Last Week in Ransomware: 10.30.23
In Last Week in Ransomware News, we saw ransomware attack volumes reach an all-time high, Cl0p ransomware operations go quiet, and the US host a 50-nation anti-ransomware summit...
Most Targeted Sectors and Active Attack Groups
Researchers have revealed that the number of organizations publicly exposed as victims of ransomware attacks has reached an all-time high in 2023. In the first three quarters of the year, a staggering 3,385 organizations were identified as victims, marking an alarming 83 percent increase compared to the previous year.
The manufacturing, technology, retail, and wholesale sectors have been the primary targets of these malicious attacks. Notably, several notorious ransomware groups have been actively involved in these incidents, with Lockbit, Clop, and BlackCat/ALPHV being the most prominent culprits.
"Q3 of 2023 marked the largest volume of public ransomware victims that GRIT has observed since we began tracking the ransomware ecosystem for the last two plus years." This observation underscores the growing threat that ransomware poses.
A significant portion of these attacks targeted vulnerabilities that had existed for several years, typically of low to medium severity. Because organizations had left these vulnerabilities unpatched or neglected, they remained exploitable. Additionally, attackers began incorporating more advanced attack sequences into their operations.
It's essential to note that the actual number of ransomware attacks may be significantly higher than reported, as private organizations and individuals are not obliged to disclose such incidents. A startling revelation from 2022 indicates that only about 20% of ransomware attacks were reported to law enforcement.
This underreporting implies that the ransomware threat is even more substantial than it appears, and existing security solutions are not completely effective in countering these attacks. Ransomware-as-a-Service (RaaS) operators and data extortion attackers continually innovate, making it challenging to defend against them.
Exploitation of Zero-Day Vulnerabilities
A recent incident involving Cisco underscores the severity of the ransomware threat. Cisco discovered active exploitation of a zero-day vulnerability in their software. This vulnerability enabled attackers to create high-privilege accounts and execute malicious code.
The attackers also exploited another zero-day vulnerability to escalate their privileges to root access, allowing them to compromise network hardware fully.
This alarming trend suggests that ransomware attackers are increasingly leveraging zero-day vulnerabilities, which were traditionally reserved for nation-state operations. The attackers are also creating specialized tools to enhance data exfiltration and ransom negotiation processes.
High Cost of Ransomware Attacks on Healthcare
A study reveals the staggering economic toll of ransomware attacks on the United States' healthcare sector. Over the past seven years, 539 attacks have affected nearly 10,000 healthcare facilities and compromised over 52 million patient records. The downtime resulting from these attacks ranged from minimal disruption to months of recovery.
The year 2023 saw an average of 18.7 days of downtime in the healthcare sector, signifying the significant impact of ransomware on patient care and the financial stability of healthcare providers.
Ransomware attacks on healthcare providers pose a substantial threat to human life. Contrary to the perception that the healthcare industry is financially robust, it is primarily operated by non-profit entities with limited budgets and resources. Ransomware attacks can disrupt critical medical services and patient care.
The ransomware threat to healthcare providers is particularly alarming because these attacks can directly affect patients, whose needs cannot be delayed. The time required for healthcare organizations to recover from ransomware attacks, approximately three weeks or more, is detrimental to patients in need of immediate care.
International Efforts to Combat Ransomware
In response to the escalating ransomware threat, the Biden administration is convening a global coalition of security leaders from 50 nations to discuss cyber threat intelligence sharing and anti-ransomware policies. While international cooperation is a positive step, it is unlikely to fully mitigate the ransomware threat.
A critical challenge in combating ransomware attacks is the ambiguity surrounding attribution. The most active ransomware groups have ties to Russia and potentially receive support from the Russian government. This overlap between cybercriminal activity and nation-state operations provides a degree of plausible deniability for Russia.
The involvement of ransomware gangs as proxies allows nations like Russia to conduct cyberattacks with geopolitical implications while maintaining deniability. This makes it difficult for the United States and its allies to take decisive action against ransomware actors.
To effectively combat the ransomware threat, the United States must consider imposing sanctions on governments that provide safe harbor to ransomware operators. Until this occurs, the spate of ransomware attacks is unlikely to abate, and critical infrastructure remains at risk.
Clop Ransomware's Mysterious Disappearance
The Clop ransomware gang, known for its sophisticated attacks, saw a sudden decline in activity in August and disappeared entirely in September.
Cl0p is a RaaS platform first observed in 2019 that displayed advanced anti-analysis and anti-virtual-machine capabilities designed to hinder investigation in emulated environments.
Cl0p had dedicated considerable resources to automating aspects of the attack progression: exploiting known vulnerabilities for initial access, improving stealthy payload delivery, fine-tuning evasion techniques, and dramatically increasing encryption speeds.
Cl0p attacks had typically included the delivery of a ransomware payload, but in some of its more recent operations the group had been observed shifting to straight data exfiltration and extortion.
Whether or not Cl0p has been successful in effectively monetizing these compromises to collect the ransom demands is still unclear, and perhaps this respite is an attempt by the group to “catch up” with all the compromised victims.
Akumin Ransomware Attack
An alarming example of the ransomware threat's real-world impact is the recent attack on Akumin diagnostic medical imaging centers in South Florida. The attack forced the cancellation of patient appointments and the shutdown of medical imaging services. Additionally, the personal health information of numerous patients may have been compromised.
A recent study revealed that ransomware attacks against the healthcare sector have bled the US economy of tens of billions of dollars over the past seven years, with 539 attacks reported, nearly 10,000 healthcare facilities impacted, and over 52 million patient records compromised.
Ransomware attacks are one of the biggest threats facing every organization today, and healthcare providers have been hit particularly hard. It is indisputable that ransomware attacks on healthcare providers pose a significant threat to human life.
The surge in ransomware attacks and the increasing complexity of these operations highlight the critical need for enhanced cybersecurity measures, not just in the healthcare sector but across all industries.
International cooperation and the imposition of sanctions may help mitigate the threat, but a comprehensive approach involving cybersecurity awareness, patch management, and proactive defenses is essential to combat the evolving ransomware menace.
Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.