Ransomware attacks have only increased in sophistication and capabilities over the past year. From new evasion and anti-analysis techniques to stealthier variants coded in new languages, ransomware groups have adapted their tactics to effectively bypass common defense strategies.
Cyble, a renowned cyber threat intelligence company recognized for its research and findings, recently released its Q3 Ransomware Report. This article delves into the significant developments from the third quarter of 2023, as detailed in the Q3 Ransomware Report, and offers predictions for upcoming quarters. The primary objective is to provide a comprehensive recap of the major targets, both sector-wise and by nation and region. Additionally, the article will highlight new techniques used, emphasizing major incidents and developments that potential targets should be aware of. We will also discuss anticipated trends in the future evolution of ransomware.
The increased weaponization of Vulnerabilities to deliver Ransomware:
Cyble has observed increased instances of vulnerabilities being used as a vector to deliver ransomware and other malware in recent months, with a particular emphasis on Networking devices. This marks a shift from the previously observed focus on weaponizing Managed File Transfer (MFT) software and applications.
This was observed in the impact it had high-impact vulnerabilities that led to the compromise of industry titans, as was observed in the case of the MOVEit vulnerability and the supply chain attack Barracuda Networks. All indications for Q3 and the months show that ransomware operators will continue to weaponize vulnerabilities and exploit zero-days to deliver ransomware payloads to compromise their targets.
While zero days are, by definition, unknown till they are exploited, organizations can take steps to ensure their vulnerability to an exploitable zero-day is minimized. Organizations also need to ensure that the software and products they use are up to date and implement cyber-awareness strategies to ensure that potentially exploitable vulnerabilities are identified and secured against on a priority basis.
While this is a significant finding to keep an eye on, Cyble Research & Intelligence Labs (CRIL) discovered several other trends in the ransomware space that are worth keeping an eye on:
1. Sectoral focus shift – Healthcare industry in the crosshairs
While the first half of the year saw an increase in ransomware attacks on the Manufacturing sector, recent trends point to a shift in focus towards the Healthcare sector. This has pushed Healthcare into the top 5 most targeted sectors by Ransomware groups, accounting for nearly a quarter of all ransomware attacks. These attacks have a specific motive – to gather Protected Health Information (PHI) and other sensitive data that healthcare providers and institutions have access to and sell this data on the darkweb.
According the Cyble’s ransomware report, the Healthcare sector is particularly vulnerable to ransomware attacks as it has an extremely large attack surface spanning several websites, portals, billions of IoT medical devices, and a large network of supply chain partners and vendors. A standardized cybersecurity plan for this sector is thus imperative to keep this critical data secured and ensure the smooth operation of critical healthcare functions.
2. High-income organizations remain the primary focus
Ransomware operators can often seem indiscriminate when it comes to their targets; however, it is a known fact that they prefer to target high-income organizations dealing with sensitive data. This not only helps boost the Ransomware operator’s profile as a serious threat but also ensures a higher chance of ransomware payments being made.
The reason for this is twofold: high-income organizations have the means to pay the exorbitant ransoms demanded, and they also have a greater susceptibility to their image being tarnished with regards to appearing incompetent at handling sensitive data and retaining their reputation as a reputed firm.
Along with Healthcare, the most targeted sectors in the previous quarter were Professional Services, IT & ITES, and Construction due to their high net worth and the expanded attack surfaces.
3. The United States remains the most targeted nation
While several trends around Ransomware victims and tactics have evolved on a quarterly basis, the established pattern of the United States being the most targeted region by ransomware operators is a constant. This is evidenced by the fact that in Q3-2023 alone, the United States faced more ransomware attacks than the next 10 countries combined.
The reasoning for this can be attributed to the US’s unique role in being a highly digitized nation with a massive amount of global engagement and outreach. Due to geopolitical factors, the United States is also a prime target for Hacktivist groups leveraging ransomware to achieve their goals due to perceived social injustice or to protest foreign and domestic policies.
A distant second, in terms of the volume of ransomware attacks in Q3, was the United Kingdom, followed by Italy and Germany.
4. LOCKBIT remains a potent threat – while newer Ransomware groups are rapidly creating a name for themselves
While LOCKBIT’s total attacks were slightly lower than the previous quarter (a 5% drop), they still targeted the highest number of victims, with 240 confirmed victims in Q3-2023.
Newer players on the ransomware scene have not been idle, however. Q3-2023 witnessed a surge in attacks from newer groups such as Cactus, INC Ransom, Metaencryptor, ThreeAM, Knight Ransomware, Cyclop Group, and MedusaLocker, indicating that these groups, while not having the same profile and global presence as major players like LOCKBIT, remain potent threats.
5. The increasing adoption of Rust and GoLang in newer ransomware variants
Ransomware groups have always tried to make their activities harder or even impossible to detect or analyze. This makes it tricky for victims, cybersecurity experts and governments to analyze and study the ransomware, its infection vector, and mode of operation – after which corrective actions are accordingly implemented.
