The CyberMaxx team of cyber researchers conduct routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Video Transcript

Hi, everyone. I’m Connor. I’m the security research manager here at CyberMaxx and the author of this quarterly report.

We believe that by sharing the intelligence available to us within the broader community, other organizations can also stay ahead of the same threats that we’re all facing.

Why We’re Doing This

This report is a summary of all the activity within the ransomware industry over the past quarter. It also provides trend analysis on a regular frequency, which allows us to identify changes within the ransomware vertical.

For example, the numbers we observed last quarter 1,030 successful attacks, and in this quarter 909. So that’s less total activity, but the big names have had a noticeable increase in their efforts.

What We Do at CyberMaxx

We track multiple ransomware groups, and we log all their activity, their attacks, and the organizations they’ve successfully attacked when they did it, and then we provide that data for you every quarter in this report.

We Aren’t Making This Up

The raw data that we use for these reports will also be released alongside the report itself. The purpose of that is basically just to allow other teams to do their own work using the same data set that we use. That way, we can see what conclusions they can come up with on their own, or they can identify.

How is this Data Useful?

Looking at this data, we can identify new trends that start to emerge. For example, we might see new groups emerge onto the scene. Take Royal, who made headlines last year. They’re largely rumored to have several members from the now-absolved Conte Group. And that would also explain how they were able to make such a big impact out of seemingly nowhere, which also, in turn, shed some light on what tactics they’re using, particularly for such a new group.

Identifying inactive groups and their TTPs also helps us to ensure that we have appropriate coverage against their operations. We’re being proactive instead of reactive here. This feeds into our threat hunt program as well, so that we can start to our client base for any indicators found for this intelligence.


We see Lockbit take the top position yet again. We talk about the 3CX supply chain attacks. And we provide a sample SentinelOne EDR detection for that. We also discuss a common evasion tactic that we’re seeing across all groups, whereby they’re evading existing security measures. In this case, we’re talking about measures to bypass Mark of the Web protections within their initial access efforts.

There’s a link to a full technical breakdown in the report if anyone is interested, and we do a deep dive into how that works.

Plans for the Future

This report will be released every quarter along with the accompanying data set showing trends compared to previous quarters. We’re also providing measures and information to help defend against these real-world threats that we’re seeing.