The group predominantly targets the Manufacturing (24%) and Healthcare (15%) sectors. Although victims have been reported in 18 different countries, 62% are located in the U.S., followed by 11% in Europe.

NINE: KARAKURT
DATA EXTORTION ARM OF CONTI SYNDICATE

Responsible for 2.6% of attacks, Karakurt ransomware group increased its activity around October 2022. Like BianLian, Karakurt focuses solely on data theft and extortion, auctioning or leaking stolen data if the ransom is not paid. According to several reports, Karakurt is operationally linked to both Conti and Diavol ransomware groups.

Karakurt, active since June 2021, began actively extorting in September 2021, targeting many organizations across multiple industries within two months. While the group has targeted victims in 20 countries in the last 12 months, 62% are located in North America. Although 26% of victims are in Manufacturing, Karakurt shows no specific industry preference.

OPINION: THE RISE OF ENCRYPTION-LESS RANSOMWARE, A NEW CHAPTER IN CYBER EXTORTION

Ransomware attacks have long dominated the cybersecurity landscape. However, a new trend is emerging: encryption-less ransomware. Some ransomware groups, such as BianLian and Karakurt, have shifted their focus to holding data hostage without resorting to encryption.

Why the change in tactics? As regulatory fines on data protection increase, data breaches become an attractive target for ransomware operators. By threatening to leak sensitive data, they can pressure victims to pay the ransom, even if they have strong backup and recovery systems in place. Ransomware groups may also want to avoid causing unintended business interruption and attracting unwanted international law enforcement attention by disrupting critical infrastructure.

To address this evolving threat landscape, ransomware prevention now requires a dual approach. Organizations must both ensure robust backup and recovery processes and prioritize data protection to avoid regulatory penalties and reputational damage.

TEN: PLAY
EMERGING RANSOMWARE GROUP TARGETING EUROPE

Appearing in June 2022 and becoming more visible in November 2022, Play ransomware group is responsible for 2.4% of attacks. The group has targeted numerous organizations, including the City of Oakland, Antwerp, H-Hotels, Rackspace, Arnold Clark, and A10 Networks. Play's behavior and tactics resemble those of Hive and Nokoyawa ransomware, using similar file names and paths for their tools and payloads.

Play's infection chain includes exploiting compromised valid accounts or unpatched Fortinet SSL VPN vulnerabilities to access organizational networks. By the end of December 2022, Play was observed exploiting two ProxyNotShell vulnerabilities in Microsoft Exchange for initial access. Notably, Play has announced more victims in Europe than the U.S., with 52% of victims located in Europe.

ELEVEN: AVOSLOCKER
RAAS-FORWARD

Accounting for 2.0% of attacks, AvosLocker is an affiliate-based Ransomware-as-a-Service (RaaS) group. The FBI issued a warning in March 2022 about the group targeting victims across multiple critical infrastructure sectors in the United States, including Financial Services, Critical Manufacturing, and Government Facilities.

In June 2022, the group exploited a remote code execution (RCE) vulnerability in Atlassian Confluence Server and Data Center instances for initial access. Later, in December 2022, Kroll identified new tactics targeting backup systems used by AvosLocker-associated threat actors. They attempted to leverage vulnerabilities in Veeam Backup and Replication software (CVE-2022-26500 and CVE-2022-26501) for possible data exfiltration. AvosLocker has announced more victims in the Education sector than any other industry, with over 70% of victims located in the U.S.

FIGURE: REGIONAL DISTRIBUTION OF VICTIMS FOR EACH RANSOMWARE GROUP (figure not reproduced)



TWELVE: CONTI
A DISMANTLED CYBERCRIME SYNDICATE

Responsible for 1.7% of attacks, Conti ransomware group shut down its operations in June 2022 after a data leak caused by a rival group, and rebranded into smaller units. Conti is a Russian ransomware operation, originally launched in the summer of 2020. They quickly gained notoriety for their high-profile attacks against the City of Tulsa, Broward County Public Schools, Advantech, Ireland's Health Service Executive (HSE), and the Department of Health (DoH). Over time, Conti evolved into a cybercrime syndicate, taking over the development of various malware operations, including TrickBot and BazarBackdoor.

In May 2022, Conti began shutting down its operations while leaving behind a facade of an active operation. However, the Conti brand's shutdown did not signal the end of the cybercrime syndicate. Instead, the gang members split into smaller cells that infiltrated or took over other ransomware operations, remaining loyal to the central syndicate managed by a small group of managers. By spreading members among multiple groups, the operation became more resilient against law enforcement takedowns.

Now, former Conti members are known to be involved in various ransomware gangs, including Hive, AvosLocker, BlackCat, Hello Kitty, and the revitalized Quantum operation. Additionally, some members have launched their own data extortion operations that do not encrypt data, such as Karakurt and the Bazarcall collective.

THIRTEEN: BLACKBYTE
ANOTHER CONTI-RELATED GROUP

Accounting for 1.7% of attacks, BlackByte ransomware group, like Karakurt, emerged from Conti's data extortion arm. Unlike Karakurt, the group still operates with double extortion. BlackByte ransomware group emerged in summer 2021 and has since targeted organizations across various industries, including critical infrastructure in the United States. The group's recent attacks exploit last year's ProxyShell and ProxyLogon flaw sets in Microsoft Exchange servers, using tools like AdFind, AnyDesk, NetScan, and PowerView for lateral movement.

BlackByte employs version 2.0 of the ransomware, which removes Kernel Notify Routines to bypass EDR protections, as revealed in an October report by Sophos. The group follows typical ransomware tactics, such as deleting volume shadow copies to prevent easy data restoration, modifying firewall settings to allow remote connections, and injecting itself into a "scvhost.exe" instance for the encryption phase. BlackByte has a broad target range, with 42% of its victims in the last 12 months located in the U.S. and 27% in Europe, spanning various industries.

FIGURE: ANNUAL REVENUE DISTRIBUTION OF VICTIMS FOR EACH RANSOMWARE GROUP (figure not reproduced)



IN SUMMARY
TOP RANSOMWARE GROUPS AND KEY EVENTS: A 12-MONTH ANALYSIS

In summary, the ransomware landscape remains a significant and evolving threat to organizations across industries and regions. The top ransomware groups, as discussed in the subsections above, showcase the diverse tactics, attack vectors, and targeted sectors. Despite the differences in their approaches, these groups share a common goal of causing significant disruption and financial gain.

The table provided offers a comprehensive overview of the most targeted industries, regions, and annual revenue ranges for each group, highlighting the importance of understanding the specific threats posed by these groups. Organizations need to stay informed about these evolving threats and adopt proactive cybersecurity measures to mitigate the risks associated with ransomware attacks.

Overall, it is crucial for businesses to prioritize security, continuously update and patch their systems, and invest in employee education to prevent these ransomware groups from causing further damage. As these groups continue to adapt their tactics and focus on new targets, the collaboration between organizations, cybersecurity professionals, and law enforcement will be essential in combating the growing ransomware threat.

Ransomware Group     | Most Targeted Industry                           | Most Targeted Region | Most Targeted Annual Revenue
LockBit (2.0 & 3.0)  | Manufacturing                                    | North America        | ($50M-$60M]
AlphaVM (BlackCat)   | Professional, Scientific, and Technical Services | North America        | ($40M-$50M]
Black Basta**        | Manufacturing                                    | North America        | ($50M-$60M]
Royal**              | Professional, Scientific, and Technical Services | North America        | ($40M-$50M]
Hive*                | Manufacturing                                    | North America        | ($40M-$50M]
Vice Society         | Educational Services                             | Europe               | ($70M-$80M]
BianLian**           | Manufacturing                                    | North America        | ($50M-$60M]
Karakurt             | Manufacturing                                    | North America        | ($50M-$60M]
Royal**              | Professional, Scientific, and Technical Services | North America        | ($40M-$50M]
Play**               | Professional, Scientific, and Technical Services | Europe               | ($30M-$40M]
AvosLocker           | Educational Services, Distributed                | North America        | ($40M-$50M]
Conti*               | Manufacturing                                    | North America        | ($80M-$90M]
BlackByte            | Distributed                                      | North America        | ($50M-$60M]

(*) Inactive
(**) Appeared in the last 12 months



RANSOMWARE INDICATORS IN VICTIMS - BLACK KITE INSIGHTS

Black Kite is a vendor risk intelligence platform that continuously monitors hundreds of thousands of companies from an outside-in, hacker-perspective mindset to provide an external cyber risk assessment for organizations and their vendors.

By leveraging the insights obtained from Black Kite, we have analyzed the ransomware indicators in victims (Chart 6) to identify common vulnerabilities that ransomware groups exploit. Understanding these indicators can help organizations identify potential weaknesses and take preventive measures to protect their systems and networks against ransomware attacks.

Poor Email Configuration (67%): A significant majority of victims had poor email configurations, such as missing DMARC records. This can lead to successful phishing and spear-phishing campaigns, allowing attackers to gain an initial foothold in the organization's network. Ensuring proper email configurations, including implementing DMARC, DKIM, and SPF, is essential in mitigating the risk of email-based attacks.

Leaked Credentials (62%): More than half of the victims had at least one credential leaked in the 90 days preceding the attack. Leaked credentials can provide attackers with easy access to systems and networks, enabling them to bypass security controls and move laterally within the organization. Regular monitoring for leaked credentials and implementing strong password policies, multi-factor authentication, and employee education can help prevent unauthorized access.

Public Remote Access Ports (42%): A significant number of victims had at least one public remote access port open. Open remote access ports can expose organizations to attacks, as cybercriminals can exploit these vulnerabilities to gain unauthorized access to systems and networks. Regularly scanning for open ports, restricting remote access to necessary personnel, and using VPNs with strong authentication can reduce the risk of unauthorized access.

Out-of-date Systems (31%): Nearly a third of the victims had publicly visible out-of-date systems with potential critical vulnerabilities. Outdated systems can be easily exploited by attackers, who take advantage of known vulnerabilities to infiltrate networks and deliver ransomware payloads. Regularly updating and patching systems, prioritizing critical vulnerabilities, and maintaining a robust vulnerability management program can help organizations stay protected against ransomware attacks.

Organizations must be aware of these ransomware indicators and take proactive measures to address the vulnerabilities. By doing so, they can significantly reduce the risk of falling victim to ransomware attacks and minimize the impact on their operations, reputation, and bottom line. It's crucial to note that many ransomware victims are also third-party vendors of other organizations.

Monitoring ransomware indicators on third parties is equally important, as it helps reduce the likelihood of being targeted by ransomware due to a compromised third-party vendor. Implementing a comprehensive third-party risk management program, including continuous monitoring of vendors' cybersecurity posture, can help organizations better understand and mitigate the risks associated with their supply chain and protect their sensitive data and systems.
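As an added illustration (not Black Kite's own scoring logic), the following Python checks a constructed external-view snapshot of one fictional organization for the four indicators above: SPF and DMARC TXT records for the email check, exposed ports against an assumed remote-access port set, credential leaks within the report's 90-day window, and a list of outdated services assumed to be identified upstream. Every name, port list and sample value is an assumption made for this example.

```python
from datetime import date
import re
# Ports commonly used for remote administration; an assumed set, not Black Kite's list.
REMOTE_ACCESS_PORTS = {22, 23, 3389, 5900, 5985, 5986}

def email_findings(domain, txt_records):
    """'Poor email configuration': missing/permissive SPF, missing or p=none DMARC."""
    out = []
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        out.append("no SPF record")
    elif spf[0].split()[-1] in ("all", "+all"):  # pass-qualified 'all' lets anyone send
        out.append("SPF ends in +all")
    dmarc = [r for r in txt_records.get("_dmarc." + domain, []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        out.append("no DMARC record")
    else:
        policy = re.search(r"\bp=(\w+)", dmarc[0], re.IGNORECASE)
        if policy is None or policy.group(1).lower() == "none":
            out.append("DMARC policy is p=none")
    return out

def remote_port_findings(open_ports):
    """'Public remote access ports': any exposed port from the remote-access set."""
    return [f"public remote access port {p}" for p in sorted(set(open_ports) & REMOTE_ACCESS_PORTS)]

def leaked_credential_findings(leak_dates, as_of, window_days=90):
    """'Leaked credentials': leaks observed in the 90 days before the reference date."""
    recent = [d for d in leak_dates if 0 <= (as_of - d).days <= window_days]
    return [f"{len(recent)} credential leak(s) in the last {window_days} days"] if recent else []

def assess(snapshot):
    """Return only the indicators that fire, each with its detail lines."""
    findings = {
        "poor_email_configuration": email_findings(snapshot["domain"], snapshot["txt_records"]),
        "leaked_credentials": leaked_credential_findings(snapshot["credential_leaks"], snapshot["as_of"]),
        "public_remote_access_ports": remote_port_findings(snapshot["open_ports"]),
        # Matching service banners to known vulnerabilities is assumed to happen upstream.
        "out_of_date_systems": [f"outdated service: {s}" for s in snapshot["outdated_services"]],
    }
    return {k: v for k, v in findings.items() if v}
# Constructed external-view snapshot of a fictional organization (not real data).
SAMPLE_SNAPSHOT = {
    "domain": "example.com",
    "txt_records": {"example.com": ["v=spf1 include:_spf.example.net ~all"]},  # no _dmarc record
    "open_ports": [443, 3389],
    "credential_leaks": [date(2023, 1, 10)],
    "outdated_services": ["Apache/2.2.34"],
    "as_of": date(2023, 3, 1),
}
```

Running `assess(SAMPLE_SNAPSHOT)` fires all four indicators for this snapshot; a domain with SPF `-all` and a DMARC record at `p=reject` produces no email finding.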

[Chart 6: Ransomware indicators in victims. Poor email configuration 67%; leaked credentials 62%; public remote access ports 42%; out-of-date systems 31%.]

HOW SUSCEPTIBLE WERE RANSOMWARE VICTIMS BEFORE THE ATTACK?

In today's rapidly evolving threat landscape, organizations must remain vigilant against the growing risk of ransomware attacks. Black Kite's Ransomware Susceptibility Index™ (RSI™) is a valuable metric designed to assess the likelihood of an organization experiencing a ransomware attack.

By analyzing various indicators such as open critical ports, vulnerabilities with remote code execution, leaked credentials, email security, phishing/fraudulent domains, endpoint security, susceptibility following a ransomware incident, company country, company size, and company industry, RSI™ offers crucial insights into potential weaknesses and helps organizations prioritize their cybersecurity efforts.

When examining ransomware victims' RSI™ values (Chart 7), 716 received a value between 0.2 and 0.4, 1,227 received a value between 0.4 and 0.6, 542 received a value between 0.6 and 0.8, and 138 received a value between 0.8 and 1.0. Over 70% of these victims had an RSI value above the high-risk threshold of 0.4, with many over the critical threshold of 0.6, highlighting the importance of proactively addressing vulnerabilities.

Most victims who received low RSI values (e.g., below 0.4) are companies with very limited external-facing assets.

However, it is important to note that our methodology has its limits; we can only assess internet-facing assets, and we cannot account for some other ransomware attack vectors such as obtaining access information through social engineering with personal communication channels or insider threats.

It is crucial to note that many ransomware victims are also third-party vendors for other organizations. Monitoring ransomware indicators on third parties is essential to reduce the risk of being targeted by ransomware due to a third-party vendor's vulnerabilities.

Take advantage of Black Kite's vendor risk intelligence platform and RSI™ metric to significantly reduce your organization's likelihood of falling victim to ransomware attacks, ensuring the protection of your critical data and operations. Gain valuable insights into your risk exposure and take the necessary steps to safeguard your organization against ransomware attacks. Don't leave your organization's cybersecurity to chance.

REQUEST A FREE RSI™ RATING
Take action now.

[Chart 7: RSI™ distribution of ransomware victims.]

RANSOMWARE PREVENTION AND RESPONSE:
RECOMMENDATIONS FOR ORGANIZATIONS
Ransomware attacks are evolving, and it is crucial to understand that they involve both data encryption and data breaches. Data encryption can
cause significant business interruption, especially if proper backups are not in place or if recovering systems from backups takes a substantial
amount of time. Furthermore, with the increasing regulatory fines for data protection breaches, data breaches can result in substantial financial
penalties for companies.

Ransomware groups are well aware of this and leverage this information during negotiations. Some groups, like BianLian and Karakurt, have even
shifted towards encryption-less ransomware, focusing more on holding data hostage.

With this in mind, we provide recommendations for several phases to help organizations better prepare for, respond to, and recover
from ransomware attacks.

PREVENTION AND MINIMIZING RANSOMWARE RISK
INTERNAL SECURITY MEASURES FOR RANSOMWARE PREVENTION

Monitor your Ransomware Indicators
Keep track of your ransomware indicators to avoid being on the radar of ransomware groups. Regularly check for open critical ports, leaked credentials, email security configurations, and phishing/fraudulent domains.

Incident Response Plan
Develop and maintain a comprehensive incident response plan to address potential ransomware attacks, including clear roles and responsibilities, communication protocols, and recovery strategies.

Patch Management
Ensure all systems, applications, and software are up-to-date with the latest patches, focusing on those with known remote code execution vulnerabilities.

Email Security
Strengthen your email security by implementing SPF, DKIM, and DMARC records, and conduct regular security awareness training to educate employees on how to identify and report phishing attempts.

Endpoint Security
Implement strong endpoint security measures, including antivirus and anti-malware software, and consider deploying advanced solutions like micro VMs to prevent malware from spreading.

Data and System Backup
Regularly back up critical data and systems to allow for quick recovery in the event of an attack. Store backups both on-site and off-site, and consider using air-gapped storage for added protection. Test your backup and recovery processes periodically to ensure their effectiveness.

Network Security
Restrict remote access to your network by closing unnecessary ports, using VPNs, and employing strong authentication methods like multi-factor authentication (MFA).

By implementing these internal security measures, you can reduce the likelihood of falling victim to a ransomware attack and minimize the potential damage if an attack does occur.
MITIGATING THIRD-PARTY RANSOMWARE RISK
TO MITIGATE THE RISK OF RANSOMWARE ATTACKS DUE TO THIRD-PARTY VENDORS, ORGANIZATIONS SHOULD:

1. Evaluate the cybersecurity posture of third-party vendors using tools like Black Kite's Ransomware Susceptibility Index™ (RSI™).

2. Require vendors to adhere to industry best practices and implement robust cybersecurity measures.

3. Perform regular audits of vendors' security practices and provide guidance for improvement if necessary.

4. Foster a culture of collaboration and information sharing among vendors to enhance overall cybersecurity.

RESPONDING TO A RANSOMWARE ATTACK
IN THE EVENT OF A RANSOMWARE ATTACK, TAKING IMMEDIATE ACTION IS CRITICAL TO MITIGATE THE DAMAGE.
STEPS TO TAKE WHEN HIT BY A RANSOMWARE ATTACK INCLUDE:

1. Isolate affected systems to prevent the spread of the ransomware.

2. Notify relevant authorities and stakeholders.

3. Engage with cybersecurity experts to assess the situation and explore potential remediation options.

4. Preserve evidence and document the incident for future reference and potential legal actions.

POST-ATTACK RECOVERY
AFTER A RANSOMWARE ATTACK, IT IS CRUCIAL TO LEARN FROM THE EXPERIENCE AND STRENGTHEN YOUR ORGANIZATION'S CYBERSECURITY DEFENSES.
POST-ATTACK STEPS INCLUDE:

1. Conduct a thorough analysis of the incident to identify root causes and vulnerabilities.

2. Implement recommended security measures to prevent similar attacks in the future.

3. Review and update your incident response plan based on the lessons learned.

4. Share information about the attack with relevant parties and collaborate with industry peers to improve overall cybersecurity.

By understanding the complex nature of ransomware attacks and taking a proactive approach to prevention, response, and recovery, your organization can significantly reduce the likelihood of falling victim to ransomware and better protect its critical data and operations.
IN CONCLUSION
RANSOMWARE RISK: STAYING ONE STEP AHEAD

In this report, we've explored the current state of ransomware attacks, delving into the tactics and targets of the most notorious ransomware groups. We've discovered that organizations of all sizes and industries can fall victim to ransomware attacks, with many becoming collateral damage due to third-party vendor breaches.

Through our analysis, we've identified key ransomware indicators and demonstrated the importance of proactively monitoring and addressing them, both internally and externally. By utilizing Black Kite's Ransomware Susceptibility Index™ (RSI™) metric, organizations can better understand their susceptibility to ransomware attacks and take appropriate actions to mitigate risk.

We've provided recommendations for mitigating ransomware risk in three phases: prevention, response, and recovery. By implementing a combination of internal security measures and third-party risk management, organizations can stay off the radar of ransomware groups, protect sensitive data, and minimize the potential damage caused by ransomware attacks.

In the face of an evolving threat landscape, it's crucial to stay vigilant and continuously improve your cybersecurity posture. Black Kite's vendor risk intelligence platform offers comprehensive insights and actionable recommendations to help organizations stay one step ahead of ransomware threats. Don't wait for a ransomware attack to happen—take control of your cybersecurity today by requesting a free RSI™ score for your organization.

REQUEST A FREE RSI™ RATING

ABOUT BLACK KITE
One in four organizations suffered from a cyber attack in the last year, resulting in production, reputation, and financial losses. The real problem is adversaries attack companies via third parties, island-hopping their way into target organizations. At Black Kite, we're redefining vendor risk management with the world's first global third-party cyber risk monitoring platform, built from a hacker's perspective.

With 500+ customers across the globe and counting, we're committed to improving the health and safety of the entire planet's cyber ecosystem with the industry's most accurate and comprehensive cyber intelligence. While other security ratings service (SRS) providers try to narrow the scope, Black Kite provides the only standards-based cyber risk assessments that analyze your supply chain's cybersecurity posture from three critical dimensions: technical, financial, and compliance.

CONTACT US
[email protected]
800 Boylston Street, Suite 2905
Boston, MA 02199
www.blackkite.com

Copyright © 2023 Black Kite