This article looks at the ransomware trends of 2023: an increase in supply chain attacks, the use of double extortion, law enforcement actions against large networks, a greater focus than ever on small and medium-sized businesses, and calls for ransom payments to be banned.
1. Double Extortion Became a Key Tactic
The traditional ransomware tactic of file encryption remained one of the main tactics used by many ransomware groups to restrict access and encourage ransom payments in 2023. But within the last year double extortion techniques have become increasingly common, with hackers not only encrypting the data but also stealing confidential data beforehand and threatening to release it if their demands are not fulfilled.
Data exfiltration was present in approximately 91% of all publicly recorded ransomware attacks in 2023. When data is stolen during an attack, the consequences are heightened, with the risk of sensitive and confidential information belonging to customers, employees, suppliers, and other groups being leaked.
The CL0P ransomware group, in particular, employed this strategy, developing ways to methodically extract private information such as client lists, HR files, and financial records from systems before launching their malware. CL0P put more pressure on victims by disclosing stolen information on leak websites if the ransom demands were not fulfilled.
2. Law Enforcement Takedowns were Successful
Law enforcement agencies, most notably the FBI, have made great progress despite the continuous difficulties presented by different threat groups. One of the best examples was the successful infiltration and disruption of the Hive ransomware network in January 2023. The FBI’s long-term covert operation successfully neutralized Hive’s tools and infrastructure. Consequently, ransom payments—which were projected to be worth over $130 million—were stopped.
Notably, Hive had caused damage to over 1,500 organizations in 80 different countries, extorting large ransom payments and amassing more than $100 million in total over time. However, while these disruptions produce significant gains, we ought to remember that they frequently result in the emergence of new threat actors to fill the void left by the dismantled groups. The Hive network, known for its ransomware-as-a-service business model, had a significant impact on a variety of industries, including finance, healthcare, and education.
But unfortunately, as we saw in December, ransomware groups have their ways of avoiding these takedowns. News broke that the servers belonging to notorious ransomware gang BlackCat had been seized by the FBI and that a decryptor had been created to help their victims. Days later BlackCat re-emerged seemingly unscathed and has since been carrying out attacks.
3. Small and Medium Businesses were Highly Targeted
Small and medium-sized enterprises (SMEs) found themselves in the crosshairs in 2023 when it came to ransomware attacks. These smaller businesses typically don’t have the comprehensive security systems that large corporations do, making them sitting ducks for ransomware attacks. Shockingly, 66% of small business owners surveyed said they experienced a cyberattack last year.
To hackers, these businesses look like attractive, easy targets. Ransomware groups in particular take part in what’s known as “big game hunting,” deliberately going after entities like local governments, hospitals, and small businesses that they believe will pay up. The thinking is that because these organizations provide critical data, services, or products, they’ll be extra motivated to pay ransoms to get back up and running.
4. Supply Chain Attacks Surged
Supply chain or “third-party” ransomware attacks became more common in 2023; one well-known example is the MOVEit file transfer software vulnerability that the CL0P ransomware group exploited. This zero-day SQL injection vulnerability, known as CVE-2023-34362, was present in MOVEit, a popular managed file transfer program used in many different industries. CL0P took advantage of this vulnerability and was able to retrieve sensitive data from the underlying databases and systems.
By focusing on popular platforms and software like MOVEit, CL0P was able to affect thousands of users at once, thereby expanding the scope and severity of its attacks. Recent figures suggest that the MOVEit attack impacted 2611 organizations and around 85.1 million individuals. With some organizations still investigating the breach, it may be some time before the true impact is known.
The extensive use of MOVEit for file transfer operations in many organizations made CL0P’s exploitation of the MOVEit vulnerability noteworthy, but there were many others.
5. Regulatory Responses were Challenging
The Securities and Exchange Commission announced that, from December 18th, 2023, companies were required to report material cyber incidents within four business days. This not only adds reporting pressures to organizations but has also become an extortion tool for cybercriminals.
Ransomware groups started using regulatory disclosure requirements to put more pressure on their victims. A prominent instance of this strategy concerned the ALPHV/BlackCat ransomware group. This group complained to the U.S. Securities and Exchange Commission (SEC) about MeridianLink, one of their victims, for neglecting to notify the SEC of a breach as required by law.
MeridianLink was accused by ALPHV/BlackCat of failing to disclose a “significant breach” in accordance with Form 8-K, Item 1.05, which mandates that publicly traded companies notify the public of cyberattacks that have a material impact within four business days.
6. More Calls for Ransomware Payment Bans
Calls for an outright ban on ransomware payments peaked in 2023. Although there had been discussion about banning payments in the past, a large number of articles covering the controversy this past year caused the discussion to explode. Even the White House chimed in, contemplating possible adjustments.
The administration investigated options like a complete ban on payments with only a few exceptions requiring approval from the government. The exclusions were meant to cover the odd situations in which ransomware could bring down important systems.
But will a ransomware payment ban really work? Some suggest it could act as a deterrent but, unless it is passed into law, organizations may feel that paying is the only option for protecting data from being leaked and recovering systems.