Ransomware Activity Report from 24th August - 30th August 2025
Between August 24-30, 2025, our threat intelligence monitoring recorded a moderate decrease in global
ransomware activity, with 119 attacks reported globally. This follows the previous week's surge, indicating a
fluctuating but persistent threat landscape. This reporting period was defined by a major leadership change,
with established groups like Warlock and Akira showing significantly reduced activity. The new leaders,
Safepay and Qilin, shifted the primary focus of attacks back to the Manufacturing sector, which saw a notable
rise in victims. The United States remained the most targeted country, while Canada emerged as a new top target.
RANSOMWARE THREAT LANDSCAPE OVERVIEW
During this reporting period, there was another notable realignment among the top ransomware groups in the ecosystem with a new hierarchy of threat groups emerging. Safepay rose to the top, claiming 20 victims, while a new actor, Cephalus, made a powerful debut, claiming 19 victims. Meanwhile, Qilin maintained its prolific activity with 19 victims, but last week's dominant actors, such as Warlock and Akira, saw a sharp decline in their activity, indicating a major shakeup in the threat landscape.

Manufacturing reclaimed its position as the hardest-hit industry, with 25 victims, a significant increase from the previous week. In contrast to the prior period, attacks on the Technology sector fell from 26 to just 8 victims. Other hard-hit industries included Education, which rose to 10 victims; Financial Services, which rose to 9 victims; and Healthcare, which fell to 8 victims. The high number of victims in the Unknown category, with 17 cases, continues to obscure the full scope of industrial targeting.

The United States remained the primary target with 55 victims, reaffirming its status as the most attractive market for threat actors. A significant geographical change was Canada moving up to the second position with 11 victims. Germany also remained a top target with 9 victims, maintaining its consistent exposure to ransomware.

OBSERVATIONS
- A new group, Cephalus, emerged during the reporting period and appeared in the top ranks. This indicates the presence of a new and capable threat actor; as such, security teams should monitor this crucial development closely.
- The ransomware ecosystem continues to be highly dynamic, with no single group maintaining sustained dominance for more than a week. The rapid decline of Warlock and Akira, and the equally fast ascent of Safepay, highlight the fluidity of the ransomware-as-a-service (RaaS) market and the short life cycles of major campaigns.
- The sharp decrease in attacks on the Technology sector and the corresponding spike in attacks on Manufacturing mark a significant recalibration. This implies that threat actors are opportunistically moving towards industries that are perceived as having lower defenses or that tend to pay more, such as manufacturing and business services.
- The most prominent ransomware group for the reporting period (Warlock) appears to have focused more on the Technology industry.
- While the U.S. continues to be the primary target, the rise of Canada into the group of top victim countries shows that threat actors are now targeting the North American continent.
- The consistently high number of victims in the Unknown category (industries and countries) is a recurring observation. This intelligence gap creates a barrier to fully comprehending the targeting of threat actors and points to the necessity for improved data sharing.
RECOMMENDATIONS
- Organizations should leverage real-time threat intelligence on these groups' TTPs (Tactics, Techniques, Procedures) to ensure early detection.
- The targeted sectors should reinforce endpoint detection and response (EDR), patch management, and segmented backups to reduce ransomware impact. They should also enforce strict monitoring for infostealer malware, which is a primary source of initial access for many ransomware groups.
- Organizations with operations in North America, particularly the U.S. and Canada, should conduct a heightened risk assessment. This includes reinforcing controls for remote access, VPNs, and internet-facing services that are often exploited by threat actors.
- Organizations should constantly assess the security posture of suppliers and partners, because supply chain compromises are becoming a common way for threat actors to gain access.
- Organizations should practice timely sharing of attack data among industry peers to improve situational awareness and defense coordination.