TRACKING RANSOMWARE : DECEMBER 2023

Published On : 2024-01-10

EXECUTIVE SUMMARY

This CYFIRMA Monthly Ransomware report thoroughly analyses ransomware activity in December 2023, covering significant attacks, the top five ransomware families, geographical distribution, targeted industries, evolution of attacks, and trends. Organizations can leverage these insights to enhance their cybersecurity strategies and mitigate ransomware risks.

INTRODUCTION

Welcome to the December 2023 Ransomware Report. This report offers a detailed analysis of ransomware events during this period. We explore the top 5 most active ransomware groups and the industries they targeted, as well as the locations that experienced the most attacks. We also discuss the evolution of ransomware groups intending to equip organizations with crucial insights to bolster their cybersecurity measures and combat the evolving threat landscape effectively.

KEY POINTS

  • In December 2023, the LockBit ransomware group emerged as a significant threat, leading the victim count at 82.
  • The Manufacturing sector was the primary target of ransomware attacks, experiencing 66 incidents.
  • The USA was the most targeted geography in December 2023, with 157 ransomware incidents.
  • Hunters International, Dragon Force and WereWolves were the new players in the threat landscape, disclosing victims in December.
  • Ransomware incidents globally surged by 75% from 2022 to 2023.

TREND COMPARISON OF DECEMBER 2023’S TOP 5 RANSOMWARE GROUPS WITH NOVEMBER 2023

In December 2023, multiple ransomware groups were active. Below, we outline trends concerning the top 5 ransomware groups.

The decline in the number of victims for LockBit, Play, ALPHV, and 8base indicates potential success in ransom negotiations, or fewer targets. New entrants, notably Hunters International, emerged in December, made a significant impact, and secured a position in the top 5 list.

RANSOMWARE OF THE MONTH

LockBit: Manufacturing stands out as the primary industry targeted, with the United States being the most targeted nation for LockBit. The group disclosed victim organizations with revenue ranging from less than $5 million to $7.5 billion, implying that the attackers did not focus solely on specific financial tiers, and instead impacted organizations across a wide spectrum of revenue scales.

INDUSTRIES TARGETED IN DECEMBER 2023

Between November and December, the Manufacturing sector experienced a 17.5% reduction in incidents, while FMCG remained relatively stable with a 2.4% increase. Real Estate & Construction saw a significant decline of 32.6%, and Healthcare experienced an 18.9% decrease. Finance witnessed an increase of 8.3%, and Government & Law Firms increased by 30%. Education faced a 17.4% decrease, Hospitality increased by 5.9%, and Energy surged by 142.9%. Transportation had a 40% decrease, while Media witnessed a 66.7% increase. E-Commerce & Telecommunications faced a substantial 76.9% reduction, and Metals & Mining saw a 66.7% decrease.

TRENDS COMPARISON OF 2023 AND 2022 RANSOMWARE ATTACKS

There is a decrease of approximately 14.14% in the number of victims from November 2023 to December 2023, but looking at the year as a whole from January to December 2023, known ransomware incidents are 75% higher than in 2022, suggesting an alarming escalation in global cybersecurity threats.

GEOGRAPHICAL TARGETS: TOP 5 LOCATIONS

The trend of ransomware attackers targeting the above nations persists due to their economic prosperity, robust technological infrastructure, and possession of high-value data, creating lucrative opportunities for extortion and ransom payments.

EVOLUTION OF RANSOMWARE GROUPS IN DECEMBER 2023

Qilin devised Linux version:
A new variant of the Qilin ransomware has been discovered, targeting Linux, FreeBSD, and VMware ESXi servers, designed to encrypt virtual machines and delete their snapshots. Qilin’s encryptor includes embedded configurations for file extension, processes to terminate, and specifications for files and folders to encrypt or exclude. The ransomware provides extensive customization through command-line arguments, allowing features like debug mode, dry run without encryption, and tailored encryption processes for virtual machines and snapshots.

Group Collaboration:
Researchers found significant collaboration among ransomware groups, namely BianLian, White Rabbit, and Mario, who joined forces for an extortion campaign targeting publicly traded financial services firms by employing a ‘password spraying’ attack with Residential IP Proxies and utilizing Business Email Compromise.

CACTUS Ransomware Spreading Malvertising:
Researchers found a fresh wave of CACTUS ransomware attacks utilizing malvertising lures to deploy DanaBot for initial access. The Microsoft Threat Intelligence team identified hands-on-keyboard activity by the ransomware operator, leading to the deployment of CACTUS ransomware.

EMERGING GROUPS

Hunters International:
A new ransomware player – ‘Hunters International’ – has emerged, allegedly inheriting code from the notorious Hive ransomware. Unlike traditional ransomware, Hunters focuses on data theft, using stolen information to pressure victims into paying. Their encryptor appends “.LOCKED” to encrypted files, accompanied by a “Contact Us.txt” file instructing victims on communication.
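The two file-system artifacts named above (the “.LOCKED” extension and the “Contact Us.txt” note) are the kind of indicator a responder can sweep for across file shares. The following Python script is an added example, not code from the CYFIRMA report: it walks a directory tree, counts files carrying the extension, checks for the note, and assigns a triage verdict per directory. The sample directory layout and the minimum-count threshold of three encrypted files are constructed for illustration.

```python
"""Added example (not from the CYFIRMA report): a defender-side triage sweep for
the file-system artifacts attributed to Hunters International, namely the
".LOCKED" extension appended to encrypted files and a "Contact Us.txt" note.
The directory tree built by build_sample_tree() is constructed for illustration.
"""
import os
import tempfile

ENCRYPTED_EXT = ".LOCKED"       # extension stated in the report
RANSOM_NOTE = "Contact Us.txt"  # note file name stated in the report
MIN_ENCRYPTED_FILES = 3         # assumed threshold to suppress one-off false positives


def scan_tree(root):
    """Walk `root` and return {directory: (encrypted_file_count, has_ransom_note)}
    for every directory that shows at least one of the two artifacts."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted = sum(1 for name in filenames if name.endswith(ENCRYPTED_EXT))
        has_note = RANSOM_NOTE in filenames
        if encrypted or has_note:
            findings[dirpath] = (encrypted, has_note)
    return findings


def triage(findings, min_encrypted=MIN_ENCRYPTED_FILES):
    """Classify each flagged directory:
    'high'   - ransom note present AND at least min_encrypted renamed files
    'medium' - exactly one of the two signals
    'low'    - only a handful of renamed files, no note (possible false positive)"""
    verdicts = {}
    for directory, (encrypted, has_note) in findings.items():
        if has_note and encrypted >= min_encrypted:
            verdicts[directory] = "high"
        elif has_note or encrypted >= min_encrypted:
            verdicts[directory] = "medium"
        else:
            verdicts[directory] = "low"
    return verdicts


def build_sample_tree(root):
    """Constructed sample: one share that looks fully encrypted, one clean share,
    one with a stray note only, and one with a single renamed file."""
    layout = {
        "finance": ["q4.xlsx.LOCKED", "budget.docx.LOCKED", "payroll.csv.LOCKED", RANSOM_NOTE],
        "public": ["readme.txt", "logo.png"],
        "hr": [RANSOM_NOTE, "handbook.pdf"],
        "eng": ["notes.md.LOCKED"],
    }
    for subdir, files in layout.items():
        path = os.path.join(root, subdir)
        os.makedirs(path, exist_ok=True)
        for name in files:
            with open(os.path.join(path, name), "w", encoding="utf-8") as fh:
                fh.write("sample content\n")
    return layout


def run_demo():
    """Build the sample tree in a temp directory, sweep it, and return verdicts
    keyed by directory name relative to the root."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        verdicts = triage(scan_tree(root))
        return {os.path.relpath(d, root): v for d, v in verdicts.items()}


if __name__ == "__main__":
    for directory, verdict in sorted(run_demo().items()):
        print(f"{verdict:6s} {directory}")
```

Point the sweep at a mounted share rather than the temp directory to use it in an investigation; the threshold exists because a single renamed file or a stray note is weak evidence on its own, while both together in one directory is the pattern the report describes.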

Dragon Force:
The DragonForce ransomware gang, though recently emerged, operates with a level of expertise evident in their tactics, negotiation methods, and the design of their data leak site. Despite being a new entity, their conduct suggests a seasoned and proficient extortion group.

WereWolves:
The WereWolves ransomware group, active since the fall of 2023, targeted victims mainly in Russia and the USA. Their ‘double extortion’ approach involves demanding ransom for data decryption and exposing victim data on their site. Notably, they break the tradition of sparing Russia, usually adhered to by cyber gangs, signaling a shift in the usual conduct. The group encourages global security researchers and hackers, both ethical and unethical, to join their bug-finding bounty program, offering rewards ranging from $1,000 to $1 million for discovering vulnerabilities in websites, doxing, software, TOX, and TOR.

KEY RANSOMWARE EVENTS IN DECEMBER 2023

Akira strikes:
The Akira ransomware gang claims responsibility for breaching Nissan Australia, stealing 100GB of data. The cyberattack occurred on December 5, with the company advising customers to be vigilant for suspicious online activity.

The GRTC fell victim to Play:
The Greater Richmond Transit Company (GRTC) in central Virginia faced a cyberattack by the Play ransomware gang over the Thanksgiving holiday, causing a temporary network disruption. While services were unaffected, the group demanded an undisclosed ransom. Similar attacks on municipal services, including public transit systems, have been on the rise in 2023, impacting cities like Oakland, Dallas County, and Lowell. The incident underscores the vulnerability of automated transportation systems to cyber threats.

Xeinadin suffered ransomware attack:
The LockBit ransomware group claims the attack on Xeinadin, an accountancy firm with clients in the UK and Ireland. The ransomware group claims to have stolen 1.5 terabytes of Xeinadin customer data, including internal databases, customer financials, access to personal Companies House accounts of Xeinadin customers, client legal information, and much more.

King Edward VII’s Hospital faced a cyber-attack:
The Rhysida ransomware group claimed responsibility for hacking London’s King Edward VII’s Hospital, a prestigious private healthcare facility, publishing stolen medical documents, including data from patients and employees, even asserting possession of information about the Royal Family.

Dragon trapped Ohio:
The Ohio Lottery faced a cyberattack on Christmas Eve, disrupting some internal applications. While the gaming system remains operational, mobile and prize-cashing services were affected. The incident, claimed by the DragonForce ransomware gang, involved encrypted devices and stolen data, including Social Security Numbers and dates of birth. The gang threatened to leak over 3 million entries, comprising personal information of lottery customers and employees.

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Impact Assessment
Ransomware is a major threat, creating problems for both companies and individuals through the theft of vital data and the subsequent ‘ransom’ demanded for its return. These attacks can cause huge financial loss, whether through payment of the ransom or through spending on a cybersecurity solution to restore the data, as well as loss of earnings from disrupted services, loss of customer faith, and emotional distress. Besides these immediate financial issues, these attacks can breach data regulation laws, affecting reputation, consumer trust, and market confidence, making combating ransomware a top priority for businesses and government organizations.

Victimology
Currently, hackers focus on businesses possessing valuable data, including personal information, financial details, and intellectual property. Industries such as Manufacturing, Real Estate, Healthcare, FMCG, E-commerce, Finance, and Technology are particularly vulnerable, due to their data richness. Cybercriminals strategically target countries with robust economies and advanced digital infrastructures to maximize ransom returns. Their objective is straightforward: identify vulnerabilities, encrypt data, and demand substantial ransoms for its release, all with the aim of securing significant profits.

CONCLUSION

In December 2023, the ransomware landscape witnessed notable shifts, with LockBit focusing on manufacturing, and the Linux-targeting Qilin variant emerging. Collaboration among groups intensified, with a rise of new and evolving players such as Hunters International, Dragon Force, and WereWolves. Notable attacks on entities like Nissan Australia, GRTC, Xeinadin, King Edward VII’s Hospital, and the Ohio Lottery underscored the pervasive threat. Despite a decline in victim counts from November to December, the overall rise in incidents in 2023 compared to 2022 signals a concerning escalation in global cybersecurity threats.

STRATEGIC RECOMMENDATIONS:

  • Strengthen Cybersecurity Measures: Invest in robust cybersecurity solutions, including advanced threat detection and prevention tools, to proactively defend against evolving ransomware threats.
  • Employee Training and Awareness: Conduct regular cybersecurity training for employees to educate them about phishing, social engineering, and safe online practices to minimize the risk of ransomware infections.
  • Incident Response Planning: Develop and regularly update a comprehensive incident response plan to ensure a swift and effective response in case of a ransomware attack, reducing the potential impact and downtime.

MANAGEMENT RECOMMENDATIONS:

  • Cyber Insurance: Evaluate and consider cyber insurance policies that cover ransomware incidents to mitigate financial losses and protect the organization against potential extortion demands.
  • Security Audits: Conduct periodic security audits and assessments to identify and address potential weaknesses in the organization’s infrastructure and processes.
  • Security Governance: Establish a strong security governance framework that ensures accountability and clear responsibilities for cybersecurity across the organization.

TACTICAL RECOMMENDATIONS:

  • Patch Management: Regularly update software and systems with the latest security patches to mitigate vulnerabilities that threat actors may exploit.
  • Network Segmentation: Implement network segmentation to limit lateral movement of ransomware within the network, isolating critical assets from potential infections.
  • Multi-Factor Authentication (MFA): Enable MFA for all privileged accounts and critical systems to add an extra layer of security against unauthorized access.