GuidePoint Research and Intelligence Team (GRIT) Releases New Ransomware Trends Report

·3 min read

GuidePoint Security’s Threat Intelligence Team Shares Analysis of Ransomware Activity in Q2 2022

HERNDON, Va., July 21, 2022--(BUSINESS WIRE)--GuidePoint Security, a cybersecurity solutions leader enabling organizations to make smarter decisions and minimize risk, today announced the release of GuidePoint Research and Intelligence Team’s (GRIT) quarterly ransomware report. This report is based on data obtained from publicly available resources, including threat groups themselves, and provides an accurate representation of the ransomware threat landscape. In the second quarter, GRIT tracked 30 ransomware groups and 581 publicly posted victims.

The GRIT Ransomware Quarterly Report shows a slowdown of ransomware activity in June and a focus on manufacturing and construction verticals accounting for almost 20% of claimed victims. Out of the 30 groups tracked, 23 targeted the manufacturing and construction verticals.

"We saw a decrease in ransomware activity in Q2 compared to Q1 due to Conti’s operational changes in May, a significant dropoff of known Clop victims, and the complete revamp of Lockbit in June," said Drew Schmitt, GRIT operations lead, GuidePoint Security. "From an industry perspective, manufacturing and construction were hit hard largely due to targeting by Lockbit and Blackbasta, a new group that emerged in Q2 and maintained a high operational tempo throughout the quarter. "

Key Highlights of the report:

  • 34% decrease in ransomware victims from Q1 to Q2

  • Manufacturing, Technology, Construction, Government, and Healthcare were the top 5 most impacted industries in Q2

  • The U.S. was the most impacted country, accounting for almost 25% of all attacks

  • The top 4 ransomware groups by number of publicly posted victims were Lockbit2, Alphv, Conti, and Blackbasta

The second quarter of 2022 also saw the update from Lockbit2 to Lockbit 3.0 (aka Lockbit Black), which is a new release from the Lockbit Ransomware as a Service (RaaS) group. This group, which claims to operate from the Netherlands with origins in former USSR nations, allows affiliates to keep 80% of the ransoms and protects their infrastructure and organization through a bug bounty program and a thorough vetting process for new affiliates. Additionally, Lockbit offers multiple purchase options for each intrusion on their leak site to either delay the release for a small fee, destroy data, or download data.

"We expect to see an uptick of Lockbit 3.0 activity and potentially other restructuring and consolidation in affiliate-based ransomware operations," said Schmitt.

For more information or to download the report, go to:

About GuidePoint Security

GuidePoint Security provides trusted cybersecurity expertise, solutions and services that help organizations make better decisions that minimize risk. Our experts act as your trusted advisor to understand your business and challenges, helping you through an evaluation of your cybersecurity posture and ecosystem to expose risks, optimize resources and implement best-fit solutions. GuidePoint’s unmatched expertise has enabled a third of Fortune 500 companies and more than half of the U.S. government cabinet-level agencies to improve their security posture and reduce risk. Learn more at

View source version on


Danielle Ostrovsky