GRIT Ransomware Report: January 2024

Additional contributors to this report: Nic Finn, Grayson North, Jason Baker

January saw a decrease in ransomware activity relative to the operations tempo observed throughout Q4 2023. This decrease is consistent with historical norms, and mirrors a similar slowdown observed in January of 2022 and 2023, both of which also followed heightened Q4 activity from the preceding year. Although January 2023’s victim volume decreased slightly from January 2022, this proves to be the outlier as January 2024 resulted in 271 observed victim posts, a 40% increase over January 2023’s 161 victims. 

Geographically, the global north remained the most impacted by ransomware, with Canada, France, and the United Kingdom receiving disproportionate ransomware impacts relative to other countries in this region. This goes in hand with the United States, accounting for 55% of all observed posts.

Similarly consistent, the Manufacturing industry continues to account for the highest volume of observed victims, with one in six posts impacting a manufacturing organization. Interestingly, the Retail and Wholesale industry was among the most impacted in January at 7% of observed victims, returning to its baseline share of victims after an anomalous “dip” in December 2023. The Technology, Consulting, Education, Healthcare, and Legal industries also placed high among the most impacted industries, likely reflecting the continued conduct of data exfiltration against victim organizations that house large volumes of sensitive data.

Our threat actor spotlight this month focuses on Black Basta, a longstanding “Established” group with origins in the since-disbanded Conti ransomware group that was surprisingly active during January. While the group may not claim victims at rates seen by the more prolific Established groups such as LockBit, Black Basta has continued a slow and mostly consistent stream of posted victims since their emergence in early 2022.

Total Publicly Posted Ransomware Victims	271
Number of Active Ransomware Groups	32
Average Posting Rate (per day)	8.74

Ransomware Trends

January 2024 showed a significant decline in the total number of posted victims by 33% and 60% relative to December and November 2023 respectively. This continued the downward trend from November’s high of 433, to December’s 361 before reaching January’s 271. 

This downward trend from November through January is consistent with the same pattern observed in 2021-2022 and 2022-2023, and thus is not anomalous. When compared to the same period year-over-year, January 2024 resulted in a 68% increase in observed victims relative to January 2023, which resulted in 161 observed victims. 

The first half of the month saw 88 claimed victims, compared to 183 during the second half. This increase in operational tempo could represent an emergence from a relatively dormant period following the New Year and Orthodox Christmas holidays commonly observed in Eastern Europe.

Ransomware Victims by Country

The United States remains the most impacted country in terms of observed ransomware victim volume, accounting for almost 10 times the victim count of the other “top 10” countries, and 55% of total observed victims overall. 

The United Kingdom saw a decrease in claimed victims, from 22 in December 2023 to 14 in January 2024, aligning with the overall observed decrease in posted victims from December to January.

France saw a significant increase in claimed victims, from nine in December to 15 in January. Notably, GRIT observed 3 additional groups claiming French victims in January compared to December, with Black Basta, Alphv, and Trigona claiming two, one, and one victims, respectively. This continues to demonstrate the correlation between diversity and volume of ransomware groups and overall observed victim volume.

Industry Trends

Manufacturing retained its position as the most-impacted industry, with more than double the next industry. Technology dropped 28% from 25 claimed victims in December 2023 to 18 in January 2024, tying Retail and Wholesale. Excluding Manufacturing, January displayed a progressive decline in victims per industry, with nine industries affected 10 or more times, 10 industries affected between five and nine times, and 11 industries affected less than five times.

This spread appears to correlate with expected opportunistic exploitation, as the more heavily impacted industries are a far larger share of organizations compared to the less-impacted industries, such as Agriculture, Government, and Defense and Military entities.

Threat Actor Trends

LockBit maintained its lead in terms of market share in January, accounting for 23% of posted victims. This stays within its typical range of 19-25% of total victim count observed over the past year. Approximately 2/3 of all reports attributed to LockBit occurred after January 15th, which were posted as batches of reported victims on January 19th and 21st.

8Base appears to post victims in batches, with an average of 4-8 posted approximately once per week. Despite its relative newcomer status among prolific ”Established” groups, 8Base has maintained its status among the “top five” most impactful groups since October 2023.

