Ransomware RoundUp: 2023

March 26, 2024

Ransomware continues to be a threat globally. While it is difficult to track complete ransomware statistics because criminals cannot be counted as a reputable reporting source, 2023 was the year that broke several records in ransomware according to what attacks were reported by both ransomware actor blog sites and publicly reported incidents.

According to the cyber threat intelligence industry and government metrics made publicly available, the United States remained the top targeted nation, with 55% of ransomware incidents targeting the country. In the majority of months, the number of monthly attacks soared, with November 2023 clocking in at 89 reported attacks, the record set for reported incidents within a month. But the number of incidents is not the only significant increase – ransomware data exfiltration rates exploded, with notable data exfiltration to China. Likely due to the increase in the use of the double extortion technique, payments also increased, with traceable payments exceeding one billion dollars for the first time. In this blog, we review the key ransomware trends of 2023 as well as the notable events.

Commonly observed ransomware trends throughout 2023 included:

  • Ransomware actors intentionally use two different ransomware variants in the same attack on the same victim, which often results in data destruction at various, close-together time periods.
    • Double extortion, where threat actors demand a payment or threaten to release data, has been a trend for years; this new trend of a different ransomware variant entering an already-compromised network results in significantly more financial loss, reputational damage, data loss, and exfiltration, making recovery even more difficult.
  • Extortion increased
    • Multiple layers of extortion, including triple and quadruple, became part of regular ransomware operations instead of only sporadically included in ransomware campaigns.
  • Encryption Decreased
    • Intermittent encryption became more common than complete encryption to reduce the time needed for successful operations. Encryption is a time-consuming process. Partially encrypting data allows for less time needed in malicious operations, and less time for possibly exposing malicious actor presence in a network. By reducing the amount and frequency of encryption, actors can exfil data more quickly and then exit the network.
  • PII continues to appear on data leak and ransomware victim Leak sites, and a increase in other documents being shared has also been observed.
    • Ransomware actors are increasingly targeting Critical Infrastructure/Key Resources (CI/KR) blueprints and documents to move towards damaging physical structures and sectors needed for everyday life services, such as water, power, electric, food supplies, and more.

LockBit ransomware gang were the top actors of 2023, with BlackCat/ALPHV coming in second as most active. The latter was temporarily taken offline by law enforcement operations in December 2023, while the former was also temporarily taken offline in February 2024. Both groups, however, came back online almost as quickly as they were removed, resuming operations under new infrastructure.

Originally observed in 2019, Cl0p ransomware gang began their use of the MOVEit vulnerability to target victims in May 2023, and continued this campaign all summer long. Also known as TA505, the ransomware group exploited SQL injection vulnerability CVE-2023-34362, the MOVEit transfer; MOVEit is used to manage file transfer operations in thousands of organizations. Cl0p’s use of this vulnerability impacted many big-name brands and firms and received a high level of media attention. One of the final estimates is that about 2,000 installations of the MOVEit vulnerability were installed impacting ~60 million individuals globally. Numbers will remain uncertain due to unreported incidents and entities trying to cover up the impact of a network intrusion (Figure 1). However, experts estimated that the group could receive $100 million in payments from exploiting this vulnerability. 

Figure 1: Cl0p actors communicate with the public via one of their many messages on their leaks site, from summer 2023

ALPHV/Blackcat ransomware group were one of the most active ransomware groups throughout 2023. In September 2023 they claimed responsibility for the MGM cybersecurity incident that occurred through a post on their leak site. Down slot machines, non-functioning key cards, and more services were interrupted at MGM resorts and hotels nationwide. News articles broke Wednesday, 13 September, that ALPHV/Blackcat ransomware gang was responsible. On 14 September, new rumors emerged that “Scattered Spider” was also involved in the incident. Scattered Spider is assessed to be an English-speaking cybercrime group which is an affiliate of ALPHV. Additionally, Scattered Spider reportedly hit Caesars Entertainment on 7 September 2023. Caesars paid tens of millions to remain operational and did not experience an outage. Actors addressed the MGM outage on the ALPHV blog (Figure 2):

Figure 2: Actors discuss the summer 2023 MGM incident, for which Scattered Spider, an ALPHV affiliate, took responsibility; Source: DarkOwl Vision 

Healthcare

The healthcare sector was the most targeted sector of 2023. The healthcare industry is a valuable target, and in the words of cyber professionals is a “Target rich, security poor” industry, which is why some malicious actors so frequently target it. While some ransomware gangs swear off medical/healthcare industry entities, others actively go after this industry and view it as an easy target. Examples are not exhaustive and are only meant to provide a high level of observed trends:

