Archive for GuidePoint

0APT – Scam Ransomware Group – No Evidence Victims Impacted By Threat Actors

Posted in Commentary on February 9, 2026 by itnerd

GuidePoint Security today released new research which assesses with high confidence that the victims claimed by “0APT” are a blend of wholly fabricated generic company names and recognizable organizations that threat actors have not breached. 

At a high level, the report focuses on a new “scam” ransomware group, 0APT, which emerged as a Data Leak Site in late January 2026 and quickly claimed 200+ victims within a week – but GuidePoint Research and Intelligence Team (GRIT) finds these claims are largely fabricated. 

GRIT has observed no evidence that these victims were impacted by a threat actor associated with “0APT”, including through first-hand reporting.

0APT is likely operating in this deceptive manner to extort uninformed victims, re-extort historical victims from other groups, defraud potential affiliates, or garner interest in a nascent RaaS group. GRIT cannot rule out the possibility that 0APT or associated actors may conduct real attacks in the future.

After security reporting emerged highlighting the number of victim organizations and implausible or fabricated organization names, the Data Leak Site went offline on Feb 8, before returning on Feb 9, with a much narrower slate of 15+ very large multinational organizations.

Alleged victims of 0APT should consider activating internal investigative procedures, but are advised that in the absence of a ransom note, encrypted files, or any form of communication from the group, their post on 0APT is almost certainly entirely fabricated rather than representative of an undetected intrusion.

You can read the new research here: https://www.guidepointsecurity.com/blog/gritrep-0apt-and-the-victims-who-werent/

Ransomware Victims and Threat Groups Surge to Record Levels, GuidePoint Security Finds

Posted in Commentary on January 15, 2026 by itnerd

GuidePoint Security announced today the release of the GuidePoint Research and Intelligence Team’s (GRIT) annual Ransomware & Cyber Threat Report.

The GRIT 2026 Ransomware & Cyber Threat Report provides exclusive in-depth research, insights and analysis on a year of record-breaking ransomware activity, examining who cybercriminals are targeting (and why), the top tactics threat actors are using and how shifting ransomware group dynamics are redefining the threat landscape.

Findings from this year’s report include:

  • Ransomware victim numbers hit a new all-time high. 2,287 ransomware victims were posted in Q4 2025 alone — the largest number recorded in a single quarter since the report’s inception.
  • The number of threat groups has reached record levels. 124 distinct ransomware groups were active in 2025, the highest ever recorded and a 46% year-over-year increase.
  • The United States remains a top geographic target for ransomware attacks. In 2025, more than half (55%) of ransomware victims were based in the U.S.
  • A new RaaS leader has emerged. Qilin’s activity levels in 2025 were the highest of any group ever observed.
  • The Manufacturing industry was most heavily impacted by ransomware, accounting for 14% of attacks. The Technology (9%) and Retail/Wholesale (7%) industries followed closely behind.
  • High ransomware activity levels should continue in 2026. December 2025 was the most active month for claimed ransomware victims on record with 814 successful attacks — a 42% year-over-year increase.

The report also explores the growing use of AI in ransomware attacks, examines the impact of zero-day vulnerabilities on ransomware and takes an in-depth look at major ransomware operators throughout the year, including an analysis of ransomware payments made to the Qilin and Akira groups.

The GRIT 2026 Ransomware & Cyber Threat Report is based on data obtained from publicly available resources, vendor threat research, internal incident response case data and open-source intelligence collected from illicit forums and marketplaces.

GuidePoint Security and FAIR Institute Release 2025 State of Cyber Risk Management Report

Posted in Commentary on June 26, 2025 by itnerd

GuidePoint Security released a 2025 State of Cyber Risk Management (CRM) Report, revealing that CRM has evolved from a siloed compliance function into a strategic discipline that informs executive decision-making.

