Euro Security Watch with Mathew J. Schwartz


Known Ransomware Attack Volume Breaks Monthly Record, Again

Ransomware Groups Listed 514 Victims in Total on Their Data Leak Sites Last Month

The volume of known ransomware attacks surged last month to record-breaking levels, security researchers report.


Ransomware groups collectively listed 514 victims on their data-leak sites in September, breaking the previous record of 502 victims set in July, said U.K. cybersecurity firm NCC Group. The firm reports that "major drivers of this activity" include newer groups such as LostTrust, Cactus, and RansomedVC.

LostTrust listed 53 victims in September, accounting for 10% of listed attacks, placing it second only to LockBit, which counted 72 victims, cybersecurity firm Malwarebytes reported. Cactus and RansomedVC each listed 33 victims in September, it said, with RansomedVC notching up an especially high-profile victim in the form of Sony.

Two other notable groups - ThreeAM with 10 victims listed last month, and CiphBit with eight victims listed - are also newcomers, Malwarebytes said.

All of the aforementioned groups practice double extortion, meaning they attempt to steal data from a victim before forcibly encrypting files and folders, then demand ransom payments for the promise of a decryptor as well as a promise to not leak stolen data (see: Ransom Realpolitik: Paying for Data Deletion Is for Suckers).

The recent rise in attacks appears to have disproportionately affected the healthcare and life sciences sectors, with the number of such victims increasing by 86% from August to September, NCC Group said. "Healthcare continues to be an attractive target for threat actors because of the financial impact that a ransomware attack on companies in the pharmaceutical industry can have," it said.

Public Displays of Infection

The surge in September ransomware activity followed many groups apparently taking the summer off, as is typical. Only 25 groups posted victims in August, compared to 36 in July and September, cybersecurity firm Guidepoint Security reported.

While counting how many ransomware victims get listed is one way of attempting to track this type of crime, caveats apply. Such an approach fails to count or account for:

  • Non-listing groups: Not all ransomware groups run data-leak sites where they list victims to pressure them into paying;
  • Victims who pay: Some victims - perhaps one-third - pay quickly, precisely to avoid getting listed by groups that do run leak sites;
  • Incomplete listings: Ransomware groups with data leak sites rarely list every nonpaying victim;
  • Outright lies: Ransomware groups sometimes lie by inflating their victim count to seem more fierce, and sometimes they make mistakes.

Forecast: Bad Year for Victims

Such caveats aside, the volume of known ransomware victims has been increasing over the course of this year. Cyber insurer Resilience reports that based on current trends, including claims received, "2023 is set to be one of the most extensive years for ransomware on record."

Ransomware groups overall are penetrating and crypto-locking victims' networks more quickly than before. Security firm Sophos found that over the first six months of the year, the median dwell time for ransomware incidents fell from nine days to five days.

Sophos has also seen an uptick in attackers repurposing leaked crypto-locker source code, including "multiple LockBit knock-off attacks" involving that group's leaked version 3 source code. In one attack, criminals attempted to exploit known vulnerabilities in WS_FTP Server, built by Progress Software, for which the vendor has issued security updates (see: Why Criminals Keep Reusing Leaked Ransomware Builders).

In a more recent attack, Sophos saw a group calling itself "BlackDog 2023" attempt to exploit known vulnerabilities in outdated versions of Adobe's ColdFusion server software to gain access to a Windows network, after which the group planned to demand a ransom worth $30,000 in Monero.

While both of those attack attempts failed, Sean Gallagher, principal threat researcher at Sophos, said any firms using unpatched or outdated software remain at heightened risk from hackers, including ransomware groups, even after they upgrade or patch. "With things like unprotected ColdFusion servers and WS_FTP, companies need to also check to make sure none of their servers are already compromised, otherwise, they're still at risk from these attacks."

Clop Looms Large

In recent months, many victims of ransomware groups - a term that encompasses groups that only practice data extortion - trace to Clop's latest mass compromise campaign targeting users of Progress Software's MOVEit secure file-transfer software, which it launched in late May. While Clop, aka Cl0p, exploited a zero-day vulnerability in MOVEit to steal data and hold it to ransom, one upside for victims is that the extortionists didn't crypto-lock victims' networks.

Cyber insurer Corvus reports that even if one doesn't count Clop's campaign, the known volume of ransomware attacks per quarter would have already increased by 5% from Q2 to Q3, and 70% year on year to September.

"Following seasonal ransomware patterns, expect attack velocity to climb in Q4," Corvus said.

Whether Clop might be prepping its next zero-day attack, or simply living large after making an estimated $75 million to $100 million off of its MOVEit-hacking campaign, remains unclear (see: Hackers Hit Secure File Transfer Software Again and Again).

Clop last posted to its data leak site on July 31.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