January 2024 presented a spike in victim volume for Akira, with its highest observed victim count since August 2023. Since we began monitoring Akira in April 2023, Akira has maintained monthly victim volumes in the double digits for all but a single month, September 2023.

Black Basta saw a very large increase in activity, more than tripling their volume of posted victims from December 2023 to January 2024. Notably, Akira and 8Base experienced modest increases in victim volume in January, while the most prolific groups, Alphv and LockBit, experienced a slight decrease. While slight ”dips” in claimed victims are not anomalous, increases in victim volume in January are less common based on historical data. 

Threat Actor Spotlight: Black Basta (Established)

Black Basta is a Ransomware-as-a-Service (RaaS) group that has been operating continuously since at least April 2022. The group demonstrated an increase in activity during January 2024, with 19 victims claimed on their data leak site, roughly doubling their 2023 average of 9.7 victim posts per month. Black Basta rarely leads among ransomware groups in terms of victims posted, but the group has sustained almost two years of operations and continues to compromise victim networks. Recent reporting from Elliptic indicates that the group has amassed over $100 million USD in ransom payments throughout their lifetime.

Black Basta is currently classified as an ”Established” ransomware group in accordance with GRIT’s ransomware taxonomy, though the group almost certainly began as a ”Splinter” group forming around the time of Conti’s disbandment in May 2022. The group maintains multiple similarities to Conti’s operations which support this assessment, including similarities between Black Basta’s early ransomware encryption and that of Conti’s. We note that the Conti source code was leaked several times during Conti’s operations, which could serve as a plausible alternative explanation. Black Basta’s data leak site is also reminiscent of Conti’s, employing a similar format with victim names, general information, view counters, and leaked data percentages for impacted victims. Finally, the use of the term “Basta News” is reminiscent of Conti’s “Conti News” branding on their historical data leak site. While these data points may indicate mimicry rather than direct descendance, they support our assessment of shared lineage between the two groups.

Black Basta has been known to utilize the QakBot (aka Qbot) malware to gain initial access into victim networks, similar to Conti’s reliance on TrickBot for a similar purpose. During post-exploitation activities, Black Basta affiliates have depended on the popular offensive security tool Cobalt Strike, as well as the exploitation of the PrintNightmare (CVE-2021-1675 and CVE-2021-34527), ZeroLogon (CVE-2020-1472), and NoPac (CVE-2021-42278 and CVE-2021-42287) vulnerabilities.

57% of the group’s total tracked victims (283) are located within the US, while Germany (37) and the United Kingdom (21) take a distant second and third. The group has primarily impacted victims in the Manufacturing industry, which account for 22% of observed victims over the past year. Black Basta’s disproportionate impacts on US-based organizations and the Manufacturing industry are consistent with trends observed among other longstanding “Established” groups tracked by GRIT.

Other Notable Ransomware Events

Recent Ransomware Disruptions

January saw multiple law enforcement and government operations directed against ransomware actors, maintaining an apparent increase in announcements of operations targeting the ransomware threat that began in Q4 2023. The most visible of these was the announcement of a coordinated series of sanctions from the United States, United Kingdom, and Australia placed on a Russian national named Aleksandr Gennadievich Ermakov. Ermakov was identified as a result of coordinated Australian government investigations, including the Australian Signals Directorate and Australian Federal Police, following a high-profile aggressive attack on the Australian health insurance company Medibank in late 2022. The attack was believed to have been carried out by members of the now defunct REvil ransomware group, which disbanded following the start of multiple law enforcement disruptions circa October 2021. The data and details of the attack were posted on a dark web blog believed to be linked to former REvil infrastructure, which contributed to assessments of REvil ties, though some early reporting opted to attribute the attack to “BlogXX” as an indication that the identity of the attackers was uncertain. The degree of coordination and decision to publicize Ermakov’s identification likely reflect the perceived significance of the Medibank attack, as well as an attempt to demonstrate continued and successful whole-of-government efforts to degrade ransomware operations. 

