November 2023 saw an increase in the number of ransomware victims compared to the quieter month of October. The number of victims increased by 29% month-over-month, climbing from 336 in October to 433 in November. However, November's numbers were only 16% higher than the average for the calendar year 2023, and just 6% higher than the average since the beginning of March, showing a sustained pace of operations. Interestingly, the number of active ransomware groups saw a marginal drop, and the prolific established ransomware groups (LockBit, Alphv, and Play) remained the primary contributors to the total number of ransomware victims. In fact, 82% of the victims were targeted by ransomware groups that had been operational for at least six months.
Geographically, ransomware attacks primarily targeted the global north, with US-based organisations being the predominant victims, followed by Western European countries, Canada, and Australia. Conversely, the month witnessed an unusually high impact on Chinese organisations with nearly 25% of the year's ransomware attacks executed against China occurring in November. Earlier, these attacks were primarily focused on China's manufacturing industry, but November witnessed victims from the energy, automotive, legal, and pharmaceutical industries. Historically, Eastern Europe-based cybercrime entities — the majority within the global ransomware landscape — refrained from targeting Chinese organisations. As such, this sudden spike calls for careful monitoring, as it could point towards a strategic shift.
In the United States, the healthcare sector continued to bear the brunt of ransomware attacks, pointing towards a disconcerting disregard for human life. The focused targeting of healthcare organisations, mainly by longstanding ransomware groups, is likely driven by their potential to extract high ransoms. As organisations have stepped up their security measures against ransomware, groups have turned to actively exploiting vulnerabilities, most notably in VPNs and storage services. As a result, ransomware groups are expected to continue prioritising the exploitation of vulnerabilities.
While ransomware groups continue to exploit known vulnerabilities, they also adapt their strategies and tactics to overcome defensive measures. Established ransomware group LockBit, for example, continued to dominate the ransomware ecosystem, impacting healthcare organisations and recording in November its most active month since August. The Alphv ransomware group also illustrated a shift in strategy, recovering from a dip in October to add 46 victims in November. The group's ongoing impact on healthcare groups and its use of media statements were likely aimed at shaming its victims and deterring future non-compliance. Furthermore, November also saw an anomalous increase in ransomware cases in China, indicating an exploratory approach by ransomware groups.
Manufacturing continues to be the most impacted industry. Distinctive trends have also been noticed in threat actor behaviour, with some groups ramping up their operations and others showing significant reductions. An interesting phenomenon is the periodic emergence of new players in the field, which tends to shift the dynamics of the threat landscape. Meow Leaks, for instance, emerged in late November and has claimed six victims thus far, primarily in the United States and one in Ireland. In another interesting development, Alphv has attempted to exploit legal proceedings to put pressure on its victims, which could become a trend to watch out for.
The crowd-sourced threat data collected by GRIT has helped categorise ransomware groups into Emerging, Ephemeral, Developing, Splinter, Rebrand and Established, offering more detailed insights into their progression and modifications in operational strategies. As the end of the year approaches, a continuation or increase in operations is expected, with ransomware groups likely to capitalise on opportunities to exploit undiscovered vulnerabilities or unattended defensive systems over the holiday period.