Ransomware attacks continue to be one of the biggest contemporary cybersecurity threats, affecting organizations and individuals alike on a global scale. From high-profile breaches in healthcare and industrial sectors – compromising huge volumes of sensitive data or halting production entirely – to attacks on small businesses that have become relatively easy targets, ransomware actors are expanding their sphere of influence. As we approach International Anti-Ransomware Day, we have analyzed the major ransomware events and trends. In this report, we share our observations, research, and statistics to shed light on the evolving ransomware threat landscape and its implications for cybersecurity.
Ransomware landscape: rise in targeted groups and attacks
Kaspersky collected data on targeted ransomware groups and their attacks from multiple relevant public sources, for the years 2022 and 2023, filtered and validated it. The research reveals a 30% global increase in the number of targeted ransomware groups compared to 2022, with the number of known victims of their attacks rising by a staggering 71%.
Unlike random attacks, these targeted groups focus on governments, high-profile organizations, or specific individuals within an organization. Moreover, most of them distribute their malware under the Ransomware-as-a-Service (RaaS) model, which involves a number of smaller groups (called affiliates) getting access to the ransomware for a subscription fee or a portion of the ransom. In the graph below, you can see the ransomware families that were most active in 2023.
The ransomware most frequently encountered in organizations’ systems in 2023 was Lockbit 3.0. The reason for its remarkable activity may be its builder leak in 2022. That led to various independent groups using the builder to create custom ransomware variants, which they then used to target organizations all over the world. The group itself also has a large affiliate network. Second was BlackCat/ALPHV, which first appeared in December 2021. In December 2023, the FBI, together with other law enforcement agencies, disrupted BlackCat’s operations and seized several websites of the group. However, immediately after the operation, BlackCat stated that it had “unseized” at least some of the sites. The US Department of State offers a 10 million bounty for the group’s associates. The third most active ransomware in 2023 was Cl0p. This group managed to breach managed the file transfer system MoveIt to get to its customers’ data. According to New Zealand security firm Emsisoft, as of December 2023, this breach had affected over 2500 organizations.
Other notable ransomware variants
In our threat research practice, among the threats we analyze are various ransomware samples. This section shares brief descriptions of several noteworthy families that, although not being the most active in 2023, are interesting in some way or another.
- BlackHunt: Detected in late 2022 and updated in 2023, BlackHunt targets global victims using a C++ executable, which is based on Conti ransomware source code. It utilizes customizable attack vectors, including deceptive tactics like a fake Windows Update screen displayed to mask the file encryption process, and employs security measures for testing purposes, such as checking for “Vaccine.txt” before executing. If the malware author wants to test the executable without encrypting their own files, they create a Vaccine.txt file. If the malware finds this file in the system, it doesn’t proceed with encryption.
- Rhysida: Emerging in May 2023, Rhysida is a new RaaS operation initially targeting Windows but later expanding to Linux. Both versions use AES and RSA algorithms for file encryption, and the ChaCha stream cipher in the key generation process. The ransomware also implements token-based access to its hidden service for enhanced secrecy.
- Akira: A compact C++ ransomware compatible with both Windows and Linux, Akira has impacted over 60 organizations across various sectors. It employs a single key for encryption, and featured an encryption flaw in early versions, which made file decryption possible without the ransomware operators’ knowledge. However, this flaw was fixed in recent variants, which are not decryptable at the time of writing this report. For victim communication, Akira utilizes a minimalistic JQuery Terminal-based hidden service.
- Mallox: Also known as Fargo and TargetCompany, Mallox has been wreaking havoc since its appearance in May 2021. With an increase in attacks in 2023 and nearly 500 identified samples, it continues to evolve with frequent updates and an active affiliate program as of 2024. Operating through both clearnet and TOR servers, Mallox targets internet-facing MS SQL and PostgreSQL servers and spreads through malicious attachments. The most affected countries include Brazil, Vietnam, China, Saudi Arabia, and India.