Key findings include:

  • Quantification has gone mainstream. Factor Analysis of Information Risk (FAIR) and cyber risk quantification (CRQ) are gaining momentum. Nearly 45% of organizations use or plan to use FAIR. Among adopters, 90% report success. 
  • Automation, AI, and data are foundational. 72% of organizations have mostly or completely automated their CRM systems, and 48% are utilizing AI for CRM. Both CRM automation and the use of AI are strongly correlated with maturity and improved outcomes.
  • Demand for CRM is growing, especially for those with mature programs. Nearly all (95%) respondents said internal demand for CRM is growing. Among those reporting high or very high CRM maturity, 23% indicate that demand will increase significantly. 

You can get more details here: guidepointsecurity.com/resources/2025-state-of-cyber-risk-management-report

GuidePoint Security Launches New Incident Response Maturity Assessment

Posted in Commentary on June 10, 2025 by itnerd

GuidePoint Security, a cybersecurity solutions leader enabling organizations to make smarter decisions and minimize risk, announced today the launch of its new Incident Response Maturity Assessment (IRMA), designed to help organizations evaluate, strengthen and mature their cybersecurity incident response capabilities.

As digital threats continue to grow in complexity and frequency, many organizations are struggling to build and maintain effective incident response programs, leaving them vulnerable to cyber attacks and regulatory risk. GuidePoint’s IRMA offering addresses these challenges head-on by providing a comprehensive, tailored assessment that benchmarks current incident response capabilities against industry standards,  provides actionable recommendations for improvement and sets an actionable roadmap for future development.

“Too often, organizations don’t realize their response processes are fragmented, outdated, or insufficient until they’re in the middle of a serious incident,” said Mark Lance, Vice President, DFIR and Threat Intelligence at GuidePoint Security. “IRMA gives security teams a clear view of their posture, along with practical steps to build a more mature, effective and resilient response program over time.”


GuidePoint Security’s new IRMA offering includes: 

  • Risk Evaluation: Assess your organization’s inherent risk and align it with your unique incident response capabilities. 
  • Control Domain Assessment: Evaluate incident response across six critical lifecycle phases—preparation, detection, containment, eradication, recovery and post-incident activity. 
  • Maturity Evaluation: Analyze your current maturity level and define a clear, measurable path to a stronger future state.
  • Custom Reporting: Receive a detailed report highlighting strengths, weaknesses, and actionable recommendations—prioritized to address the most pressing risks and capability gaps.
  • Debrief and Recommendations: Participate in a post-assessment debrief to review findings and define next steps.

Unlike generic security assessments, IRMA is specifically designed for incident response and uses a custom control framework built around industry standard sources like NIST and SANS. The offering also evaluates both the strategic and operational aspects of response programs for a holistic evaluation—ensuring a thorough, accurate assessment that touches on policies, tools, team readiness and real-world application.

IAM Maturity Lagging Across Most Organizations, GuidePoint Security Finds

Posted in Commentary on May 29, 2025 by itnerd

A new report released today by GuidePoint Security, in partnership with the Ponemon Institute, found that most organizations are falling short in their Identity and Access Management (IAM) strategy—leaving them vulnerable to identity-based threats.

Although 75% of cyberattacks leveraged identity-based threats last year, GuidePoint Security’s State of Identity and Access Management (IAM) Maturity Report has unveiled that IAM remains under-prioritized compared to other IT security investments, with most organizations still in the early to mid-stages of IAM maturity. Only half of respondents rate their IAM tools as effective, and even fewer (44%) express high confidence in their ability to prevent identity-based incidents.

The report also highlights significant gaps in IAM technology, expertise and resources—factors that are stalling programmatic maturity and making it more difficult for organizations to secure identities across today’s complex environments.

Key findings from The State of Identity and Access Management (IAM) Maturity Report include:

  • IAM is underfunded and underdeveloped. Only 50% of respondents believe their IAM tools and investments are effective. Investments in IAM trail behind other security priorities.
  • Manual processes and expertise gaps are barriers to maturity. A lack of appropriate technologies (54%), in-house expertise (52%) and resources (45%) are cited as top challenges to achieving IAM maturity. Many organizations still rely on spreadsheets, scripts and other manual efforts.
  • IAM maturity is a path to enhanced security. A small group (23%) of organizations that have invested in automation and advanced IAM technologies report fewer security incidents and stronger identity controls. They lead in adopting biometric authentication, identity threat detection and integrated governance platforms.
  • IAM implementation is misaligned with security goals. Surprisingly, 45% of respondents say the primary driver for IAM investments is to improve user experience—not security.
  • There is a disconnect in program perception and reality. While most organizations report having policies in place or in development (83%), only 28% have these policies integrated into their IAM platforms.

