GRIT Ransomware Report Spotlight: Government

Recently, the GuidePoint Research and Intelligence Team (GRIT) published a report looking at ransomware trends so far in 2022, with a specific focus on how the Russian invasion of Ukraine might impact ransomware operations. We hypothesized in that report that the conflict would result in a slowdown of ransomware operations, based on the premise that many of the major ransomware groups operate from within eastern Europe and Russia. We also hypothesized that recent, large-scale leaks of operational and source code data would negatively impact the rate at which attacks occurred. If you want to see the final conclusions of that report, you can check it out here. But those final conclusions are not what we’re here to talk about today. 

So why are we here right now? As part of our analysis, we took a look at publicly available ransomware data collected from ransomware leak sites. That data gave us a view into what countries and industries tend to be targeted the most, and by which ransomware groups.

In 2021, we saw a spike in high-profile attacks targeting critical industries. What many in the cybersecurity field already knew suddenly became a hot topic: it’s imperative that we start taking the cybersecurity of our infrastructure seriously. With that in mind, we decided to dig a little deeper into a few of the top ten industries we saw in our report. Specifically, what we want to talk about today is what we found regarding ransomware attacks within the Government space.

Government agencies and organizations have always been prime targets for attackers, whether they’re state-sponsored or not. So while it makes sense that Government organizations were in the top ten industries with publicly posted victims, it is interesting that they didn’t fall higher on the list given world affairs at the time of our research. Digging into that data a little more, we found that while US government organizations were highly impacted, Italy saw an equal number of posted attacks, and France only slightly fewer. After that there’s a steep fall-off, with most countries we observed seeing only one posted attack each. This is again interesting given current events, as we would have expected a larger spike targeting countries that could influence the conflict in Ukraine.

As for who is responsible for the publicly posted attacks, LockBit far outstrips every other threat actor on the list when it comes to volume. This is somewhat interesting, given LockBit’s statements regarding attacking critical infrastructure or getting involved in international affairs. While their messaging takes a decidedly non-aggressive stance (they bill themselves as “post-paid pentesters” operating as something closer to a business), their dominant presence in the attacks against government organizations could be seen as counter to their statements. That being said, across all threat actors, LockBit accounted for less than half of the posted attacks.

Finally, as would be expected for an industry as important as Government, leak site postings were fairly consistent across 2021 and 2022, showing a steady stream of attacks. There was a significant spike in November, and a small bump in early 2022, but for the most part the rate of attacks seems to follow a somewhat steady baseline. 

So what does this mean for cybersecurity organizations within the government? In the full report, we talked quite a bit about Threat Intelligence and its importance to your cybersecurity programs. If you operate within the Government sphere, and specifically if you’re within the US or a western European country, it’s important to recognize that your organization is currently, and will likely always be, an extremely valuable target, and you should use this data as a way to bolster your defenses. If you aren’t already using one, you may want to consider investing in a Threat Intelligence Platform (TIP) and threat intelligence feeds relevant to LockBit’s known Tactics, Techniques, and Procedures. Operationalized threat intelligence may be the difference between stopping LockBit or another group and becoming a statistic in GRIT’s next report.