Two recent studies highlight the continuing threat of ransomware.
The continuing threat of ransomware: some trends.
ReliaQuest released its quarterly Ransomware and Data-Leak Extortion report for Q1 2023 and reports that the quarter was the most active it has observed since 2020. More than 800 organizations fell victim to ransomware and extortion, with LockBit, Clop and ALPHV being the most active ransomware groups. GuidePoint Security notes in its Q1 2023 ransomware report that there has been an increase in "exfiltration-only" attacks, in which threat actors forgo encrypting a victim's files. This method is significantly faster and easier for attackers, and it still lets them pressure the victim into paying to prevent the stolen information from being published or sold.
Ransomware at a 2 year high.
ReliaQuest notes that a key event was Cl0p's exploitation of the GoAnywhere MFT zero-day vulnerability (CVE-2023-0669), which "resulted in more than 130 organizations being breached." They explained: "By skipping encryption, Cl0p was able to conduct the attacks at lightning speeds; reportedly, it took Clop only ten days to steal data from the 130 organizations using GoAnywhere MFT." For the entire quarter, however, ReliaQuest reports that LockBit was by far the most active, leaking the information of 273 victims to Cl0p's 102. Lastly, ReliaQuest notes: "Despite the rise in ransomware activity, we observed a 90.7% decrease in extortion-only attacks. This shift demonstrates that threat actors placed a high focus on ransomware and double extortion in Q1 2023." GuidePoint Security writes that "GRIT has observed an uptick in 'exfiltration-only' ransomware attacks. In situations where a known Ransomware threat actor has been unable to encrypt a victim's network, either because of defenses or lack of access, they have continued with the extortion process, relying solely on the leverage of data they have successfully exfiltrated."
ReliaQuest reports a 22% increase in Q1 2023 compared to Q4 2022, although there was a "large decrease in the number of extortion-only attacks." Additionally, "Activity by extortion-only groups decreased by 90.7% during the past quarter, likely due to the extortion group 'Karakurt' having a quiet quarter." The most affected country this quarter was the United States by a wide margin, with the United Kingdom and Canada taking second and third place respectively. This is backed up by GuidePoint, which states: "US-based organizations remained the most heavily impacted by ransomware, making up 46% (395 out of 851 total) observed victims in Q1. This is consistent with the ratio observed in Q4, where US victims accounted for 45% of victims (301 out of 676). The current ratio appears to be holding steady since first increasing from approximately 40% in Q2-Q3 2022."
Industrial goods & services, technology, and healthcare are targeted en masse.
ReliaQuest and GuidePoint Security both point out that Industrial Goods and Services is by far the most affected sector, with ReliaQuest citing 177 incidents, more than double the second most targeted sector, Technology, with 62. The report also finds that healthcare was targeted en masse this last quarter: "More than 30 healthcare organizations were named on ransomware data-leak sites in March 2023. This number is the highest we have observed over the past year."
GuidePoint Research and Intelligence Team (GRIT) also added that it is seeing an increase in attacks on the legal and engineering sectors. “GRIT assesses with moderate confidence that the Legal and Engineering industries continue to be heavily impacted based on the probable perception by threat actors that they often maintain sensitive personal data or intellectual property which they are contractually obligated to protect… The Legal and Engineering industries, combined, accounted for 31 posted victims in March, a rate of 1 post per day. This represents an over 250% increase from an average of .377 posts per day during 2022.”
Recommendations.
GRIT remarks that “Community and law enforcement information sharing will be vital in stymying the effectiveness of new techniques.”
ReliaQuest recommends several actions organizations can take to defend against these attacks. Here are some of note:
"- Segment networks: Ensure proper network segmentation of devices so they can only communicate with other devices needed to support their specific business functions.
- Use application control: Where appropriate and, if possible, only permit the execution of signed scripts. Consider redirecting the default application for JavaScript, Visual Basic, and other executable script formats to open by default in notepad.exe instead of wscript.exe. Weaponized script files are used heavily by initial access malware.
- Inventory accounts: Service and other privileged accounts in the environment should be accounted for. Ensure that they follow the principle of least privilege and are configured with long, complex passwords. Service accounts are highly targeted in ransomware intrusions given that they are often configured improperly with domain admin rights."
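The following PowerShell script is an added example, not code from ReliaQuest's or GuidePoint's reports, showing how two of the recommendations above (redirecting script file types to notepad.exe, and inventorying privileged accounts) can be carried out on a Windows domain. It assumes the host runs elevated for the registry change and has the RSAT ActiveDirectory module installed for the account audit; the ProgID names, the 365-day password-age threshold and the "Domain Admins" group name are the script's own assumptions, and the registry change should be tested on a pilot group of hosts before being deployed by GPO.

```powershell
<#
  Added example (not from the ReliaQuest report). Applies two of the
  recommendations above on a Windows domain-joined host.
  Assumptions: runs elevated; RSAT ActiveDirectory module is installed.
#>
#Requires -RunAsAdministrator

# --- Application control: open script files in notepad.exe, not wscript.exe ---
# Windows maps .js/.jse/.vbs/.vbe/.wsf to these ProgIDs; the Shell\Open\Command
# default value decides which program a double-click launches.
$ScriptProgIds = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile'
$NotepadCmd    = '"C:\Windows\System32\notepad.exe" "%1"'

function Set-ScriptFilesToNotepad {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($progId in $ScriptProgIds) {
        $key = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        if (-not (Test-Path $key)) { continue }   # ProgID not present on this build
        $current = (Get-ItemProperty -Path $key).'(default)'
        if ($current -eq $NotepadCmd) { continue } # already redirected
        if ($PSCmdlet.ShouldProcess($key, "set handler to notepad.exe (was: $current)")) {
            Set-ItemProperty -Path $key -Name '(default)' -Value $NotepadCmd
        }
    }
}

# --- Inventory accounts: find Domain Admins that look like service accounts ---
# Flags members with an SPN (a service account holding DA rights), a password that
# never expires, or a password older than the assumed 365-day threshold.
function Get-RiskyPrivilegedAccounts {
    [CmdletBinding()]
    param([string]$GroupName = 'Domain Admins', [int]$MaxPasswordAgeDays = 365)
    Import-Module ActiveDirectory -ErrorAction Stop
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            Get-ADUser -Identity $_.distinguishedName `
                -Properties ServicePrincipalName, PasswordNeverExpires, PasswordLastSet
        } |
        ForEach-Object {
            $reasons = @()
            if ($_.ServicePrincipalName.Count -gt 0) { $reasons += 'SPN set: service account with DA rights' }
            if ($_.PasswordNeverExpires)             { $reasons += 'password never expires' }
            if (-not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff) {
                $reasons += "password older than $MaxPasswordAgeDays days"
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    Enabled        = $_.Enabled
                    Findings       = ($reasons -join '; ')
                }
            }
        }
}

# Usage: preview the registry change, then apply it, then audit privileged accounts.
Set-ScriptFilesToNotepad -WhatIf
Set-ScriptFilesToNotepad
Get-RiskyPrivilegedAccounts | Format-Table -AutoSize
```

The registry change only affects double-click and ShellExecute launches of script files; scripts started explicitly via `wscript.exe` or `cscript.exe` still run, so it complements rather than replaces signed-script-only execution policy. The account audit is read-only and produces a list to act on; removing service accounts from Domain Admins and rotating their passwords remains a manual, reviewed change.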