  • Rhysida ransomware, a group that emerged in August 2023, targeted Prospect Medical Holdings (PMH) in early August 2023, and recently released the claim that they procured upwards of 500,000 corporate documents and patient information, including social security numbers.
    • This incident established Rhysida as a serious ransomware gang, as this is a notable target and the data procured is quite sensitive.
  • AlphV/BlackCat ransomware attacked Henry Schein Healthcare for the second consecutive month. The first incident was in October 2023, and in November 2023, they remained a victim. Henry Schein declined to speak to reporters about the multiple incidents but did acknowledge (after each incident, and after each appearance on the ransomware blog) that they were working quickly to reestablish the customer-facing services which were impacted.
  • 30 hospitals in the Ardent Health Services system were successfully targeted by a ransomware attack in November 2023 by an unknown group, resulting in all emergency services being redirected. While Ardent is headquartered in Tennessee, the impact has been felt throughout six states. Ardent Health issued a public statement about their “around the clock” efforts to restore services. For the initial three days after the incident, ambulances were re-routed to other providers and Ardent Health also advised patients to call their providers directly for any help. In January 2024, they began mailing letters directly to impacted patients.

The impact on healthcare as a whole was so large, CISA authored guidelines specifically for the health sector to improve cybersecurity practices and reduce the chances of becoming a victim.

Defense

While healthcare was the most targeted sector, the defense industrial base was not far behind as a ransomware target. Many large incidents involved governments as well as defense contractors who provide weapons and technology for world governments. As the Ukraine-Russia conflict continued, and then a new Middle East conflict emerged, in October 2023, the defense sector remains at an elevated risk for cyber-meddling and incidents. Examples are not exhaustive and are only meant to provide a high level of trends observed:

  • UK-based Zaun Ltd, which specializes in physical and perimeter security, revealed on 1 September 2023 they were a victim of LockBit ransomware. 
  • LockBit further claimed to have infiltrated Boeing’s systems using a zero-day. Boeing appeared on the LockBit leak site at the end of October 2023, but they offered no proof of data or material belonging to Boeing.
  • Australia-based Austal USA, a shipbuilding company, revealed it was the victim of a cyberattack as of December 6, 2023. Austal USA itself is a subsidiary of Austal and has contracts and multiple programs working with the US Navy. Ransomware gang Hunters International group claimed responsibility for the incident. 

Whether to preserve their operations and profits, or because law enforcement finally caught up to them, several high-profile ransomware groups went offline throughout 2023, and this trend continued into the first part of 2024 (Table 1):

Date Observed OfflineLE Involvement?Intentional Rebrand?Sold Source Code?Reestablished Operations?
HiveJan 2023YNYY, as “Hunters Int’l
RoyalFall 2023NYUnconfirmed if code was sold, but the overlap between Royal and Black Suit is publicly documentedY, as “Black Suit”
RansomedVCOct 2023NYYY, as “Raznatovic
Ragnar LockerOct 2023YNNN
BlackByteDec 2023    
ALPHV/BlackCatDec 2023YNNY
LockBitFeb 2024YNNY
KnightFeb 2024NNYTBD, as the post selling the code has been taken down, but no purchase or rebranding has yet been announced.
  ALPHV/BlackCatMar 2024NNTBD, affiliates could have access to what infrastructure was used post law enforcement takedown. If they aren’t paid part of their profits, they could expose what information they have for profit, revenge, or both.No, exit scammed.

In March 2024, ALPHV/BlackCat continued to make news when they shut down their onion site after their latest big victim, UnitedHealth’s Change Healthcare unit, purportedly paid their $22 million ransom (Figure 3):

Figure 3: ALPHV affiliates discuss the shutdown of BlackCat/ALPHV operations; Source: DarkOwl Vision

More of the groups who shut down of their own volition issued public statements or sentiment on various platforms (Figures 4 and 5). RansomedVC announced their source code sale on Telegram after pulling out of the project for “…personal reasons” while Knight ransomware group offered their source code for sale on RAMP forums:

Figure 4: Ransomed VC goes offline, sells source code via Telegram; Source: DarkOwl Vision
Figure 5: Knight ransomware source code is offered for sale on RAMP forum. The post remained available for under 24 hours, and then was taken down. It is unknown if the source code was purchased.

In October 2023, DarkOwl analysts identified a new darkweb ransomware forum when the admin of Ramp posted an in-depth advertisement and endorsement for Ransomed Forums. This forum advertises topics related to ransomware, such as RaaS offerings and more, advertised in Figures 6 and 7 below. DarkOwl analysts additionally identified Ransomed Forums chatter on other platforms has increased during the fall of 2023, so anticipation from the wider threat actor community is likely high as this forum gains users and momentum online.

