Cybersecurity companies have released a dozen ransomware reports in recent weeks and most of them show a significant increase in attacks.
Ransomware attacks continue to be highly profitable for cybercrime groups and the recent reports released by various cybersecurity firms show that they are increasing both in terms of volume and sophistication.
SecurityWeek has analyzed these reports and has created a summary of the most important findings and trends.
According to NCC Group’s July 2023 cyber threat intelligence report, the company saw over 500 attacks last month, an increase of 153% compared to one year ago, and a 16% increase compared to June, with the industrials sector continuing to be the most targeted. The company saw a 59% increase in ransomware attacks in Europe from June to July.
The surge recorded in recent months is in large part due to the Cl0p group, which targeted hundreds of organizations through the MOVEit hack. According to Emsisoft, 730 organizations and over 47 million people were hit directly and indirectly by the MOVEit attack as of August 19.
However, Guidepoint Security noted that the number of victims actually dropped in July if we exclude Cl0p’s MOVEit victims. On the other hand, the company saw 36 active groups in July, compared to 28 in the previous month.
In addition to Cl0p, the list of highly active groups includes LockBit, BlackCat (ALPHV) and an emerging group named 8Base.
Several companies have reported seeing new ransomware groups emerge in recent months, some of which are actually the result of the rebranding of existing gangs. Newcomers include NoEscape, Cactus, Knight, BlackSuit, DarkRace, and Rhysida. Malwarebytes has a summary of some of these groups.
BlackFog data showed that July 2023 saw the highest number of attacks compared to the same month over the past four years. Interestingly, the company noted, only 38 of the ransomware attacks that came to light in July were publicly disclosed, compared to 390 attacks that were not disclosed by victims.
ReliaQuest’s Q2 2023 report shows a record number of victims named on ransomware group leak websites — 1,400 organizations, up from 850 in the previous quarter.
CyberMaxx also has a report for the second quarter, revealing that while most gangs saw only a minor increase in attacks, groups such as ALPHV, 8Base, BianLian, Karakurt, Nokoyawa, Play, Qilin, and Snatch showed significant growth.
In terms of ransomware delivery attempts, SonicWall said it recorded 150 million attempts in the first half of 2023, which represents a 41% drop year-to-date. One key factor, according to SonicWall, is the shift to pure extortion attacks, which do not involve the distribution of file-encrypting malware.
Sophos recently published a report focusing on ransomware attacks on the education sector. The report reveals that attacks against this sector have been steadily increasing in recent years. The vast majority of organizations in this sector managed to recover encrypted data, but roughly half did so by agreeing to pay a ransom.
Barracuda said the number of reported ransomware attacks against sectors such as education, municipalities and healthcare has doubled since last year and more than quadrupled since 2021.
In addition to an increase in attack volume, there has been an increase in sophistication. Akamai reported that ransomware groups are increasingly focusing on file exfiltration and the exploitation of zero-day and one-day vulnerabilities for initial access.
Once they have gained initial access to an organization’s systems, attackers are deploying what some call ‘precursor malware’, which paves the way for lateral movement and the actual ransomware payload. According to a report from Lumu, the top ransomware precursors in 2022 were Qbot, Phorpiex, Emotet, Cobalt Strike, Ursnif, and Dridex.
In terms of costs associated with ransomware attacks, Comparitech estimates that, between 2018 and 2023, nearly 500 manufacturing companies hit by ransomware lost $46.2 billion in downtime alone.