- 3AM: A new RaaS variant, 3AM features a sophisticated command-line interface, and an “access key” feature for protection against automatic sandbox execution: to be executed, the ransomware requires an access key. As is the case with most human-operated ransomware, 3AM affiliates get an initial foothold in the target infrastructure using Cobalt Strike. In Cobalt Strike, they use the watermark option, which allows the attackers to uniquely identify beacon traffic associated with a specific Cobalt Strike team server. This may suggest that 3AM affiliates share access to the target with other ransomware groups, and use the watermark to separate their traffic from the others. The ransomware employs efficient file-processing techniques, such as reverse traversal (processing strings from the end to quickly identify file paths and extensions) and integration with Windows API, and terminates various processes before encryption to complicate recovery efforts. Communication with victims is through a TOR-based hidden service, though with operational security misconfigurations such as real IP exposure.
Trends observed in our incident response practice
This section contains trends and statistics based on the incidents our incident response service dealt with in 2023. The figures in this section may differ from those obtained from public sources, because they don’t cover all ransomware-related incidents that occurred last year.
According to our incident response team, in 2023, every third incident (33.3%) was related to ransomware, which remained the primary threat to all organizations, whatever sector of economy or industry they belonged to.
Another important trend observed in 2023: attacks via contractors and service providers, including IT services, became one of the top three attack vectors for the first time. This approach facilitates large-scale attacks with less effort, often going undetected until data leaks or encrypted data are discovered. If speaking about ransomware, trusted relationship attacks were among four of the main initial infection vectors. Another three were: compromise of internet-facing applications, which accounted for 50% of all ransomware attacks; compromised credentials (40%), of which 15% were obtained as a result of brute force attacks; and phishing.
Among the ransomware families most frequently encountered in our incident response practice in 2023 were Lockbit (27.78%), BlackCat (12.96%), Phobos (9.26%), and Zeppelin (9.26%). Most of the data encryption attacks ended within a day (43.48%) or days (32.61%). The rest lasted for weeks (13.04%), while only 10.87% lasted for more than a month. Practically all the long ransomware attacks (those lasting weeks and months), in addition to data encryption, also featured data leakage.
Ransomware groups’ tactics and techniques
Ransomware groups have continued to employ previously identified strategies for intrusion, utilizing similar tools and techniques. Adversaries have targeted internet-facing applications vulnerable to remote command execution (RCE), such as those supported by vulnerable versions of log4j. Exploiting vulnerabilities in these applications, adversaries have gained unauthorized access and compromised infrastructures.
Once exploitation is confirmed, adversaries typically proceed by manipulating local privileged accounts responsible for application execution. They execute commands to modify user passwords and upload a set of tools, such as Meterpreter and Mimikatz, to the compromised system. By executing Meterpreter and creating or modifying system processes, adversaries gain additional access and establish persistence on the compromised system.
In some instances, adversaries exploit vulnerabilities in public-facing applications within the organization’s infrastructure and utilize tools like BloodHound and Impacket for lateral movement within networks and gaining knowledge of the target infrastructure. However, to evade endpoint controls, they also have adopted different techniques, such as using the Windows Command Shell to collect event logs and extract valid usernames.
Additionally, adversaries leverage native Windows SSH commands for command and control (C2) communications and data exfiltration. After identifying paths to reach remote systems with internet access, they configure SSH backdoors and establish reverse tunneling for data exchange.
Overall, ransomware groups demonstrate a sophisticated understanding of network vulnerabilities and utilize a variety of tools and techniques to achieve their objectives. The use of well-known security tools, exploitation of vulnerabilities in public-facing applications, and the use of native Windows commands highlight the need for robust cybersecurity measures to defend against ransomware attacks and domain takeovers.
Ransomware: becoming a matter of national and international security
Over the past few years, the impact of ransomware attacks on public and private organizations has escalated to the point of threatening national security. This growing threat has led to ransomware being highlighted in national cybersecurity strategies, annual reports from cybersecurity regulators, and intergovernmental discussions at forums like the UN Open-ended Working Group (OEWG) on cybersecurity. The frequency and disruptive character of ransomware attacks has become unsustainable for governments, prompting them to pool resources and develop both national and multi-country initiatives to combat ransomware groups.