The recent patterns we have observed, however, showcase the growing popularity of Rust and GoLang amongst high-profile ransomware groups such as Hive, Agenda, Luna, and RansomExx. The reason for this is, again, twofold: programming languages like Rust make it harder to analyze the ransomware’s activity on a victim system. They have the additional benefit of being easier to customize to target multiple Operating Systems, increasing the lethality and target base of any ransomware created using these languages.
How have Organizations reacted to these Developments?
Every news cycle seems to contain at least one incidence of a high-profile organization or industry leader falling victim to Ransomware at some point, with the recent breaches of Caesar’s Palace and MGM Casino by BlackCat/ALPHV Ransomware being prime examples.
This has even caught the attention of Government and Regulatory bodies worldwide, who have rolled out measures to help mitigate the impact and incidence of ransomware attacks. Firms have taken matters into their own hands as well by implementing practices to prevent the risk and mitigate the impact of ransomware attacks. Some notable steps we have observed are:
1. Emphasis on employee training
An organization’s workforce is often the first line of defense against any attack, and Ransomware is no exception. Firms have accordingly stepped up their cybersecurity training and awareness programs, rolling out mandatory cybersecurity training sessions and fostering a culture of cyber-awareness. Prime examples of this include training on how to identify phishing attempts, handling suspicious attachments, and identifying social engineering attempts.
2. Incident Response Planning
Despite efforts to prevent them, Ransomware attacks can still occur due to various factors. Organizations have accounted for this and increased their focus on developing a comprehensive response to such incidents. These include legal protocols to notify authorities, internal security next steps, infosec team responses, and quarantining any affected systems/products.
3. Enhanced Recovery and Backups
Ransomware attacks have two primary aims: To gain access to sensitive data and encrypt this data to render it unusable to the target organizations. To address this risk, organizations have started placing a greater focus on backing up sensitive data and creating comprehensive recovery processes for the same.
4. Implementation of Zero-Trust Architecture and Multi-Factor Authentication
Ransomware groups have previously exploited the human element to enable or enhance ransomware attacks via Initial Access Brokers, phishing attacks, etc. As a response, firms have implemented Zero-Trust Architecture and MFA across all critical platforms and data, requiring multiple verified levels of authentication to grant access to sensitive data.
5. Intelligence sharing and collaboration with Law Enforcement
Organizations in the same industries have created Information Sharing and Analysis Centers (ISACs) to help pool their resources and intel to help combat future ransomware attempts. They are also working closely with Law Enforcement and regulatory bodies to report ransomware attempts and help diagnose security shortcomings.
6. Increased adoption/use of Threat Intelligence Platforms
Due to their specific competency in this space, as well as their advanced AI and machine learning capabilities, organizations are increasingly using Threat Intelligence Platforms for their expertise, anomaly detection, and behavioral analysis to gain real-time threat intelligence to help mitigate ransomware attacks.
7. Focus on Vulnerability Management
Vulnerabilities have come into the limelight over the past few years in major incidents such as the recent MoveIT and PaperCut vulnerabilities enabling exploits and cyberattacks. Organizations have accordingly implemented vulnerability management and protocols to ensure all critical software is up-to-date and regularly patched.
8. Securing supply chains and vendor risk management
In the event that a Ransomware operator cannot breach an organization, it is not atypical for them to target its supply chain via vendors, partners, and third parties who may not be as cybersecure. Organizations have accordingly rolled out vendor risk assessments to ensure that their entire supply chain is airtight and uniformly protected against potential ransomware attempts.
Discover key insights and understand how ransomware groups are evolving their tactics to target victims. Download the Q3-2023 Ransomware Report now.
How can Cyble’s AI-powered threat intelligence platform, Cyble Vision, assist you?
With a keen view into both the surface and deep web, Cyble Vision can keep you a step ahead of Ransomware operators.
- Through keen Threat Analysis, Cyble Vision can help identify weak points in your organization’s digital risk footprint and guide you on how to secure these gaps that ransomware groups could potentially exploit.
- Cyble Vision has the ability to scan your entire attack surface, extending to your vendors, partners, and third parties as well, giving you the ability to secure your entire supply chain and ecosystem from attacks.
- Being powered by AI allows Cyble Vision to scan vast quantities of data from all parts of the surface, deep and dark web, allowing real-time updates into Threat actor behavior.
- With a focus on Darkweb Monitoring, Cyble Vision can let you track Threat Actor patterns and actions on the Darkweb. From discussing a new variant to monitoring affiliate programs, you can stay one step ahead of Ransomware operators.
If you’re interested in exploring how Cyble Vision can enhance your organization’s security, reach out to Cyble’s cybersecurity experts for a free demo here.