A second law enforcement victory in January came with the arrest of a 19-year-old man from Florida named Noah Michael Urban. Urban is reported to have been associated with the group Scattered Spider, which gained infamy for a number of high-profile attacks during mid-2023 as an affiliate of the Alphv ransomware group, including the attacks on Caesar’s and MGM Resorts. Evidence presented by law enforcement shows that Urban was heavily involved with conducting numerous “SIM-swapping” attacks against victim cell phones, a known initial access tactic associated with Scattered Spider. Similarly to the case of Aleksandr Ermakov, Urban’s arrest may serve to signal continued and successful law enforcement operations directed against high-profile ransomware actors, and may yield additional insight into the group over time. The age of Urban at the time of his arrest confirms the participation of young adults as part of the group’s operations, an element explored in recent security reporting and tied to the group’s aggressive, often violent, approach to operations.

LockBit Accused of Scamming Initial Access Broker

In late January 2024, dramatic infighting broke out on the dark web forum XSS, with a user alleging that LockBit’s administrator persona, LockBitSupp, refused to fairly share ransom payment profits in exchange for access the user had provided to a target network. According to the posts, LockBitSupp communicated with a user who was claiming access to multiple networks. The user provided credentials before arranging an explicit profit-sharing agreement, which LockBit subsequently used to conduct ransomware operations on the victim network. The dispute led to the XSS and Exploit forums banning LockBitSupp’s account, with the assignment of the “Ripper” characterization as the cause of the ban. As highlighted by recent reporting from Analyst1, “Ripper” carries a particularly undesirable connotation–implying community distrust and maliciously deceitful actions taken by the actor. It remains to be seen whether these disagreements will impact LockBit’s operations in the long term, though the dispute could reduce the number of initial access brokers willing to work with LockBit in the near term or shift requirements for profit-sharing and cooperation arrangements. To date, we have observed deliberate efforts by the LockBitSupp persona to “fight back” against recent allegations and appeal similar characterization on other platforms, at least some of which have been adjudicated in LockBitSupp’s favor.

Alphv Continues Operations

Alphv posted its lowest number of ransomware victims over the past six months in January, following December 2023’s temporary operational disruption by the FBI and data leak site takedown. In the wake of the operation, the FBI also announced the availability of decryption keys for over 900 Alphv victims. Alphv’s recent decreased operational volume may be attributable to decreased affiliate operations, which we would expect from more risk-averse affiliates in the wake of targeted law enforcement operations. In sum, while Alphv may be experiencing the longer-term negative impacts of December’s operations, it does not appear to have prevented the group’s willingness or ability to continue operations in the near term. We assess that the group will continue to conduct Ransomware-as-a-Service operations for the foreseeable future and that victim volume will increase or return to baseline in the mid-term, barring additional successful disruption attempts by law enforcement.

Hypothesis Follow-up – Ivanti

In our 2023 Annual Ransomware Report, GRIT highlighted the increased likelihood of mass vulnerability exploitation by ransomware groups as the groups become more adept at rapidly adapting publicly known high-impact vulnerabilities and publicly available Proof-of-Concept exploits. This threat has already been observed in early 2024 through the widespread exploitation of vulnerabilities in Ivanti Connect Secure VPN, CVE-2023-46805 and CVE-2024-21887. These vulnerabilities remain under active exploitation by a range of threat actors in a chained attack, resulting in the deployment of web shells and credential stealers to impacted devices. While we have not seen a clear link to specific ransomware groups at this time, we assess that at least some of the compromised devices and associated compromised credentials may be used by initial access brokers or ransomware affiliates to support future ransomware operations in the mid-to-long term.

Final Thoughts

On a surface level, January resulted in lower observed victim volume relative to the preceding months, but a more expansive analysis reveals that January’s decrease is consistent with similar slowdowns observed in 2022 and 2023. Moreover, January’s observed victim volume actually increased 40% year-over-year, reflecting the continued overall upward trajectory of ransomware operations. Further, the repetition of these trends and increase in activity through the second half of January suggest seasonally consistent trends likely driven in part by the Eastern European holiday season, as well as repeated seasonal trends. If similar mirroring of 2023 continues with year-over-year increases, 2024’s overall observed victim volume will likely become the highest to date. 

