Palo Alto Networks has released Ransomware Retrospective 2024, which highlights how, over the past year, victims reported by leak sites grew by 49%, with 3,998 posts reported across various ransomware groups. 2023 has brought ransomware even more clearly to the market’s attention, posing particularly demanding challenges for companies. What caused this surge in activity? In 2023 they were registered vulnerability high-profile ones like SQL injection for MOVEit and GoAnywhere MFT services. Zero-day exploits for these vulnerabilities led to spikes in ransomware infections from groups like CL0P, LockBit, and ALPHV (BlackCat) before defenders could update the vulnerable software.
The impact of ransomware and its evolution is growing
Analysis by Unit 42 reveals the emergence of at least 25 new ransomware groups in 2023, underlining the attractiveness of ransomware as a profitable criminal activity. Despite the emergence of new groups such as Darkrace, CryptNet, and U-Bomb, many of these new ransomware threat actors did not resist and disappeared in the second half of the year. 2023 was a particularly active year for Strength of the international order, which have intensified the attention paid to ransomware. This led to the decline of bands like Hive and Ragnar Locker and the near collapse of ALPHV (BlackCat). The dataset available to Unit 42 reveals the evolution recorded by ransomware groups in 2023.
A threat aimed at all sectors and all regions
Throughout the year, ransomware threat actors targeted a wide range of organizations without targeting specific industries. That said, data collected by Unit 42 on leak sites indicates that the manufacturing industry was the most hit last year, with significant vulnerabilities recorded. The motivation? Companies in this sector generally have a visibility limited on its operational technology (OT) systems. They also often do not have adequate network monitoring and sometimes do not implement best security practices.
Italy in 6th place among the most affected states
Although businesses in at least 120 different countries have been affected by ransomware extortion, the United States has stood out as objective root of the ransomware. In fact, 47% of posts on leak sites involved US companies. Followed by the United Kingdom (6.5%), Canada (4.6%) and Germany (4%), with Italy ranking in 6th place, with 3%. In total, researchers observed 3,998 posts from leak sites in 2023, compared to 2,679 posts in 2022, which marks an increase of about 49%.
The impact of ransomware is growing
The first DLS (Dedicated Leak Site) was opened in 2019 by the Maze group, when it started using the tactics of double extortion. By stealing the victim’s files before encrypting them, Maze was the first known group to create a leak site to force the victim to pay a ransom to “free” the stolen data. These threat actors pressure victims to pay, not only to decrypt the files, but also to prevent them from being publicly exposed. Since 2019, ransomware groups have increasingly adopted leak sites as part of their operations.
Competition between criminal groups
Due to the high payments obtained from victims in recent years, cybercriminals are often enticed by the idea of ransomware as a source of revenue. When they form new gangs, not all attempts are successful or sustainable. A new group must consider several challenges not applicable to other malware, such as communication with victims and increased operational security. The public nature of dangerous operations increases the risk of detection by law enforcement, security providers and other defenders. Ransomware groups must also consider the competition.
The activity of the Akira group
The sharing of profits, software capabilities and affiliate support can have a significant impact on a new group’s position in a highly competitive criminal market like this one. Despite these challenges, the data reveals 25 new leak sites in 2023, with at least one ransomware-as-a-service (RaaS) offering launching, hoping to become a competitor in the ransomware market. The most active was Akira with almost 200 posts on the DLS and it was connected to Accounts through cryptocurrency transactions associated with the ransomware leadership team.
Ransomware groups that have disrupted operations
2023 also saw the decline of several prominent ransomware groups for different reasons. These include overexposure and aggressive tactics, which have attracted the attention of law enforcement and cybersecurity firms. Finish below i spotlight resulted in increased pressure and operational challenges. Among the most prolific groups of 2022, Hive was dismantled as part of a law enforcement operation reported in January 2023, obtaining the group’s decryption keys, sharing them with all victims around the world. This saved them over $130 million in potential ransom payments. Ragnar Locker, Ransomed.Vc, Trigona also suffered the same fate.
The impact of ransomware is growing
As for ALPHV, also known as BlackCat, the group was hit hard during 2023. In December, the FBI stopped its operations and released a decryption tool. This allowed compromised victims to recover your data. This was a huge setback for ALPHV, which offered incentives to keep its criminal affiliates from being scared off by the FBI. Meanwhile, other ransomware groups, such as LockBit, have begun to hunt them. The ALPHV group has since responded to the outage and resisted law enforcement action. However, he will not be able to improve his own reputationcould go out of business and rebrand itself as a new ransomware gang.
Groups that have potentially transformed themselves
2023 also saw suddenness disappearance of the Royal and Vice Society ransomware. Both were active in 2022 and the first half of last year with multiple extortion strategies, attracting the attention of law enforcement. Royal was created by former Conti members and has been involved in several high-profile attacks against critical infrastructure. It ceased operations in July 2023. However, several sources have reported similarities in the code between Royal and the new BlackSuit ransomware, indicating a possible rebranding. Vice Society had attracted the attention of the public and law enforcement by targeting organizations in the healthcare and education sectors.
Group distribution
This group stopped posting on its leak site in June 2023, but it may not have disappeared completely. Several researchers have linked Vice Society to the new Rhysida ransomware, suggesting a rebrand. Of the 3,998 posts on leak sites in 2023, the LockBit ransomware group was the most active until yesterday, with 928 companies affected (23% of the total). Operational since 2019 with few interruptions, they have been the most prolific group for two consecutive years. With the fall of gangs like Conti, Hive, and Ragnar Locker, it had become the go-to ransomware for many threat actors who later became its affiliates.
The impact of ransomware is growing. The Palo Alto analysis
LockBit has launched several variations affecting Linux and Windows operating systems. Using freely available software tools and taking advantage of LockBit’s fast encryption, affiliates could tailor ransomware operations to their individual needs. In second place for the number of leak messages is ALPHV (BlackCat), with approximately 9.7% of the total messages from leak sites in 2023. In third place is the CL0P ransomware, with approximately 9.1% of the posts . CL0P is known for using zero-day exploits of critical vulnerabilities such as those in Progress Software’s MOVEit and Fortra’s GoAnywhere MFT.