One notable initiative is the formation in 2021 of the international Counter Ransomware Initiative (CRI), which brings together 49 countries and INTERPOL. Through the CRI, there has been a concerted effort to share cybersecurity information, disrupt attackers’ operations, and tackle the financial mechanisms that fuel ransomware attacks. CRI members have also endorsed a statement advocating against ransom payments by institutions under national government authority, signaling the need for a new global norm and standard around ransomware payments. Countries like Singapore and the United Kingdom have played pivotal roles within the CRI, focusing on understanding the ransomware payment ecosystem and advocating for policies that counter ransomware financing.
Legislative measures and policy actions are central to the fight against ransomware. In the United States, legislation like the Cyber Incident Reporting for Critical Infrastructure Act of 2022 aims to enhance incident reporting and resilience against attacks. In early 2023, France implemented a law that conditioned insurance coverage on the prompt reporting of cybersecurity incidents.
State agencies reporting on ransomware indicates that fighting against this threat is a priority for authorities. In its latest IT Security Report 2023, the BSI (Germany) identifies ransomware as the biggest cybersecurity threat to Germany, noting the shift from “big game hunting” to targeting smaller companies and municipal administrations.
Last but not least, law enforcement agencies around the globe are joining forces in operations aimed at dismantling ransomware networks. In 2023, international operations seized infrastructures of such ransomware groups as Hive, BlackCat, and Ragnar. Early 2024 saw Operation Cronos disrupt Lockbit and get access to their decryption keys, and in May 2024, the group’s leader was unmasked and sanctioned. Although cybercriminals usually rebuild their infrastructure afterwards, these efforts at the very least make ransomware maintenance much more expensive and shorten their income by decrypting their victims for free. These and other efforts underscore a comprehensive approach to fighting ransomware. By combining international cooperation, legislative action, and financial oversight, countries aim to mitigate the global threat and impact of ransomware attacks effectively.
Ransomware – what to expect in 2024
As we look ahead to 2024, we observe a significant shift in the ransomware ecosystem. While many prominent ransomware gangs have disappeared, smaller and more elusive groups are emerging. This rise can be attributed to leaked source code and tools from disbanded or deceased larger groups.
As officials discuss counter-ransomware measures and law authorities around the globe link up to combat cybercrime, ransomware operations are becoming increasingly fragmented. Larger, more coordinated groups are breaking down into smaller fractions, making it more challenging for law enforcement to target them. Moreover, each of these smaller groups has less impact and is of less interest for law enforcement, thus having a reduced likelihood of being tracked and prosecuted, giving independent ransomware actors a higher chance of escaping arrest.
In conclusion, ransomware attacks remain a significant and evolving threat in the realm of cybersecurity. From high-profile breaches affecting critical sectors to attacks on small businesses, the impact of ransomware continues to expand. As we reflect on the state of ransomware, several key observations and trends emerge.
To mitigate the risk of ransomware attacks, individuals and organizations should prioritize cybersecurity measures.
- Use robust, properly-configured security solutions like Kaspersky NEXT.
- Implement Managed Detection and Response (MDR) to proactively seek out threats.
- Disable unused services and ports to minimize the attack surface.
- Keep all systems and software up to date with regular updates and patches.
- Conduct regular penetration tests and vulnerability scanning to identify and address vulnerabilities promptly.
- Provide comprehensive cybersecurity training to employees to raise awareness of cyberthreats and best practices for mitigation.
- Establish and maintain regular backups of critical data, and test backup and recovery procedures regularly.
- Use Threat Intelligence to keep track of the latest TTPs used by groups and adjust your detection mechanisms to catch these.
- Pay special attention to any “new” software being run and installed on systems within your network (including legitimate software).
State of ransomware in 2024
Daniel Chien
There is an easy method to stop ransomware, just won’t let it run. For example, on the Lunux based system, it will not allow any one, including root user and SUDO, to add X attributes. Files with X attributes, will be read-only. By this rule, ransomware will not be able to run. In order to modify X attributes, the system must boot into safe mode without networking.
Jennifer Tiang
Requesting report
Kaspersky
Hi Jennifer!
The report is this post. To get more insights into trends and attacker TTPs based on our incident response practice, you can find our incident response report here: https://securelist.com/kaspersky-incident-response-report-2023/112504/
If you want more data on ransomware, you can read articles under this tag: https://securelist.com/tag/ransomware/