State of Ransomware: 2023 Midyear Review

August 2, 2023

Each year, ransomware continues to pose a critical threat to organizations worldwide across all industry verticals. The first half of 2023 has been no different, as ransomware remains a top threat for organizations. Thus far in 2023, ransomware groups have partnered with multiple cybercriminal groups, disrupted thousands of business operations, cost organizations millions of dollars between ransom demands and recovery costs, and continued to name and shame victims on the Telegram application and data leak sites.

This blog post covers ransomware activity, trends, and mitigations during the first half of 2023, as well as what we expect looking forward. The numbers discussed throughout this blog include only victims listed on data leak sites. It is Almost Certain that the number of overall victims is significantly higher, as data leak sites do not typically list victims who pay a ransom within a certain timeframe.

Headlines, Headlines, Headlines

Like previous years, ransomware news continued to make headlines each week in 2023. One of the top stories was the takedown of the Hive ransomware operation, in which law enforcement seized the group’s data leak site and servers in January 2023. As Lawrence Abrams reports, “The U.S. Department of Justice and Europol announced that an international law enforcement operation secretly infiltrated the Hive ransomware group’s infrastructure in July 2022, when they secretly began monitoring the operation for six months. The operation allowed them to learn about attacks before they occurred and warn targets, and to obtain and distribute decryption keys to victims, preventing nearly $130 million in ransom payments.” In the seizure of the group’s servers, law enforcement collected affiliate, victim, and malware information. Abrams writes, “The ransomware gang’s Tor web sites now display a seizure notice listing a wide range of other countries involved in the law enforcement agencies, including Germany, Canada, France, Lithuania, Netherlands, Norway, Portugal, Romania, Spain, Sweden, and the United Kingdom. Unlike other seizure notices, this one is an animated GIF that rotates the seizure notice in English and Russian.” The gTIC supports Abrams’ assertion that this GIF is Likely an attempt to warn other ransomware operations.

Along with Hive, the Clop ransomware operation (often associated with the TA505 or FIN11 cybercriminal groups) continued to make headlines. In February 2023, Clop claimed responsibility for the attacks exploiting CVE-2023-0669 (CVSS score 7.2), a vulnerability in the GoAnywhere MFT software, and claimed to have stolen data from more than 130 organizations. In April 2023, Clop ransomware operators reportedly targeted two vulnerabilities affecting PaperCut servers, CVE-2023-27350 (CVSS score 9.8) and CVE-2023-27351 (CVSS score 8.2), to reach additional organizations. In May 2023, Clop ransomware operators claimed responsibility for exploiting the MOVEit vulnerability, CVE-2023-34362 (CVSS score 9.8), and purportedly targeted more than 380 organizations; the group had listed 188 victims on its data leak site at the time of writing. This type of targeting has become an integral part of Clop’s operations: in 2021, the group targeted four vulnerabilities in the Accellion MFT software and stole data from those victims. This suggests that file transfer services and software have become targets of focus for ransomware operators and will Likely continue to be targeted over the next 12 months.

Clop operators have been observed skipping the encryption process during attacks, which allows them to spend more time collecting sensitive data and holding it for ransom. In May 2023, BianLian operators also skipped the encryption step and moved directly to exfiltration and extortion-only attacks. This move was Likely a reaction to Avast security researchers releasing a ransomware decryptor, combined with the proven success of groups like Clop.

The LockBit ransomware operation has been the most active variant month after month. However, in March 2023, the group fell to second place for the first time since September 2021: Clop surpassed LockBit with 100 victims posted to its data leak site against 99 posted by LockBit operators. In June, LockBit again fell to second place, with 62 victims listed on its data leak site and 91 victims listed by Clop. These two instances are Likely due to the Clop group targeting the GoAnywhere MFT and MOVEit vulnerabilities.

In July 2023, the Clop ransomware operation took a page out of the Alphv ransomware playbook. Clop operators purportedly created internet-accessible websites dedicated to specific victims, which makes it easier to leak stolen data and apply additional pressure to the victims. This tactic, started by Alphv ransomware operators in 2022, makes it easier to leak the data and gives it greater public visibility. Threat actors typically host data leak sites as Tor hidden services, which can only be reached through a Tor browser. Many non-technical users do not know how to access these sites, search engines do not index the leaked data, and downloads take longer. A clear-web site allows anyone to view the data, which means data from victim organizations could be searched by employees, accessed by journalists, and indexed by search engines. The success of this tactic is unknown, as these sites are easier to take down and, at the time of writing, all of the Clop-created sites had been taken down. Historically, ransomware groups have played follow the leader, and it is Likely that Clop attempted to copy a tactic that had proven successful for the Alphv group.

In February 2023, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released an advisory documenting tactics, techniques, and procedures (TTPs) associated with North Korean ransomware operations targeting the healthcare and critical infrastructure verticals. According to Bill Toulas, the document notes that “the funds extorted this way went to support North Korean government's national-level priorities and objectives.” These threat actors targeted Log4Shell (CVE-2021-44228), as well as the SonicWall (CVE-2021-20038) and TerraMaster NAS (CVE-2022-24990) vulnerabilities. Several of the variants observed were publicly available ransomware variants, and others were ransomware-as-a-service (RaaS) programs.

Ransomware Activity by Variant

In addition to the major headlines, 16 new ransomware operations running a data leak site emerged in the first half of 2023, bringing the total number of active variants to 51 operations.

In the first half of 2023, 2,300 organizations were listed as victims on ransomware data leak sites, which represents an increase of over 70% compared to the first half of 2022. When comparing the first half of 2022 to the first half of 2023, the variants with the highest increases included Clop (a 774% increase from 23 victims to 201 victims), RansomHouse (a 400% increase from 6 victims to 30 victims), and Black Basta (a 136% increase from 50 victims to 118 victims). The largest decreases included Hive (a 94% decrease from 62 victims to 4 victims), Everest (an 88% decrease from 25 victims to 3 victims), and Cuba (an 88% decrease from 24 victims to 3 victims). Hive’s decrease in victims is Likely due to the group’s shutdown.

The most active groups in the first half of 2023 were LockBit with 528 listed victims, Alphv with 224 listed victims, and Clop with 201 listed victims. The graph below includes only the variants that posted more than 15 victims in the first half of 2023. The groups that were active but are not included are: 0mega, Abyss, Bl00dy, Black Suit, CrossLock, Cryptnet, Cuba, Cyclops, Daixin, Dark Power, DarkBit, DarkRace, Donut, Dunghill Leaks, Everest, Hive, La Piovra, Lorenz, Money Message, Monti, NoEscape, NoName, Ra Group, Ragnar Locker, Rancoz, RansomEXX, Unsafe, and Vendetta.

Figure 1: Ransomware activity January 01-June 30, 2023

Geographic Numbers

In the first half of 2023, all geographies saw an increase in targeted attacks when compared to the first half of 2022. The top increases include Africa with 21 victims in the first half of 2022 and 48 victims in the first half of 2023 (a 129% increase), Oceania with 22 victims in the first half of 2022 and 48 victims in the first half of 2023 (a 118% increase), and North America with 627 victims in the first half of 2022 and 1,197 victims in the first half of 2023 (a 91% increase). The most targeted geography was North America, continuing the trend observed over the previous 24 months; of those victims, 88.3% (1,057) were in the United States. Other increases included Asia (90%), South America (72%), and Europe (34%).

Figure 2: Victims by geography January 01-June 30, 2022, compared to January 01-June 30, 2023

Vertical Numbers

Like the geographies, all verticals saw an increase in ransomware targeting in the first half of 2023. Verticals with the largest increases included Institutions and Organizations with 14 victims in the first half of 2022 and 41 victims in the first half of 2023 (a 193% increase), Insurance with 21 victims in the first half of 2022 and 59 victims in the first half of 2023 (a 181% increase), and Telecommunications with 17 victims in the first half of 2022 and 39 victims in the first half of 2023 (a 129% increase). Financial Services also saw a 129% increase, from 93 to 213 victims. However, this increase is Likely due to the increase in Insurance victims, as Insurance is a sub-vertical of Financial Services.

In the first half of 2023, Industrials remained the most targeted vertical, with 873 listed victims. This is Likely because this vertical includes organizations in the Manufacturing, Construction & Engineering, Transportation, and Industrial Services verticals. These organizations are often targeted because of their inability to tolerate significant downtime, the amount of sensitive information they store on clients and partners, and the greater likelihood of a ransom payout. Technology and Consumer Cyclicals were the second and third most targeted verticals, with 284 and 264 victims named, respectively.

Figure 3: Victims by vertical January 01-June 30, 2022 compared to January 01-June 30, 2023

Looking Forward

When ransomware groups adopted the double extortion method from 2019-2020—arguably pioneered by the Maze Team ransomware cartel—they began operating in a business-like model. Trust was a core value of the groups, who operated by the model of “pay the ransom and get the decryption key.” However, by 2022, ransomware groups began showing less interest in building trust or a reputation. Groups come and go and rebrand; affiliates have little regard for the type of organization they target, and many do not follow the rules put in place by the earlier ransomware groups. Affiliate members and developers have reportedly been involved with multiple ransomware strains and campaigns, thus undermining attribution to any particular group or operator(s).

Clop’s exploitation of multiple zero-day vulnerabilities to target hundreds of organizations at a time Likely had a significant effect on the number of ransomware incidents in the first half of 2023. While the shutdown of the Hive ransomware operation had a temporary effect on the landscape, the introduction of new operations and shifting affiliates Likely softened that impact. The constant shifting of affiliates and the emergence of new groups render post-incident attribution less valuable and emphasize the need to focus on proactive, risk-based intelligence and defensive measures. It is Likely that Clop operators will continue to target high-profile zero-day vulnerabilities to conduct large-scale extortion attacks over the next 12 months.

Ransomware groups have historically used phishing to gain initial access to victims’ networks and have taken advantage of global events to lure victims into interacting with the email. This technique will Likely remain a top intrusion vector throughout 2023. As uncertain times continue – remote working, the Russia/Ukraine war, economic instability, etc. – ransomware groups will use these events to exploit the fear and curiosity of employees and lure victims.

The gTIC assesses with High Confidence that ransomware will Likely remain a prevalent threat over the next 12 months. Despite high-profile ransomware incidents and government and law enforcement attention on ransomware operations, there is currently little motive for ransomware operations to cease. Ransomware operators have continued to operate and adapt throughout 2022-2023. Over the next 12 months, they are assessed to continue building infrastructure and capabilities around themselves as one-stop shops, with less reliance on marketplaces and forums. Critical verticals like Healthcare, Energy, Industrial Services (like Transportation), and Government are Likely to remain attractive opportunities for ransomware operators due to their high-value information, inability to tolerate significant downtime, and likelihood of a ransom payment.

If attackers continue to extract and profit from extortion payments, then targeted ransomware attacks will Very Likely continue over the next 12 months. More ransomware groups will Likely emerge as groups rebrand, fly-by-night operations increase, and relationships between affiliates and developers change. The double-extortion method will Very Likely remain the primary procedure across the ransomware threat landscape. Multiple groups have been observed conducting extortion-only attacks, where data is stolen but not encrypted. Given the history of ransomware groups following tactics that have proven successful, it is Likely that additional groups will begin extortion-only attacks over the next 12 months.

It is Likely that ransomware operators will increasingly partner with initial access brokers (IABs) to gain initial access and will use remote access markets, which are automated stores that allow threat actors to sell and exchange access credentials. These brokers and markets play an essential role in the ransomware landscape, as they allow quick access to victim environments.

Mitigations

Optiv’s gTIC makes the following mitigation recommendations for the threats highlighted in this report:


  • An organization’s planning should occur before a ransomware attack does, and it should assume that the organization will be targeted.
  • Ensure that data is backed up and that multiple backup iterations are saved and segregated. There are many methods to achieve this, such as the 3-2-1 or 3-2-2 method.
  • Enable role-based access controls (RBAC), least-privilege policies, and allowlists or blocklists for tools, software, and applications. These prevent employees and adversaries from downloading and installing unauthorized software, and they deter adversaries from running administrator-level processes and commands on infected devices.
  • Prioritize patching based on a few considerations, which include the vulnerability’s impact on the organization’s data, the types and number of systems affected, the access level required to exploit the vulnerability, and how widely known the vulnerability is. Cybercriminal forum discussions relating to vulnerabilities can help organizations determine this information.
  • Ensure sensitive protocols like SMB, RDP, and UPnP are protected, or disabled if they are not critical to operations. RDP servers and ports should be kept behind an RDP gateway and protected with strong, unique passwords.
  • Enable MFA for access to OWA and other login portals, virtual private network (VPN) clients and servers, and critical systems holding sensitive data.
  • Implement an incident response plan (IRP) that includes the processes for data backup and restoration, for notifying the appropriate team members and law enforcement, and for ensuring business continuity.
  • Perform penetration testing and red team exercises to identify weaknesses and fortify your defenses. Penetration testing coupled with a training exercise, such as a tabletop exercise, helps ensure that incident responders are prepared in the event of an incident.
  • Create a robust security awareness program that includes training on identifying phishing emails and on how and when to report them to an incident response authority.
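The patch-prioritization considerations in the list above, turned into a scoring routine as an added example (this is not Optiv's tooling or code from the original post). The CVE identifiers and CVSS scores are the ones named in this report; the inventory fields, weights, and SLA tiers are assumptions chosen for illustration.

```python
"""Risk-based patch prioritization using the four considerations listed above
(data impact, systems affected, access level required, how widely known).
Added example; every field except the CVE IDs and CVSS scores is constructed."""
from dataclasses import dataclass

# Weight for the access level an attacker needs; values are assumptions.
ACCESS_WEIGHT = {"unauth_remote": 1.0, "auth_remote": 0.6, "local": 0.4}

@dataclass
class Vuln:
    cve: str
    cvss: float            # published base score
    systems_affected: int  # hosts in inventory running the affected build
    data_impact: int       # 1 (public data) .. 5 (regulated / crown-jewel data)
    access_required: str   # key into ACCESS_WEIGHT
    internet_facing: bool  # reachable from the internet in this deployment
    widely_known: bool     # public exploit code or reported ransomware use

def priority_score(v: Vuln) -> float:
    """Combine the report's criteria (plus CVSS) into a 0-100 score. Weights
    (assumed): CVSS 25%, data 25%, systems 20%, access/exposure 15%, widely
    known 15%. Host count saturates at 100 so a few exposed servers holding
    sensitive data are not drowned out by fleet size."""
    cvss_term = v.cvss / 10.0
    data_term = v.data_impact / 5.0
    systems_term = min(v.systems_affected, 100) / 100.0
    access_term = ACCESS_WEIGHT[v.access_required] * (1.0 if v.internet_facing else 0.5)
    known_term = 1.0 if v.widely_known else 0.0
    score = (0.25 * cvss_term + 0.25 * data_term + 0.20 * systems_term
             + 0.15 * access_term + 0.15 * known_term)
    return round(100 * score, 1)

def remediation_window(score: float) -> str:
    """Illustrative SLA tiers (assumed), so the score drives a concrete deadline."""
    return "72 hours" if score >= 75 else "7 days" if score >= 60 else "30 days"

def prioritize(vulns: list[Vuln]) -> list[tuple[str, float, str]]:
    """(cve, score, deadline) tuples, highest priority first."""
    scored = [(v.cve, priority_score(v)) for v in vulns]
    scored.sort(key=lambda t: t[1], reverse=True)
    return [(cve, s, remediation_window(s)) for cve, s in scored]

# Constructed inventory: two internet-facing MOVEit Transfer servers holding
# regulated data, one GoAnywhere MFT host, a 40-host internal PaperCut estate,
# and a 900-host local-only bug (CVE-EXAMPLE-0001 is a placeholder identifier).
SAMPLE = [
    Vuln("CVE-2023-34362", 9.8, 2, 5, "unauth_remote", True, True),
    Vuln("CVE-2023-0669", 7.2, 1, 5, "unauth_remote", True, True),
    Vuln("CVE-2023-27350", 9.8, 40, 2, "unauth_remote", False, True),
    Vuln("CVE-EXAMPLE-0001", 7.8, 900, 2, "local", False, False),
]

if __name__ == "__main__":
    for cve, score, window in prioritize(SAMPLE):
        print(f"{cve:<18} {score:>5}  patch within {window}")
```

Note how the two internet-facing file transfer servers outrank a much larger internal fleet, which is the point the report makes about MFT software becoming a target of focus.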
Intelligence Analyst | Optiv
Andi Ursry has over four years of experience in Threat Intelligence. Ursry began her career in the retail sector in Loss Prevention and Safety positions. She worked on-site to help stores mitigate risks. After seeing a shift toward cybercrime, she changed focus to cyber intelligence. Ursry’s research focuses on ransomware groups and their tactics.

Prior to joining Optiv, Ursry was a Cyber Threat Intelligence Analyst for a California-based cybersecurity company that specializes in digital risk. She earned a bachelor’s and master’s degree in criminal justice from Colorado Technical University, Online.