The State of Identity and Access Management Maturity Report is based on responses from a comprehensive survey of 625 U.S.-based IT and IT security professionals involved in their organizations’ identity and access management program.

Click here to download The State of Identity and Access Management (IAM) Maturity, 2025

Ransomware Victims and Threat Groups Have Reached An All-Time High, GuidePoint Security Finds

Posted in Commentary on January 16, 2025 by itnerd

GuidePoint Security, a cybersecurity solutions leader enabling organizations to make smarter decisions and minimize risk, announced today the release of the GuidePoint Research and Intelligence Team’s (GRIT) annual Ransomware & Cyber Threat Report.

The GRIT 2025 Ransomware & Cyber Threat Report provides exclusive in-depth research, insights and analysis on the evolving ransomware ecosystem, exploring who cybercriminals are targeting (and why), the top tactics threat actors are using and what the future may hold for emerging ransomware groups in 2025. 

Noteworthy findings from this year’s report include: 

  • A record high of ransomware victims, with 1,600+ ransomware victims in Q4 2024 alone—the largest number recorded in a single quarter since the report’s inception. 
  • A 40% YoY increase in active threat groups, illustrating a continually-developing threat landscape. GRIT identified 88+ total active threat groups in 2024, including 40 newly observed adversaries.
  • An average of 92 ransomware victims were posted per week on the dark web. RansomHub claimed the largest number of victims in 2024, displacing LockBit as the most active ransomware group for the first time since 2021.
  • The United States remains a top geographic target for ransomware attacks. In 2024, more than half (52%) of ransomware victims were based in the U.S. 
  • An average of 110 Common Vulnerabilities and Exposures (CVEs) published per day, underscoring the overwhelming volume and velocity of information which cybersecurity teams are facing. Almost 40,000 CVEs were reported in 2024, a 43% increase from 2023.
  • Nearly 44% of vulnerabilities were rated “High” or “Critical” severity. However, threat actors continue to rely on historical vulnerabilities from preceding years.
  • The Manufacturing industry was most heavily impacted by ransomware, followed by the Technology and Retail/Wholesale industries. Interestingly, despite several high-profile attacks in 2024, the Healthcare sector dropped out of the top three most affected industries by the end of the year.

The report also explores the impacts of ransomware on critical infrastructure, examines threat actor deception and misinformation efforts in 2024 and examines major ransomware events throughout the year, including the continued fallout from Operation Cronos. 

The GRIT 2025 Ransomware & Cyber Threat Report is based on data obtained from publicly available resources, vendor threat research, internal incident response case data and open-source intelligence collected from illicit forums and marketplaces.

New Q3 Report From GuidePoint Highlights Rise in Social Engineered Ransomware Attacks

Posted in Commentary on October 17, 2024 by itnerd

Today, GuidePoint Security published its quarterly GRIT Ransomware report, diving into the evolving ransomware ecosystem and the top tactics and procedures threat actors are leveraging. Additionally, research unveils a rise in social engineering tactics by an emerging Ransomware-as-a-Service (RaaS) “middle class.”  

Highlights of the report:

  • Ransomware remains a threat, with 49 active groups impacting more than 1,000 publicly posted victims in Q3 2024.
  • A strong “middle class” has surfaced in the RaaS ecosystem, distributing ransomware victims across a greater number of diverse groups.
  • The industries most impacted by ransomware in Q3 2024 were manufacturing, technology and healthcare, respectively. Manufacturing remains the most impacted industry.

