
RANSOMWARE TRENDS : H1 2023 Part-2

Published On : 2023-08-10

EXECUTIVE SUMMARY

This report is Part 2 of a two-part analysis of ransomware activity in 2023. Part 1 covered the major ransomware attacks, the five most prolific ransomware families since January 2023, and the geographical distribution of victims. This part covers the industries targeted, an industry-level comparison of H1 2022 and H1 2023, the ongoing evolution of established ransomware operations, notable new ransomware groups, the vulnerabilities exploited by ransomware in 2023, and an overall trend comparison between H1 2022 and H1 2023. Together these themes give organizations a clearer view of the evolving threat landscape and a basis for adjusting their defenses against ransomware.

INTRODUCTION

Ransomware attacks continue to pose significant threats to organizations worldwide, causing severe financial and reputational damage. In the first half of 2023, a surge in ransomware activity has been observed, highlighting the need for heightened vigilance and proactive defense measures. This report aims to shed light on the key aspects of ransomware activity during this period, including the vulnerabilities exploited, industries targeted, geographic focus, and the emergence of new ransomware variants.

Understanding ransomware attack tactics, techniques, and trends is crucial for organizations to effectively mitigate risks, protect critical data, and ensure business continuity. By analyzing the ransomware landscape in the first half of 2023, this report aims to provide valuable insights that can empower organizations to strengthen their cybersecurity posture and stay ahead of evolving threats.

KEY POINTS

  • The Manufacturing industry recorded the highest number of reported incidents in H1 2023, 279 cases, making it the most targeted sector.
  • A concerning trend is the emergence of several new ransomware variants built on leaked ransomware source code.
  • Recently emerged ransomware groups are actively exploiting both new and old vulnerabilities, posing a significant threat to organizations.
  • Ransomware attacks increased by about 53% between H1 2022 and H1 2023.

TARGETED INDUSTRIES

The figures below cover ransomware attacks recorded from January 2023 to June 2023. The Manufacturing sector saw the highest number of incidents (279), followed by Fast-Moving Consumer Goods (FMCG) with 216, IT with 202, Banking and Finance with 177, and Health Care with 173.

Several factors explain why these industries are targeted. Manufacturing depends on operational continuity and often runs exposed industrial control systems, so downtime is expensive and ransoms are more likely to be paid. Healthcare holds critical patient data and cannot tolerate disruption of essential services. FMCG is attractive for its broad consumer impact and the leverage a supply chain disruption provides. The IT industry holds valuable data and has privileged access into customer networks. Banking and Finance hold financial assets and sensitive customer information. The motives range from financial gain and disruption to theft of intellectual property and harvesting data for follow-on attacks.

INDUSTRIAL TRENDS ANALYSIS OF H1-2022 & H1-2023

Compared to H1 2022, H1 2023 reveals an overall increase in ransomware attack victims, with FMCG experiencing a substantial 63.6% surge, and IT encountering a notable 102% increase. Banking and Finance faced a significant 80.6% rise, while Health Care saw a 60.2% upswing.

THE EVER-ADAPTING THREAT: ONGOING EVOLUTION OF RANSOMWARE ATTACKS IN H1 2023

Sr No – Ransomware – Updates
1. ALPHV/BlackCat – A new version called Sphynx emerged; use of a signed malicious Windows kernel driver in attacks.
2. Play – Two new custom tools, Grixba and VSS Copying Tool, developed.
3. Vice Society – Automation of data theft.
4. Royal – Started encrypting Linux systems (VMware ESXi).
5. LockBit – New encryptor named ‘LockBit Green’ emerged; started targeting macOS systems.

ALPHV/ BlackCat

In February 2023, the BlackCat group introduced a new version called Sphynx, built to improve its evasion capabilities. Among the changes, a specific launch parameter required by earlier builds was replaced with a more complex set of arguments. Detection rules that keyed on the previously standardized command line no longer fire, so defenders can no longer rely on that launch pattern to identify the ransomware.

In May, researchers reported that the ALPHV group had used signed malicious Windows kernel drivers to evade security software. The driver family, tracked as ‘POORTRY’, had previously been observed in ransomware intrusions by Microsoft, Mandiant, Sophos, and SentinelOne. After the code-signing keys behind the original Microsoft-signed driver were revoked following extensive publicity, the actors built an improved POORTRY variant and signed it with a stolen or leaked cross-signing certificate. Once loaded, the driver lets the operators elevate privileges and disable security agents on the compromised host, so the rest of the intrusion proceeds without raising alerts.
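The defensive counterpart to the POORTRY technique is to treat a loaded kernel driver as suspect whenever its signature is not what Windows normally requires: on Windows 10 1607 and later, new kernel drivers are expected to carry a Microsoft (WHQL or attestation) signature, and a technically valid signature from any other subject usually means a grandfathered cross-signing certificate, which is exactly what abused drivers rely on. The following Python is an added example, not code from the original report or from any vendor named above. It triages Sysmon “Driver loaded” (Event ID 6) records using the Signed, Signature and SignatureStatus fields; the records, hashes and signer names are constructed for the example, and the set of trusted signer strings and driver directories are assumptions you would tune to your estate.

```python
"""Triage Sysmon Event ID 6 (driver loaded) records for kernel drivers whose
signature should not be trusted. Added example; the records are constructed."""

# Signer strings Windows itself uses for drivers it ships or WHQL-signs.
# Any other subject with a "Valid" status is a cross-signed third-party driver.
MICROSOFT_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Corporation",
    "Microsoft Windows Hardware Compatibility Publisher",
}
# Directories a legitimately installed driver is normally loaded from.
SYSTEM_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


def triage_driver_load(record):
    """Return the reasons a driver load deserves investigation ([] = clean)."""
    reasons = []
    if record["Signed"].lower() != "true":
        reasons.append("unsigned")
    else:
        status = record["SignatureStatus"]
        if status != "Valid":                         # Revoked, Expired, ...
            reasons.append(f"signature status {status}")
        elif record["Signature"] not in MICROSOFT_SIGNERS:
            reasons.append(f"non-Microsoft signer '{record['Signature']}'")
    if not record["ImageLoaded"].lower().startswith(SYSTEM_DRIVER_DIRS):
        reasons.append("loaded from outside the driver store")
    return reasons


def triage_all(records):
    """Findings for every record that triggers at least one reason."""
    findings = []
    for r in records:
        reasons = triage_driver_load(r)
        if reasons:
            findings.append({"host": r["Computer"], "image": r["ImageLoaded"],
                             "sha256": r["Hashes"].get("SHA256"), "reasons": reasons})
    return findings


# Constructed records: hashes and the third-party signer name are placeholders.
SAMPLE_RECORDS = [
    {"Computer": "srv01", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": {"SHA256": "0" * 64}, "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Computer": "srv01", "ImageLoaded": r"C:\Windows\Temp\drv_a.sys",
     "Hashes": {"SHA256": "1" * 64}, "Signed": "true",
     "Signature": "Example Software Ltd", "SignatureStatus": "Valid"},
    {"Computer": "srv02", "ImageLoaded": r"C:\Windows\System32\drivers\drv_b.sys",
     "Hashes": {"SHA256": "2" * 64}, "Signed": "true",
     "Signature": "Example Software Ltd", "SignatureStatus": "Revoked"},
    {"Computer": "ws15", "ImageLoaded": r"C:\Users\Public\drv_c.sys",
     "Hashes": {"SHA256": "3" * 64}, "Signed": "false",
     "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for f in triage_all(SAMPLE_RECORDS):
        print(f["host"], f["image"], "; ".join(f["reasons"]))
```

The second record is the POORTRY shape: a driver Windows accepts as validly signed, but by a subject that is not Microsoft and from a temp directory. The third shows the state after a certificate is revoked, which is why the actors had to re-sign the driver; revocation only helps if endpoints see the updated CRL and your telemetry actually records the status.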

Play Ransomware:

In April, researchers observed the Play ransomware group using two custom tools built on the .NET framework, ‘Grixba’ and ‘VSS Copying Tool’, to make their intrusions more efficient.

Grixba:

Grixba is a network-scanning tool used to enumerate users and computers in a domain. It is built with Costura, a popular .NET tool that packages an application’s dependencies into a single executable; the embedded “costura.commandline.dll” handles Grixba’s command-line parsing.

The threat actors use this .NET information stealer to enumerate software and services through WMI, WinRM, Remote Registry, and Remote Services. It then checks for security and backup software, remote administration tools, and other programs of interest, and records what it finds. The collected data is written to CSV files, compressed into a ZIP archive, and sent to the attackers’ C2 server, giving them the information they need to plan the next steps of the attack.

VSS Copying Tool:

The VSS Copying Tool, developed using the Costura tool, embeds the AlphaVSS library, a .NET framework that facilitates interaction with the Volume Shadow Copy Service (VSS). This library simplifies VSS tasks for .NET programs by providing controlled APIs to generate, manage, and delete shadow copies, as well as access information about existing shadow copies. With AlphaVSS, the tool effectively copies files from VSS snapshots to a target directory, allowing attackers to access and copy files from VSS volumes on compromised machines, even when the operating system has them locked, before initiating encryption. This capability empowers the Play ransomware to steal files from existing shadow volume copies, even when those files are actively used by applications.

Vice Society

In early 2023, the Vice Society ransomware gang began using a PowerShell script to automate data theft from compromised networks. The exfiltrator relies on “living off the land” binaries and scripts, which reduces the chance that security software flags its activity. Before the final encryption step, it carries out exfiltration through a series of functions, Work(), Show(), CreateJobLocal(), and fill(), which scan for suitable directories, process them in groups, and send the data to servers controlled by Vice Society via HTTP POST requests.
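The Grixba upload described above (CSV files zipped and sent to a C2 server) and the Vice Society PowerShell exfiltrator share a shape that is visible in endpoint or proxy telemetry even when the tool itself is not flagged: a sustained run of HTTP POST bodies, or one very large one, from a single process to a destination the organization never sanctioned. The following Python is an added example, not code from the original report or from either group. It slides a ten-minute window over POST events per (host, process, destination), alerts when either a byte or a count threshold is crossed, and rates the alert higher when the uploading process is a scripting host or other living-off-the-land binary. The event schema (ts, host, process, dest, method, bytes), the allowlisted destinations and the thresholds are assumptions; the events are constructed.

```python
"""Detect bulk HTTP POST exfiltration in endpoint/proxy telemetry.
Added example, not from the original report. Events are constructed and the
field names are assumptions about your telemetry schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Scripting hosts and other living-off-the-land uploaders: the same volume
# from one of these is more suspicious than from a browser.
LOLBIN_UPLOADERS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                    "mshta.exe", "rundll32.exe", "curl.exe", "bitsadmin.exe",
                    "certutil.exe"}
# Hypothetical sanctioned upload destinations (backup, file sync, ...).
ALLOWED_DESTS = {"backup.corp.example", "files.corp.example"}

WINDOW = timedelta(minutes=10)
BYTES_THRESHOLD = 50 * 1024 * 1024   # 50 MiB of POST bodies in one window, or
COUNT_THRESHOLD = 20                 # 20 POSTs in one window, whichever comes first


def detect_exfil(events):
    """One alert per (host, process, dest) whose POST traffic crosses a
    threshold inside any WINDOW-long span. Sanctioned destinations are ignored."""
    posts = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["method"] != "POST" or e["dest"] in ALLOWED_DESTS:
            continue
        key = (e["host"], e["process"].lower(), e["dest"])
        posts[key].append((datetime.fromisoformat(e["ts"]), e["bytes"]))

    alerts = []
    for (host, process, dest), series in posts.items():
        start, volume = 0, 0
        for end, (ts, size) in enumerate(series):
            volume += size
            while ts - series[start][0] > WINDOW:      # slide the window forward
                volume -= series[start][1]
                start += 1
            count = end - start + 1
            if count >= COUNT_THRESHOLD or volume >= BYTES_THRESHOLD:
                alerts.append({"host": host, "process": process, "dest": dest,
                               "posts": count, "bytes": volume,
                               "first": series[start][0].isoformat(),
                               "last": ts.isoformat(),
                               "severity": "high" if process in LOLBIN_UPLOADERS
                               else "medium"})
                break                                   # one alert per key
    return alerts


def build_sample_events():
    """Constructed telemetry: a script posting many small chunks (Vice Society
    style), one large archive upload, a browser upload to an unsanctioned
    site, sanctioned backup traffic, and a GET that must be ignored."""
    base = datetime(2023, 5, 4, 9, 0, 0)
    events = []
    for i in range(25):                                 # 1 MiB every 10 s
        events.append({"ts": (base + timedelta(seconds=10 * i)).isoformat(),
                       "host": "fs01", "process": "powershell.exe",
                       "dest": "203.0.113.10", "method": "POST",
                       "bytes": 1024 * 1024})
    events.append({"ts": base.replace(hour=10).isoformat(), "host": "ws07",
                   "process": "curl.exe", "dest": "203.0.113.20",
                   "method": "POST", "bytes": 80 * 1024 * 1024})
    events.append({"ts": base.replace(hour=11).isoformat(), "host": "ws07",
                   "process": "chrome.exe", "dest": "198.51.100.5",
                   "method": "POST", "bytes": 200 * 1024 * 1024})
    events.append({"ts": base.replace(hour=12).isoformat(), "host": "fs01",
                   "process": "powershell.exe", "dest": "backup.corp.example",
                   "method": "POST", "bytes": 300 * 1024 * 1024})
    events.append({"ts": base.replace(hour=12, minute=5).isoformat(),
                   "host": "ws07", "process": "chrome.exe",
                   "dest": "198.51.100.5", "method": "GET", "bytes": 0})
    return events


if __name__ == "__main__":
    for alert in detect_exfil(build_sample_events()):
        print(alert)
```

On the sample, the PowerShell series trips the count threshold at its twentieth POST, the single 80 MiB upload trips the byte threshold on its own, and the browser upload surfaces only as a medium-severity lead; the 300 MiB backup job is suppressed by the allowlist, which is where most of the tuning effort in a real deployment goes.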

Royal Ransomware:

  • In February, researchers found that Royal had developed new variants for encrypting Linux devices, specifically targeting VMware ESXi virtual machines.
  • When encrypting, the ransomware appends the .royal_u extension to every encrypted file on the VM.
  • It supports several command-line flags that give the operators some control over the encryption process:
    • -stopvm – stops all running VMs so they can be encrypted
    • -vmonly – only encrypt virtual machines
    • -fork – unknown
    • -logs – unknown
    • -id – an ID that must be 32 characters long

LockBit:

Throughout its history, the LockBit operation has undergone various iterations of its encryptor. It started with a custom encryptor and later transitioned to LockBit 3.0 (also known as LockBit Black), which was derived from the source code of the BlackMatter gang.

In February 2023, a new encryptor named ‘LockBit Green’ emerged, revealing that it was based on the leaked source code of the disbanded Conti gang.

A noticeable change in LockBit Green is the utilization of a random extension instead of the typical .lockbit extension for encrypted files.

By April 2023, LockBit had expanded to macOS, making it the first major ransomware operation to build an encryptor for that platform. The sample analysed at the time appeared to be an early test build rather than a finished, working encryptor, but it marks a notable expansion of the group’s target range and a heightened threat to Mac users.

NOTABLE NEW RANSOMWARE GROUPS IN 2023

MalasLocker

MalasLocker is a ransomware group that began operating at the end of March 2023. It encrypts files and appends the string “This file is encrypted, look for README.txt for decryption instructions” to the end of every encrypted file.

The operation targets Zimbra servers, infiltrating them to steal email and encrypt files. Instead of the usual ransom demand, the actors claim that a donation to a charity of their choosing is required to receive a decryptor and prevent the stolen data from being leaked, an unusual demand that dresses a criminal act in humanitarian language.

At the time of this report’s publication, the ransomware had added 169 victims to its list.

Akira

Akira targets corporate networks worldwide. Its activity did not peak immediately after it launched in March 2023 but at the end of April and in May 2023. During encryption it appends the “.akira” extension to file names and drops a ransom note named “akira_readme.txt” in every folder, explaining the situation to the victim and linking to the Akira data leak and negotiation sites. At the time of this report’s publication, Akira had listed 76 victims.

RA Group Ransomware

RA Group is spreading C++ ransomware built from the leaked Babuk source code. It uses double extortion, threatening to publish stolen data unless victims pay or make contact within a set timeframe. On execution the ransomware drops a personalized note, “How To Restore Your Files.txt”, and, unusually, embeds the victim’s name in the executable itself. Files are encrypted with curve25519 and HC-128, and only parts of each file are encrypted rather than its full content, which shortens the encryption run. Encrypted files receive the “.GAGUP” extension. The ransomware empties the Recycle Bin, removes volume shadow copies with vssadmin.exe, scans logical drives, and uses Windows APIs to reach and encrypt files on network shares. Ten victims have been identified so far.

Rhysida

Rhysida is a recently emerged ransomware family written in C++. The group presents itself as a “cybersecurity team” that helps its targets by identifying weaknesses in their systems and stressing the consequences of those weaknesses. The ransomware is deployed through several means, chiefly via Cobalt Strike or a similar framework and through phishing campaigns.

The group adopts a similar approach to modern-day multi-extortion groups by coercively warning victims of potential public distribution of the exfiltrated data, aiming to pressure them into compliance. When executed, the ransomware initiates a cmd.exe window, scanning through all files on local drives. Once the files are encrypted, the ransomware appends the “.rhysida” extension to them. The ransom notes generated by the ransomware are created as PDF documents with the name “CriticalBreachDetected.pdf” and are saved within the affected folders on the targeted drives. At the time of this report’s publication, the ransomware had added 23 victims to its list.

NoEscape:

NoEscape is an emerging ransomware group that has recently gained momentum. Written in C++, NoEscape operates as a prominent Ransomware-as-a-Service (RaaS) platform, catering to affiliates and customers in the criminal ecosystem. The ransomware builder interface provides extensive customization options, enabling affiliates to create personalized ransomware executables. The ransomware encrypts the files, appends a unique string of characters to filenames, and generates a ransom note file called “HOW_TO_RECOVER_FILES.txt.” NoEscape executes commands to delete shadow copies and system backups to hinder recovery efforts, eliminating potential restoration options.
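RA Group, NoEscape and most of the other families above inhibit recovery before they encrypt: shadow copies are deleted with vssadmin.exe or WMI, backup catalogues are removed, and boot recovery is switched off. Those commands are rare in normal operation and are among the most reliable pre-encryption signals a SOC has. The following Python is an added example, not code from the original report or from any of the groups described; it classifies process-creation command lines against a small rule set and rolls the hits up per host, escalating when two or more distinct techniques appear on the same machine, which is the chained pattern ransomware produces. The events are constructed, Sysmon Event ID 1-like dictionaries, and the field names are assumptions.

```python
"""Flag process-creation events that inhibit recovery before encryption:
shadow copy deletion, shadow storage shrinking, backup catalogue deletion
and boot-recovery changes. Added example, not from the original report.
Events are constructed; field names are assumptions."""
import re
from collections import defaultdict

# Each rule is a name plus a case-insensitive regex over the full command line.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",            # shrinking storage evicts old copies
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b.*\bmaxsize=", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_shadowcopy_delete",
     re.compile(r"Win32_ShadowCopy\b.*(Remove-WmiObject|Remove-CimInstance|\.Delete\(\))", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin_delete_backups",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup|backup)\b", re.I)),
]


def classify(cmdline):
    """Names of every rule the command line matches; [] for benign use such
    as 'vssadmin list shadows'."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def hunt(events):
    """Per host: the distinct techniques seen and the matching commands.
    Severity is 'high' once two or more distinct techniques appear, 'medium'
    for a single hit that still needs a look."""
    per_host = defaultdict(lambda: {"rules": set(), "commands": []})
    for e in events:
        hits = classify(e["cmdline"])
        if hits:
            per_host[e["host"]]["rules"].update(hits)
            per_host[e["host"]]["commands"].append((e["ts"], e["parent"], e["cmdline"]))
    return {host: {"rules": sorted(v["rules"]), "commands": v["commands"],
                   "severity": "high" if len(v["rules"]) >= 2 else "medium"}
            for host, v in per_host.items()}


# Constructed events; the parent image names are placeholders.
SAMPLE_EVENTS = [
    {"ts": "2023-05-04T02:11:03", "host": "fs01", "parent": r"C:\Users\Public\stage.exe",
     "cmdline": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": "2023-05-04T02:11:04", "host": "fs01", "parent": r"C:\Users\Public\stage.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"ts": "2023-05-04T02:11:05", "host": "fs01", "parent": r"C:\Users\Public\stage.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"ts": "2023-05-04T09:30:12", "host": "ws07", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin list shadows"},
    {"ts": "2023-05-04T09:31:40", "host": "ws07", "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    {"ts": "2023-05-04T10:02:55", "host": "bk01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
]

if __name__ == "__main__":
    for host, result in hunt(SAMPLE_EVENTS).items():
        print(host, result["severity"], result["rules"])
```

The parent process is carried into the output rather than used as a filter on purpose: administrators do run vssadmin from cmd.exe, so a single hit is a lead to triage, while three distinct techniques from the same unknown parent within seconds, as on fs01 in the sample, is the point at which isolating the host is justified.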

NOTABLE VULNERABILITIES EXPLOITED BY RANSOMWARE SINCE THE BEGINNING OF 2023

Sr No – CVE ID (CVSS score) – Name – Affected product – Associated ransomware

1. CVE-2023-27350 (CVSS 9.8) – PaperCut MF/NG Improper Access Control Vulnerability. Affected: PaperCut MF and PaperCut NG before 22.0.9. Associated ransomware: Bl00dy, Cl0p, LockBit.
2. CVE-2022-47986 (CVSS 9.8) – IBM Aspera Faspex Code Execution Vulnerability. Affected: IBM Aspera Faspex for Windows and for Linux, 4.4.1 – 4.4.2 PL1. Associated ransomware: Buhti.
3. CVE-2023-27351 (CVSS 8.2) – PaperCut MF/NG Improper Authentication Vulnerability. Affected: PaperCut NG and PaperCut MF before 22.0.9. Associated ransomware: Bl00dy, Cl0p, LockBit.
4. CVE-2022-41352 (CVSS 9.8) – Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability. Affected: Zimbra Collaboration (ZCS) 8.8.15 and 9.0. Associated ransomware: Rorschach/BabLock.
5. CVE-2021-27876 (CVSS 8.1) – Veritas Backup Exec Agent File Access Vulnerability. Affected: Veritas Backup Exec before 21.2. Associated ransomware: BlackCat.
6. CVE-2021-27877 (CVSS 9.8) – Veritas Backup Exec Agent Improper Authentication Vulnerability. Affected: Veritas Backup Exec before 21.2. Associated ransomware: BlackCat.
7. CVE-2021-27878 (CVSS 8.8) – Veritas Backup Exec Agent Command Execution Vulnerability. Affected: Veritas Backup Exec before 21.2. Associated ransomware: BlackCat.
8. CVE-2023-28252 (CVSS 7.8) – Microsoft Windows Common Log File System (CLFS) Driver Privilege Escalation Vulnerability. Affected: Windows 10 through Windows 11 22H2; Windows Server 2008 through Windows Server 2022 20H2. Associated ransomware: Nokoyawa.
9. CVE-2023-0669 (CVSS 7.2) – Fortra GoAnywhere MFT Remote Code Execution Vulnerability. Affected: GoAnywhere MFT versions before 7.1.2. Associated ransomware: Clop.
10. CVE-2023-24880 (CVSS 4.4) – Microsoft Windows SmartScreen Security Feature Bypass Vulnerability. Affected: Windows builds before 10.0.14393.5786. Associated ransomware: Magniber.
11. CVE-2023-27532 (CVSS 7.5) – Veeam Backup & Replication authentication bypass allowing retrieval of stored credentials. Affected: Backup & Replication before 12.0.0.1420 P20230223. Associated ransomware: BlackBasta.
12. CVE-2023-34362 (CVSS 9.8) – Progress MOVEit Transfer SQL injection vulnerability. Affected: MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). Associated ransomware: Cl0p.
13. CVE-2016-0099 (CVSS 7.8) – Microsoft Windows Secondary Logon Service Privilege Escalation Vulnerability. Affected: the Secondary Logon Service in Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511. Associated ransomware: Trigona.
14. CVE-2021-21974 (CVSS 8.8) – VMware ESXi OpenSLP heap-overflow vulnerability. Affected: VMware ESXi, including the ESXi shipped with VMware Cloud Foundation. Associated ransomware: ESXiArgs.
15. CVE-2022-24682 (CVSS 6.1) – Zimbra Webmail Cross-Site Scripting Vulnerability. Affected: Zimbra Collaboration Suite 8.8.x before the 8.8.15 patch release. Associated ransomware: MalasLocker.
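Several entries in this table are fixed on more than one product branch (MOVEit Transfer) or need a patch on top of a specific build (Veeam 12.0.0.1420 requires P20230223), which is where a naive “is my version lower than X” comparison goes wrong. The following Python is an added example, not code from the original report or from any of the vendors listed; it turns the table into a branch-aware check that can be run against a product inventory and orders the findings by CVSS so that the 9.8s get patched first. The fixed builds are taken from the table’s “Affected product” column exactly as stated there (vendor advisories may list additional fixed builds for older branches that the table omits), entries for which the table gives no fixed build are left out, and the inventory is constructed.

```python
"""Check a product inventory against the ransomware-exploited CVEs tabulated
above. Added example, not from the original report: the fixed builds are taken
from the table's "Affected product" column and the inventory is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    cvss: float
    product: str
    fixed: tuple          # first fixed build on each maintained branch
    ransomware: str


# A trailing token such as "P20230223" is a patch that must also be present on
# an otherwise fixed build (the Veeam entry): that build without the patch is
# still exposed. Entries whose fixed build the table does not state are omitted.
ADVISORIES = [
    Advisory("CVE-2023-27350", 9.8, "PaperCut NG/MF", ("22.0.9",), "Bl00dy, Cl0p, LockBit"),
    Advisory("CVE-2023-27351", 8.2, "PaperCut NG/MF", ("22.0.9",), "Bl00dy, Cl0p, LockBit"),
    Advisory("CVE-2021-27876", 8.1, "Veritas Backup Exec", ("21.2",), "BlackCat"),
    Advisory("CVE-2021-27877", 9.8, "Veritas Backup Exec", ("21.2",), "BlackCat"),
    Advisory("CVE-2021-27878", 8.8, "Veritas Backup Exec", ("21.2",), "BlackCat"),
    Advisory("CVE-2023-0669", 7.2, "GoAnywhere MFT", ("7.1.2",), "Clop"),
    Advisory("CVE-2023-27532", 7.5, "Veeam Backup & Replication",
             ("12.0.0.1420 P20230223",), "BlackBasta"),
    Advisory("CVE-2023-34362", 9.8, "MOVEit Transfer",
             ("13.0.6", "13.1.4", "14.0.4", "14.1.5", "15.0.1"), "Cl0p"),
]


def parse_version(s):
    """'12.0.0.1420 P20230223' -> ((12, 0, 0, 1420), {'P20230223'})"""
    head, *patches = s.split()
    return tuple(int(p) for p in head.split(".")), set(patches)


def is_vulnerable(installed, fixed_builds):
    """Branch-aware check. The fixed build on the installed major.minor branch
    decides; a branch with no listed fix is treated as exposed when it is older
    than the newest fixed branch (an end-of-life line) and clean when newer."""
    ver, have = parse_version(installed)
    fixed = sorted((parse_version(f) for f in fixed_builds), key=lambda f: f[0])
    same_branch = [f for f in fixed if f[0][:2] == ver[:2]]
    if not same_branch:
        return ver[:2] < fixed[-1][0][:2]
    fnum, need = same_branch[0]
    return ver < fnum or (ver == fnum and not need <= have)


def assess(inventory):
    """inventory: iterable of (host, product, installed_version).
    Returns one finding per exposed (host, CVE), highest CVSS first."""
    findings = []
    for host, product, version in inventory:
        for adv in ADVISORIES:
            if adv.product == product and is_vulnerable(version, adv.fixed):
                findings.append({"host": host, "product": product, "version": version,
                                 "cve": adv.cve, "cvss": adv.cvss,
                                 "ransomware": adv.ransomware})
    return sorted(findings, key=lambda f: (-f["cvss"], f["cve"]))


# Constructed inventory.
SAMPLE_INVENTORY = [
    ("print01", "PaperCut NG/MF", "22.0.8"),
    ("mft01", "MOVEit Transfer", "14.1.5"),
    ("mft02", "MOVEit Transfer", "12.1.0"),
    ("bkp01", "Veeam Backup & Replication", "12.0.0.1420"),
    ("bkp02", "Veeam Backup & Replication", "12.0.0.1420 P20230223"),
    ("ga01", "GoAnywhere MFT", "7.1.1"),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"{f['host']:8} {f['cve']} (CVSS {f['cvss']}) "
              f"{f['product']} {f['version']} -> {f['ransomware']}")
```

In the sample, mft01 on 14.1.5 is clean because its own branch is fixed at that build, mft02 on the unsupported 12.1 line is exposed even though no 12.x fix exists, and the two Veeam hosts differ only in whether the P20230223 patch is recorded, which is exactly the distinction an inventory export usually loses.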

TRENDS COMPARISON OF H1 2022 & H1 2023.

A significant surge in ransomware attacks is evident, with a rise of approximately 53%. This increase may be attributed to evolving attack techniques, intensified use of ransomware-as-a-service (RaaS) models, and more sophisticated targeting of industries with valuable data. Additionally, remote work practices and the proliferation of connected devices have expanded the attack surface, making organizations more vulnerable to ransomware threats.

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW:

Impact Assessment

Ransomware presents a highly critical threat to both organizations and individuals within the external threat landscape, causing significant harm by encrypting data and demanding extortion payments. The potential consequences are far-reaching, including severe financial losses, data recovery expenses, and business disruptions, leading to downtime and decreased productivity. Moreover, ransomware attacks can result in data breaches, exposing sensitive information and customer data, leading to potential regulatory compliance challenges and legal consequences. Reputational damage can also be substantial, with organizations facing public scrutiny, loss of customer trust, and reduced market confidence.

Victimology

Ransomware operators are strategically attracted to companies that house high-value sensitive data, such as personally identifiable information (PII), financial records, and valuable intellectual property. Industries like manufacturing, healthcare, finance, and technology are prime targets due to the substantial worth of the data they possess. These cybercriminals specifically seek out sectors with critical information that can fetch significant profits on the dark web or through extortion.

Moreover, ransomware attackers are known to target countries with robust economies and thriving digital infrastructures. These nations become alluring targets due to their financial prosperity, making them more likely to possess lucrative assets that warrant sizable ransom demands. The potential for immense financial gain drives cybercriminals to exploit vulnerabilities in both organizations and countries, encrypting critical data, and demanding hefty ransoms for its safe release.

CONCLUSION

This report highlights the ever-evolving and persistent threat posed by ransomware. The emergence of new variants and the adaptability of established groups demonstrate the need for continuous vigilance and proactive security measures: a comprehensive defense strategy, continuous monitoring, employee education, and rapid incident response, so that organizations can counter the rising ransomware threat and avoid its potentially devastating consequences.

The Manufacturing industry remains a primary target, emphasizing the necessity for robust security practices in critical sectors. Additionally, the top 5 ransomware families’ widespread impact underscores the global nature of these cyber threats.

STRATEGIC RECOMMENDATIONS:

  • Strengthen Cybersecurity Measures: Invest in robust cybersecurity solutions, including advanced threat detection and prevention tools, to proactively defend against evolving ransomware threats.
  • Employee Training and Awareness: Conduct regular cybersecurity training for employees to educate them about phishing, social engineering, and safe online practices to minimize the risk of ransomware infections.
  • Incident Response Planning: Develop and regularly update a comprehensive incident response plan to ensure a swift and effective response in case of a ransomware attack, reducing the potential impact and downtime.
  • Vendor Risk Assessment: Evaluate and enforce cybersecurity standards for third-party vendors and partners to prevent potential ransomware attacks through supply chain vulnerabilities.
  • Regular Backups: Implement a robust data backup strategy, including offline and offsite backups, to ensure quick data recovery in the event of a ransomware incident.

MANAGEMENT RECOMMENDATIONS:

  • Cyber Insurance: Evaluate and consider cyber insurance policies that cover ransomware incidents to mitigate financial losses and protect the organization against potential extortion demands.
  • Security Audits: Conduct periodic security audits and assessments to identify and address potential weaknesses in the organization’s infrastructure and processes.
  • Security Governance: Establish a strong security governance framework that ensures accountability and clear responsibilities for cybersecurity across the organization.
  • Legal and Regulatory Compliance: Stay informed about evolving data protection laws and regulations and ensure compliance to avoid potential legal repercussions in the aftermath of a ransomware incident.

TACTICAL RECOMMENDATIONS:

  • Patch Management: Regularly update software and systems with the latest security patches to mitigate vulnerabilities that threat actors may exploit.
  • Network Segmentation: Implement network segmentation to limit lateral movement of ransomware within the network, isolating critical assets from potential infections.
  • Multi-Factor Authentication (MFA): Enable MFA for all privileged accounts and critical systems to add an extra layer of security against unauthorized access.
  • Web Filtering and Email Security: Utilize web filtering and email security solutions to block malicious links and attachments, reducing the risk of phishing-based ransomware attacks.
  • Endpoint Security: Deploy advanced endpoint security solutions that can detect and block ransomware at the endpoint level, preventing its spread across the network.