Figures 6 and 7: Ransomed forums, a new ransomware focused online community, emerged in October 2023 and had an advertisement on similar forum Ramp.

New websites and forum offerings such as these will give alternatives to the traditional onion websites used to advertise victims as well as data for sale. Actors have espoused, on multiple platforms, that onion websites may no longer be safe, and that certain forums or online communities are better options for malicious operations. These include direct messaging platforms, such as Tox or Jabber (Figure 8).

Figure 8: An actor discusses not using onion websites for certain kinds of hacking activities; Source: DarkOwl Vision.
Figure 9: Actors discuss Tox being a safe chatting option on the DDW; Source: DarkOwl Vision

When the notorious ransomware group Conti ceased operations in 2022 and one of their disgruntled affiliates leaked internal documents and chats, the CTI community gained important insight into ransomware processes and operations. Their setup as a business with recruitment operations was confirmed; they had penetration testers and coders, as well as financial incentives for their employees.

In a similar vein, LockBit 3.0’s ransomware builder leaked in 2022 but 2023 was the year that cybercrime groups and threat actors alike put hundreds of new variants out using the builder. Variants were sold to other cybercriminals and used against multiple victims. This new version was more evasive, able to escape detection tools, than its predecessors. The CTI community noticed that it also shared overlap with BlackCat source code.

After these series of events, the community was able to take a few observed incidents and confirm them as trends moving forward:

  • Tox was confirmed as the preferred method of contact versus DDW forums, even the messaging options contained in those forums.
  • Ransomware actors appear to want to sell their ransomware operations to other actors for financial gain and are less willing to carry out operations themselves due to law enforcement actions and the possibility of unhappy affiliates leaking sensitive information or turning in the primary operators of ransomware.
  • Other groups reusing complete or partial source code of famous ransomware operations will likely continue. They can take source code and improve it on their own, adding language exceptions, tool evasion techniques, and more personalized instructions to improve speed and efficiency of ransomware campaigns instead of starting from scratch coding their own operations.

 A new group, NATIONAL HAZARD AGENCY (NHA), debuted using a new kind of ransom note, a Tox ID and an email address (Figure 10). As National Hazard Agency continues to define their operations and TTPs, the community will inevitably monitor and learn more about preferred communication methods and platforms, and best operational practices for newly formed ransomware groups who have ties to older groups no longer operating:

While 2023 witnessed several high-profile ransomware gangs shutdown operations, the context and intelligence gained from these events better informs future possibilities and trends surrounding ransomware activities. Based on observed conversations on DDW forums and DDW adjacent chat platforms such as Telegram, the criminal underground wants to continue to capitalize on the fear caused by ransomware. Actors know that financial opportunities abound by going after large companies and organizations, and they are especially encouraged by large payments. Furthermore, geopolitical conflicts allow hacktivist groups to choose sides and further their beliefs and values by targeting their opponents; so, ransomware leads to both fruitful financial opportunities as well as fame and attention for hacktivism.

After reviewing online discussions and exchanges between malicious cyber actors, analysts expect continued reuse and repurposing of ransomware source code from older groups that is purchased or stolen, with actors making their own tweaks to said code to both personalize and capitalize on their operations and campaigns. On platforms such as Telegram, actors have been openly discussing reuse of groups’ source code who are no longer active, the pricing that this code should have, and generally sharing ideas about gaining entry to desired sectors such as healthcare, tech, and supply chains of weapons providers as well as the global defense industrial base.

Ransomware remains an efficient criminal operation yielding high profits. Even with increased disruption of ransomware groups, throughout 2023 and into 2024, the criminal actors stay informed and move infrastructure to protect their profits and operations. Critical infrastructure, academic, technology, and government sectors must all raise awareness and assist in protection from ongoing ransomware campaigns. With the advent of AI, ransomware operations will become even more robust due to the automation of spear phishing templates and emails being able to reach several thousand, versus several hundred, of possible entry points into organizations. Continuous monitoring allows for identifying events like ransomware attacks earlier. By detecting your brand, employee name, intellectual property, or other material on a leak site before the actors auction it off to the highest bidder or make it publicly available, you can reduce the reputational damage and avoid the degradation of trust that occurs during cyber incidents.


DarkOwl Vision allows organizations to monitor these ransomware groups on the darknet, to identify more information about their tactics, techniques, and procedures and the sectors they are targeting. DarkOwl analysts continuously monitor the darknet to identify emerging new groups and who the most recent victims are to best track and predict potential attacks.


Interested in learning more? Contact us to learn about our Ransomware API.

See why DarkOwl is the Leader in Darknet Data

Copyright © 2024 DarkOwl, LLC All rights reserved.
Privacy Policy
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.