RANSOMWARE THREAT LANDSCAPE OVERVIEW

Pear and Qilin led the chart with 18 victims each, mostly in the Business Services and Manufacturing industries. Blacknevas and Play followed closely indicating a dominance shift. The reporting period also witnessed attacks by emerging groups suggesting new actors are seeking to establish reputation and market share.

During the reporting period, Manufacturing emerged as the most targeted industry with 20 reported incidents, reflecting the industry's continued vulnerability due to operational technology dependencies and potential for costly downtime. The Business Services sector followed with 18 incidents, highlighting the value attackers place on disrupting service-based operations that often serve multiple downstream clients.

The United States accounted for nearly half of all reported incidents (60), highlighting its continued status as the primary target for ransomware groups. The United Kingdom followed with 12 incidents, while Germany (6), Japan (5), and Italy (4) recorded moderate activity. Australia, Brazil, Canada, and Thailand each reported three incidents, while most other countries experienced one or two attacks. Four victims could not be attributed to a specific country, reflecting gaps in reporting.

OBSERVATIONS

• Pear and Qilin ransomware groups had 18 victims each, surpassing some well-established groups and indicating a potential shift in dominance.
• The United States remained the most targeted country with 60 incidents, far ahead of other nations, underscoring its continued attractiveness to threat actors.
• The continuous targeting of Business Services and Manufacturing reflects a calculated focus on industries with high-stakes operations.
• Four incidents had unknown country attribution, which may indicate deliberate anonymization by the attackers or incomplete public disclosure by victims.

RECOMMENDATIONS

• Prioritization of cybersecurity investments in industries frequently targeted, including Business Services, Manufacturing, and Construction.
• Organizations should actively monitor for indicators of compromise (IOCs) related to Beast, Akira, Incransom ransomware and other ransomware.
• Enhancement of detection and response capabilities, including anomaly detection and rapid containment measures.
• Organizations should practice timely sharing of attack data among industry peers to improve situational awareness and defense coordination.
• Organizations should maintain appropriate backups and regularly test restoration processes.
• Organizations should assess security posture of suppliers and partners to prevent supply chain entry points.