You can download the report here: https://www.guidepointsecurity.com/resources/ransomware-cyber-threat-insights-the-rise-of-ransomwares-middle-class/

The GRIT Ransomware Report Is Out: Similar Spring Seasonality Trends & Four Newly Observed Groups

Posted in Commentary on June 13, 2024 by itnerd

GuidePoint Security has released its monthly GRIT Ransomware Report, unveiling that May resulted in a 33% increase overall in ransomware activity compared to April 2024, indicating a degree of seasonality given a similar increase month-over-month in May 2023 relative to April 2023.

May 2024 closed with an increase in overall victim volume. However, a deep review reveals that the rise was driven disproportionately by LockBit’s 175 posted victims, accounting for 37% of the month’s total publicly posted ransomware victims.

Active Groups Rise: GRIT continues to observe YOY increases in the number of distinct ransomware groups operating, with 38 unique groups claiming victims in May 2024, a 35.7% increase from May 2023. This represents increased dispersion of activity among small groups versus big groups like Alphv/LockBit.

Four Notable Newcomers: GRIT began tracking four newly observed ransomware groups, which distinguish themselves with relatively quick starts, posting nearly ten victims in May 2024, which places them in the middle of the pack amongst competitors by victim volume and exceeding operational tempo.

Threat Actor Spotlight: GRIT assesses Hunters International intends to continue to increase its victim volume, implementing triple extortion operations or escalated coercive tactics as it becomes better resourced and more mature.

You can read the full report here.

GuidePoint GRIT Ransomware Report For April Is Out

Posted in Commentary on May 17, 2024 by itnerd

GuidePoint Security has published its April 2024 GRIT (GuidePoint Research and Intelligence Team) Ransomware report.

Last month, research revealed one of the year’s biggest takeaways thus far: Play, a typically smaller ransomware group, has overtaken Alphv and LockBit for the top spot in April 2024. 

Additional key highlights include vertical trends: manufacturing remains the most impacted industry, technology is resurging as a frequent target, and healthcare and retail/wholesale continue to be in the Top 5 most impacted industries, a notable change from previous years.

With regard to geographical distribution, the US remains the most targeted country, while attacks in the south worldwide are increasingly attributed to newer, developing groups.

Additionally, the report explores the operations of emerging ransomware groups and their innovative tactics, including using lower-quality malware and exploiting historical vulnerabilities. 

You can read the report at https://www.guidepointsecurity.com/blog/grit-ransomware-report-april-2024/

Legit Security Now Offered Through GuidePoint Security

Posted in Commentary on April 17, 2024 by itnerd

Legit Security, the leading platform for enabling companies to manage their application security posture across the complete developer environment, today announced a strategic reseller partnership with GuidePoint Security, the leading cybersecurity solution provider that empowers organizations to make smarter decisions and minimize risk.

As organizations build scalable application security programs, they face many challenges, including enforcing consistent policies across disparate product and application teams and demonstrating compliance to various regulations and security frameworks. GuidePoint Security’s expertise and services, paired with Legit’s platform, will enable joint customers to help strengthen their application security posture without slowing the innovation critical to their bottom line.

Legit’s platform enables security teams, including CISOs, product security leaders, and security architects, to gain comprehensive visibility into risks across the development pipeline from the infrastructure to the application layer. With a crystal-clear view of the development lifecycle, customers ensure the code deployed is secure and compliant. Legit’s capabilities that help companies manage their application security posture include:

  • SDLC Visibility & Security: Gain a complete view of your software factory, including development assets and security controls; discover unknown assets and activities, such as developers’ use of GenAI code.
  • Software Supply Chain Security: Automatically discover, analyze, and secure your software supply chain; maintain a continuous inventory of SDLC assets; and produce current software bill of materials (SBOMs).
  • Compliance: Align to regulatory compliance and map application security to frameworks such as CISA SSDF, SLSA, FedRAMP and ISO 27001; leverage findings to support internal and external audit requirements.
  • Application Vulnerability Management: Consolidate findings from multiple AppSec tools and make sense of these results – supported by contextual understanding of the developer environment – to effectively prioritize remediation.
  • Secrets Detection & Remediation: An AI-powered solution that enables secrets discovery beyond source code, Legit enables organizations to detect, remediate, and prevent secrets exposure across the software development pipeline.