More Ransomware Attacks in H1-2023 Than All of 2022

The first half of 2023 saw more victims impacted by ransomware attacks than in the entirety of 2022 as threat actors continue to leverage Ransomware-as-a-Service (RaaS) platforms to execute their attacks, according to a new report.

‍

“Russia has become one of the leading threat actors in the world... after several cyberattacks in 2022, including on Ukrainian government websites, organizations and companies, several Russian groups such as Sandworm, Callisto and Gamaredon continued their campaigns against the Eastern European nation in H1 2023,” Security Magazine reports.

‍

“In addition to Russia, the report identified a new command and control framework, named PhonyC2, which has been used by the Iranian-based MuddyWater group since at least 2021. The threat lab also observed and analyzed a previously undocumented and undetected new variant of BPFdoor by Red Menshen, a Chinese threat actor.”

‍

Takeaway: More than 2,300 organizations succumbed to ransomware attacks in just the first half of 2023, with the vast majority carried out by only three ransomware operators: LockBit (35.3%), BlackCat//ALPHV (14.2%), and Cl0p (11.9%).  

‍

Overall, ransomware attacks were up 74% in Q2-2023 over Q1. Ransomware attacks continue to be extremely lucrative, with ransom demands and recovery costs bleeding victim organizations for millions of dollars.  

‍

RaaS operators and other data extortion attackers are developing custom tooling and implementing novel evasion techniques into their payloads designed to evade or completely circumvent traditional endpoint protection solutions.

‍

Ransomware operators are expanding their addressable target range with additional Linux variants emerging, as well as one of the first viable variants targeting macOS.

‍

Furthermore, ransomware attacks are creating liability issues and intellectual property loss for organizations as attackers focus on the exfiltration of sensitive data prior to delivering the ransomware payload.

‍

The Halcyon team of ransomware experts publish a quarterly RaaS and extortion group power ranking guide as a quick reference. The Q2-2023 report is available here: Power Rankings: Ransomware Malicious Quartile Q2 2023 (PDF).

‍

Some interesting trends emerged in the first half of 2023, evidence that ransomware operators are investing heavily in development and are improving operational efficiencies through automation:

• The precipitous decline in attacks observed in 2022 was short lived with attack volume records smashed in March 2023
• Attackers are expanding their addressable targets with more groups developing Linux variants
• Some ransomware groups are shifting tactics to straight data exfiltration extortion attacks with no encryption payload
• 8Base ransomware gang ramps up with a whopping 67 attacks as of May 2023
• Dish Network is just one of the victim organizations facing class action lawsuits stemming from ransomware attacks that exposed sensitive data
• Attackers introduced custom tooling like AuKill & Backstab to bypass security solutions
• Ransomware operators developed custom Grixba & VSS Copying tools for data exfiltration
• Attackers observed using Living-off-the-Land (LotL) techniques by way of a custom PowerShell-based tool to automate data exfiltration on targeted networks
• What may be the first variant observed targeting MacOS was released detected in the wild
• Semi-autonomous ransomware strain dubbed Rorschach emerges with advanced automation, fast encryption speed and stealthy DLL side-loading for security evasion and persistence
• BlackCat/ALPHV released variant dubbed Sphynx that dramatically increases both encryption speed and stealth in bypassing security solutions
• Attackers are increasingly automating exploits of known vulnerabilities like MOVEit; PAN Cortex XDR; GoAnywhere; IBM Aspera Faspex; VMWare ESXi; PaperCut; MS SQL  
• Ransomware gangs are increasingly exposing sensitive data such as the leaking compromising clinical photographs of breast cancer patients
• The Cl0p gang claimed more than 100 victims in a massive attack spree by exploiting a vulnerability in in GoAnywhere software – a precursor to an even bigger campaign that leveraged a vulnerability in MOVEit software to compromise hundreds more victims
• Ransomware operators are increasingly using advanced techniques like DLL Side-Loading which are more typical of APT-type operations
• A new double extortion tactic was observed where attackers instruct victims to provide details of their cyber insurance coverage to set the ransom demand
• Nokoyawa dropped Windows CLFS zero-day - it is highly unusual to see ransomware operators leveraging zero-days, a tactic more common to APT operations
• Ransomware attacks abused Microsoft SharePoint without first compromising an endpoint via compromised Global SaaS admin account
• Novel Cactus ransomware exploits common vulnerabilities found in VPNs to gain persistence on the network

Ransomware attacks continue to be extremely lucrative, with ransom demands and recovery costs bleeding victim organizations for millions of dollars.  

‍

Until the US government directly sanctions Russia for their direct and/or tacit support of ransomware and data extortion operations, we will not see attacks subside any time soon.

‍

‍

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile (PDF).