Cybersecurity company Mandiant has a new report confirming a considerable increase in ransomware activity from 2022 to 2023. The report also notes that the small drop in ransomware and extortion activity in 2022 was an anomaly caused, in part, by the war in Ukraine and the leaked Conti internal conversations.
Mandiant has been monitoring the activities of ransomware groups. It reported a 75% increase in the number of victims posted on the groups’ data leak websites in 2023, peaking in Q3 of 2023 when about 1,400 new victims were added. According to Mandiant, the number of ransomware-related cyberattacks increased by 20% in 2023. Mandiant’s results are in line with other reports; for instance, a report from Chainalysis confirmed that ransomware groups received a record $1 billion in payments in 2023.
In 2023, law enforcement agencies around the world stepped up their efforts to disrupt ransomware groups, including global operations against the LockBit and ALPHV/Blackcat ransomware groups. Although those operations led to seized infrastructure and interruptions, only a few people were detained, the core members of the groups remained free, and the majority of affiliates continued to carry out attacks, either with the same group or with other ransomware-as-a-service (RaaS) operations.
The attacks monitored by Mandiant were reported from 110 countries and involved over 50 new ransomware families and variants. One difference observed in 2023 was a higher ratio of new variants to new families, suggesting that ransomware groups are focusing on updating existing ransomware families instead of developing new families from scratch. Most of the new discoveries share code with other ransomware families, show overlaps between actors, or are rebrands of existing ransomware groups. Mandiant likewise observed a broader range of systems targeted by ransomware attacks, as the number of ransomware variants able to encrypt data on Linux and ESXi systems grew in 2023.
After gaining initial access, the majority of ransomware actors rely on commercially available, legitimate tools for their post-compromise activity before deploying their ransomware payloads. Mandiant has noticed a decline in the use of Cobalt Strike BEACON as attackers favor legitimate remote access tools. In 2023, 41% of attacks involved legitimate remote access and management tools, up from only 23% in 2022. In 2023, the primary initial access vectors were the exploitation of known vulnerabilities, brute force attacks, stolen credentials, phishing, and website compromise such as malvertising and SEO poisoning. 30% of attacks exploited vulnerabilities for initial access, including the CitrixBleed vulnerability CVE-2023-4966. 25% of attacks used stolen credentials, 14% of attacks used brute force tactics, and another 14% used phishing. About 59% of ransomware attacks involved confirmed or alleged data theft.
The median dwell time from initial access to ransomware deployment increased from 5 days in 2022 to 6 days in 2023. In 2023, about 33% of attacks involved ransomware deployment within 48 hours of initial access, and most attacks were timed to coincide with periods of reduced vigilance. 76% of attacks deployed ransomware outside working hours, when the fewest employees are present, to increase the likelihood of the attack going unnoticed. Ransomware is commonly deployed early in the morning.
Mandiant cites several reasons for the rise in attacks:
- A restart of the cybercriminal ecosystem after a disruptive year in 2022
- An increase in new actors performing attacks
- New partnerships between existing groups
- Members of disrupted, high-profile ransomware groups such as Conti starting their own RaaS operations
Although the attacks in 2023 largely followed the same patterns as the prior year, there were several significant changes, with various groups testing new tactics, techniques, and procedures. For instance, to put more pressure on victims to pay, patients whose protected health information was stolen received extortion demands threatening to expose their health information if they did not pay a ransom. The ALPHV group created a searchable database to make stolen information easily accessible, and it threatened to report cyberattacks on publicly traded firms to the Securities and Exchange Commission (SEC).