Ransomware Activity Report from 21st September - 27th September 2025
Between September 21 and 27, 2025, our threat intelligence monitoring observed a reduction
in ransomware activity, with 104 victims reported globally, a 42% decline from
the previous week's figure. Despite the decline, the Qilin ransomware group remained in the
top spot with 23 victims. Business Services also remained the top-targeted industry, and
the United States remained the top-targeted country with 58 victims. The reporting
period saw increased activity from the Killsec group, which unexpectedly made it into
the top 3 active ransomware groups.
RANSOMWARE THREAT LANDSCAPE OVERVIEW
There was a notable decline in ransomware activity during the reporting period, with 104 victims recorded, down from 179 in the previous week. The Qilin group, while remaining the most active, saw its victim count decline from 32 to 23. Play also maintained strong activity, moving up in rank because of the dramatic drop of other previously active groups, notably Incransom (which fell from 27 to 6). The presence of Killsec and Worldleaks within the top five highlights the dynamic and evolving nature of the RaaS ecosystem.

The Business Services industry remained the most targeted, with victims declining from 36 to 20. Manufacturing and Construction once again featured in the top five, showing a more extensive, but still concentrated, targeting approach across high-value enterprise industries.

Geographically, the United States remained the epicenter of ransomware activity, though it saw a decline in the number of victims from 92 in the previous week to 58. Other countries saw minor activity, with only South Korea remaining in the top five from the previous week, indicating an unstable geographic distribution outside of the primary US focus.

OBSERVATIONS
- Significant Volume Dip: The week recorded a 42% reduction in ransomware activity. This reduction, following a surge in the previous week, suggests either a temporary operational break among major groups, an international law enforcement action, or a lag in affiliate reporting cycles.
- Qilin and Play's Consistent Threat: Despite the overall dip in ransomware volume, Qilin and Play reaffirmed their positions as the two most active groups, indicating that their RaaS platforms are stable and their affiliate networks are highly functional and rely on proven initial access techniques.
- Extended Targeting of Business Services: The Business Services industry remained the most targeted. This is attributed to the fact that Business Services firms are likely to hold a treasure trove of information on their customers, including confidential financial information, intellectual property, and personally identifiable information (PII), making them attractive targets for double-extortion tactics.
- United States Remains the Epicenter: The consistent and overwhelming focus on the United States (55.7% of all victims) confirms that the country remains the most profitable and preferred target for ransomware organizations, aligning with previous observations regarding its wealth concentration and willingness to pay.
RECOMMENDATIONS
- Organizations should develop a well-defined incident response plan. This plan should include not only technical recovery steps but also communication and public relations strategies to manage the reputational fallout.
- Organizations should develop a recovery plan that maintains and retains multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location.
- Organizations should implement a strong foundational security posture now more than ever. This involves implementing Multi-Factor Authentication (MFA), exhaustive patch management, regular vulnerability scans, and robust identity and access control.
- Organizations should leverage real-time threat intelligence on ransomware groups' TTPs (Tactics, Techniques, and Procedures) to ensure early detection.
- Organizations in the targeted industries must undertake a detailed security control audit with a focus on protecting core operating technology and intellectual property.
- Organizations in the United States should consider additional protective measures, such as enhanced monitoring of network traffic and a comprehensive incident response plan, to mitigate the higher risk of attack.
- Organizations should constantly assess the security posture of suppliers and partners, because supply chain compromises are becoming a common way for threat actors to gain access.
- Organizations should practice timely sharing of attack data among industry peers to improve situational awareness and defense coordination.