LockBit and similar prolific “Established” groups continued their dominance of the observable ransomware ecosystem, claiming victims at substantially higher rates relative to their competition and accounting for over 70% of all observed victims. We continued to observe surges and drops in victim volume among leading groups from month to month, though such incremental shifts do little to impact the overall standing and prevalence of the groups and their affiliates. These shifts may indicate ongoing negotiations or shifting priorities of ransomware affiliates, particularly as most of the leading groups operate under the RaaS model. RaaS operations have proven to be particularly resilient to law enforcement disruption and even public decryptor availability, as demonstrated by Alphv’s continued operations post-law enforcement disruption and Akira’s continued operations post-decryptor publication, respectively. Successfully combating the ransomware problem and entrenched ransomware groups will likely require continued whole-of-government and multinational solutions, including sanctions, law enforcement disruption of wider operator networks, and exploitation of associated infrastructure to impose meaningful setbacks on adversaries. 

While still early, 2024 will almost certainly continue to present increased ransomware challenges to Defenders, ranging from traditional and commodity intrusion techniques to the detection and response of emerging vulnerabilities at high risk of exploitation at scale. The plethora of recently discovered vulnerabilities within Ivanti’s applications, and similar vulnerabilities to come, will almost certainly attract a diverse range of threat actors, possibly leading to increased ransomware victims in the coming months. While 2023 will be difficult to “beat” in terms of operational tempo and victim volume, we have not yet seen any indications of successful long-term disruption and degradation of the ransomware economy and expect 2024 to continue the upward trajectory of the preceding year.

The GRIT Ransomware Taxonomy

​​By subdividing ransomware groups, GRIT can obtain more detailed insights into how ransomware groups progress in their level of operational maturity and can classify and identify potential rebranding activity.

We distinguish ransomware groups by placing them into these six categories:

EMERGING

This category is reserved for new ransomware groups within their first three months of operations. These organizations may be short-lived, resulting in an Ephemeral group; may be determined to have Splintered or Rebranded from an Established group; or may move on to further develop their operations and TTPs over time.

EPHEMERAL

These groups are short-lived, with varied but low victim rates. Observed victims are usually posted in a single or short series of large postings rather than a continuous flow over time. Ephemeral groups, by definition, terminate operations, spin-off, or rebrand within three months of formation. These groups may or may not have dedicated infrastructure (i.e., data leak sites and chat support) as part of their operations.

DEVELOPING

These groups have conducted operations for three months or longer, resulting in a recurring flow of victims. Developing groups do not appear to be directly linked to other ransomware groups as a Splinter or Rebrand but may include some experienced ransomware operators. Developing groups generally improve their people, processes, or technology over time by recruiting additional members, refining TTPs, or improving the quality of their associated ransomware and encryption. These groups generally have dedicated infrastructure (i.e., data leak sites and chat support) as part of their operations.

SPLINTER

These groups consist of a plurality of members from previously Developing or Established groups and may have formed either by choice or due to exclusion. These groups may be identified by very similar or overlapping TTPs and tooling or through HUMINT gathered through interactions with personas on the deep and dark web. Splinter groups differ from Rebrands by the continued existence of the original organization as the Splinter group operates.

REBRAND

These groups consist in whole, or in part, of former Developing or Established groups. Rebrands often maintain the same people, processes, and technology as the original group. Rebrands are generally undertaken in order to minimize attention from law enforcement or intelligence officials or to avoid negative publicity. 

ESTABLISHED

These groups have operated successfully for at least nine months and have well-defined and consistent tactics, techniques, and procedures. Established groups often possess functional business units that enable sustained ransomware operations, with specialists focused on areas such as personnel, encryption, negotiations, etc. These organizations successfully employ technology and redundant infrastructure to support their operations. 

There are multiple routes a group can take through the various classifications, and no one route is standard. While one group may begin as “Ephemeral” and move their way through the ranks to “Full-time,” another group may enter as a “Rebrand” as part of a larger obfuscation strategy to avoid attention from law enforcement.