Ransomware continues to be a global threat. Complete statistics are hard to compile, since the criminals themselves are not a reliable reporting source, but going by what was reported on ransomware actor leak sites and in public incident disclosures, 2023 broke several ransomware records.
According to publicly available cyber threat intelligence industry and government metrics, the United States remained the top targeted nation, accounting for 55% of ransomware incidents. Monthly attack counts rose in most months, with November 2023 reaching 89 reported attacks, a record for reported incidents in a single month. The number of incidents was not the only significant increase: ransomware data exfiltration rates exploded, with notable exfiltration to China. Payments also rose, likely driven by wider use of the double extortion technique, with traceable payments exceeding one billion dollars for the first time. In this blog, we review the key ransomware trends of 2023 as well as the notable events.
Commonly observed ransomware trends throughout 2023 included:
The LockBit ransomware gang was the top actor of 2023, with BlackCat/ALPHV the second most active. The latter was temporarily taken offline by law enforcement in December 2023, and the former in February 2024. Both groups came back online almost as quickly as they were removed, resuming operations on new infrastructure.
First observed in 2019, the Cl0p ransomware gang began exploiting the MOVEit vulnerability against victims in May 2023 and continued the campaign all summer. Also known as TA505, the group exploited CVE-2023-34362, a SQL injection vulnerability in MOVEit Transfer, a managed file transfer product used by thousands of organizations. Cl0p’s use of this vulnerability affected many big-name brands and firms and received a high level of media attention. One of the final estimates is that about 2,000 MOVEit installations were affected, impacting roughly 60 million individuals globally. The numbers will remain uncertain because of unreported incidents and entities trying to cover up the impact of a network intrusion (Figure 1). Experts nonetheless estimated that the group could receive $100 million in payments from exploiting this vulnerability.
The ALPHV/Blackcat ransomware group was one of the most active ransomware groups throughout 2023. In September 2023 it claimed responsibility for the MGM cybersecurity incident in a post on its leak site. Slot machines were down, key cards stopped working, and other services were interrupted at MGM resorts and hotels nationwide. News broke on Wednesday, 13 September, that the ALPHV/Blackcat ransomware gang was responsible. On 14 September, new rumors emerged that “Scattered Spider” was also involved in the incident. Scattered Spider is assessed to be an English-speaking cybercrime group that operates as an ALPHV affiliate. Scattered Spider also reportedly hit Caesars Entertainment on 7 September 2023; Caesars paid tens of millions to remain operational and did not experience an outage. The actors addressed the MGM outage on the ALPHV blog (Figure 2):
The healthcare sector was the most targeted sector of 2023. The healthcare industry is a valuable target; in the words of cyber professionals it is “target rich, security poor”, which is why some malicious actors target it so frequently. While some ransomware gangs swear off medical and healthcare entities, others actively pursue the industry and view it as an easy target. The examples below are not exhaustive and only illustrate observed trends at a high level:
The impact on healthcare as a whole was so large that CISA authored guidelines specifically for the health sector to improve cybersecurity practices and reduce the chances of becoming a victim.
While healthcare was the most targeted sector, the defense industrial base was not far behind. Many large incidents involved governments as well as the defense contractors that supply weapons and technology to them. With the Russia-Ukraine conflict continuing and a new conflict in the Middle East emerging in October 2023, the defense sector remains at elevated risk of cyber interference and incidents. The examples below are not exhaustive and only illustrate observed trends at a high level:
Whether to preserve their operations and profits or because law enforcement finally caught up with them, several high-profile ransomware groups went offline during 2023, and the trend continued into the first part of 2024 (Table 1):
Group | Date Observed Offline | LE Involvement? | Intentional Rebrand? | Sold Source Code? | Reestablished Operations?
---|---|---|---|---|---
Hive | Jan 2023 | Y | N | Y | Y, as “Hunters Int’l”
Royal | Fall 2023 | N | Y | Unconfirmed whether code was sold, but the overlap between Royal and Black Suit is publicly documented | Y, as “Black Suit”
RansomedVC | Oct 2023 | N | Y | Y | Y, as “Raznatovic”
Ragnar Locker | Oct 2023 | Y | N | N | N
BlackByte | Dec 2023 | | | |
ALPHV/BlackCat | Dec 2023 | Y | N | N | Y
LockBit | Feb 2024 | Y | N | N | Y
Knight | Feb 2024 | N | N | Y | TBD; the post selling the code has been taken down, but no purchase or rebrand has yet been announced
ALPHV/BlackCat | Mar 2024 | N | N | TBD; affiliates may still have access to the infrastructure used after the law enforcement takedown, and if they are not paid their share of the profits they could expose what they hold for profit, revenge, or both | N, exit scammed
In March 2024, ALPHV/BlackCat continued to make news when they shut down their onion site after their latest big victim, UnitedHealth’s Change Healthcare unit, purportedly paid their $22 million ransom (Figure 3):
Some of the groups that shut down of their own volition issued public statements on various platforms (Figures 4 and 5). RansomedVC announced the sale of their source code on Telegram after pulling out of the project for “…personal reasons”, while the Knight ransomware group offered their source code for sale on the RAMP forum:
In October 2023, DarkOwl analysts identified a new darkweb ransomware forum when the admin of RAMP posted an in-depth advertisement and endorsement of Ransomed Forums. The forum covers ransomware-related topics such as RaaS offerings, as advertised in Figures 6 and 7 below. DarkOwl analysts also observed that chatter about Ransomed Forums on other platforms increased during the fall of 2023, so anticipation in the wider threat actor community is likely high as the forum gains users and momentum.
New websites and forum offerings such as these give actors alternatives to the traditional onion sites used to advertise victims and data for sale. Actors have said, on multiple platforms, that onion sites may no longer be safe and that certain forums or online communities are better options for criminal operations, as are direct messaging platforms such as Tox or Jabber (Figure 8).
When the notorious ransomware group Conti ceased operations in 2022 and one of their disgruntled affiliates leaked internal documents and chats, the CTI community gained important insight into ransomware processes and operations. Their setup as a business with recruitment operations was confirmed; they had penetration testers and coders, as well as financial incentives for their employees.
In a similar vein, the LockBit 3.0 ransomware builder leaked in 2022, but 2023 was the year that cybercrime groups and threat actors put out hundreds of new variants using the builder. Variants were sold to other cybercriminals and used against multiple victims. This version was more evasive than its predecessors and better able to escape detection tools. The CTI community also noted that its code overlaps with BlackMatter.
After this series of events, the community was able to take several observed incidents and confirm them as trends going forward:
A new group, NATIONAL HAZARD AGENCY (NHA), debuted with a new style of ransom note that lists a Tox ID and an email address (Figure 10). As National Hazard Agency continues to define its operations and TTPs, the community will monitor and learn more about the preferred communication methods and platforms, and the operational practices, of newly formed ransomware groups that have ties to older groups no longer operating:
While 2023 saw several high-profile ransomware gangs shut down operations, the context and intelligence gained from these events better inform future possibilities and trends in ransomware activity. Based on observed conversations on DDW forums and DDW-adjacent chat platforms such as Telegram, the criminal underground intends to keep capitalizing on the fear ransomware causes. Actors know that financial opportunities abound in going after large companies and organizations, and large payments especially encourage them. Geopolitical conflicts also allow hacktivist groups to choose sides and advance their beliefs and values by targeting their opponents, so ransomware offers both financial reward and fame and attention for hacktivism.
After reviewing online discussions and exchanges between malicious cyber actors, analysts expect continued reuse and repurposing of purchased or stolen ransomware source code from older groups, with actors making their own tweaks to that code to personalize and capitalize on their operations and campaigns. On platforms such as Telegram, actors have openly discussed reusing the source code of groups that are no longer active, what that code should cost, and, more generally, ideas for gaining entry to desired sectors such as healthcare, tech, the supply chains of weapons providers, and the global defense industrial base.
Ransomware remains an efficient criminal operation yielding high profits. Even with increased disruption of ransomware groups throughout 2023 and into 2024, the criminal actors stay informed and move infrastructure to protect their profits and operations. Critical infrastructure, academic, technology, and government sectors must all raise awareness and assist in protection against ongoing ransomware campaigns. With the advent of AI, ransomware operations are expected to become even more robust: automated spear phishing templates and emails can reach several thousand, rather than several hundred, possible entry points into an organization. Continuous monitoring allows events like ransomware attacks to be identified earlier. By detecting your brand, employee names, intellectual property, or other material on a leak site before the actors auction it off to the highest bidder or make it public, you can reduce reputational damage and avoid the erosion of trust that follows a cyber incident.
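The two monitoring tasks this post describes, extracting the actor contact channels from a ransom note (the Tox ID and email that NHA lists, plus onion addresses) and watching leak-site text for your own brand names, are small enough to script. The example below is added here as an illustration and is not code from DarkOwl or from any ransomware group; the ransom note and leak post it scans are constructed sample data, and the watchlist terms and the `build_tox_id` helper exist only to produce that sample. It validates candidate Tox IDs with the XOR checksum that toxcore appends to an address (32-byte public key, 4-byte nospam, 2-byte checksum, 76 hex characters in total), which filters out other 76-character hex strings such as hashes or keys that a bare regex would flag.

```python
import re
from dataclasses import dataclass, field

# A Tox ID is 38 bytes rendered as 76 hex characters:
# 32-byte public key + 4-byte nospam + 2-byte checksum.
TOX_ID_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")
# Tor v3 onion service hostname: 56 base32 characters followed by ".onion".
ONION_V3_RE = re.compile(r"\b[a-z2-7]{56}\.onion\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def tox_checksum(body: bytes) -> bytes:
    """Checksum toxcore appends to an address: the first 36 bytes XORed into two bytes."""
    chk = [0, 0]
    for i, b in enumerate(body[:36]):
        chk[i % 2] ^= b
    return bytes(chk)


def tox_checksum_ok(tox_id: str) -> bool:
    """True if a 76-hex-character string carries a valid Tox address checksum."""
    raw = bytes.fromhex(tox_id)
    return len(raw) == 38 and tox_checksum(raw) == raw[36:]


def build_tox_id(pubkey_and_nospam: bytes) -> str:
    """Build a well-formed Tox ID from 36 bytes (hypothetical helper, used only for sample data)."""
    assert len(pubkey_and_nospam) == 36
    return (pubkey_and_nospam + tox_checksum(pubkey_and_nospam)).hex().upper()


@dataclass
class Findings:
    tox_ids: list = field(default_factory=list)
    onions: list = field(default_factory=list)
    emails: list = field(default_factory=list)
    watchlist_hits: list = field(default_factory=list)  # (term, line number)


def extract_indicators(text: str, watchlist: list) -> Findings:
    """Pull contact channels out of note/leak text and flag watchlist terms per line."""
    f = Findings()
    for candidate in TOX_ID_RE.findall(text):
        if tox_checksum_ok(candidate):  # drop random 76-hex strings (hashes, keys)
            f.tox_ids.append(candidate.upper())
    f.onions = sorted(set(ONION_V3_RE.findall(text)))
    f.emails = sorted(set(EMAIL_RE.findall(text)))
    for lineno, line in enumerate(text.splitlines(), start=1):
        for term in watchlist:
            if re.search(r"\b" + re.escape(term) + r"\b", line, re.IGNORECASE):
                f.watchlist_hits.append((term, lineno))
    return f


# Constructed sample: a fake ransom note followed by a fake leak-site post. Not real actor data.
SAMPLE_TOX_ID = build_tox_id(bytes(range(36)))
SAMPLE_TEXT = f"""!!! YOUR FILES ARE ENCRYPTED !!!
Contact us within 72 hours.
Tox ID: {SAMPLE_TOX_ID}
Backup contact: support_nha@example.onion
sha256 of decryptor: {'F' * 76}
--- leak post ---
New victim: Example Corp (examplecorp.example), 40 GB exfiltrated.
Proof: http://{'a' * 56}.onion/examplecorp
"""
SAMPLE_WATCHLIST = ["Example Corp", "examplecorp"]  # hypothetical brand terms


def scan_sample() -> Findings:
    """Run the extractor over the constructed sample."""
    return extract_indicators(SAMPLE_TEXT, SAMPLE_WATCHLIST)


if __name__ == "__main__":
    r = scan_sample()
    print("Tox IDs:", r.tox_ids)
    print("Onions:", r.onions)
    print("Emails:", r.emails)
    print("Watchlist hits:", r.watchlist_hits)
```

The 76-character string of `F`s is deliberately included: it matches the Tox ID pattern but fails the checksum (36 bytes of 0xFF XOR to 0x0000, not 0xFFFF), so it is discarded, while the constructed ID with a correct checksum is kept. In practice the same extractor runs over scraped leak-site pages or chat exports, and the Tox IDs, emails and onions it returns are the pivot points for tracking a group across rebrands.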
DarkOwl Vision allows organizations to monitor these ransomware groups on the darknet, to identify more information about their tactics, techniques, and procedures and the sectors they are targeting. DarkOwl analysts continuously monitor the darknet to identify emerging new groups and who the most recent victims are to best track and predict potential attacks.