While coordinated law enforcement action and government initiatives helped in the fight against ransomware last year, NCC Group still recorded an 84% increase in attacks during 2023.
The IT services and consulting firm published its annual Threat Monitor Report for 2023 Thursday that detailed top threats, the most active threat actors and recommendations for emerging risks such as an increase in supply chain attacks. The report included data from NCC Group’s Cyber Incident Response Team (CIRT) and highlighted critical attacks, many of which involved ransomware.
The significant increase in ransomware activity followed a 5% decrease in cases that NCC Group observed between 2021 and 2022. Along with the 84% increase in ransomware incidents, where numbers jumped from 2,531 to 4,667, the number of victims also grew significantly, despite increased law enforcement successes.
The report also highlighted successful law enforcement actions such as the temporary disruption of the BlackCat/Alphv ransomware group in December, the arrest of Russian national and alleged LockBit affiliate Ruslan Astamirov in June, and the Qakbot malware takedown. Other wins NCC Group noted included the efforts of the International Counter Ransomware Initiative (ICRI) in November that involved 48 countries, the European Union and Interpol. Information sharing and disrupting ransomware actors’ cryptocurrency wallets were two priorities of the ICRI last year.
“However, despite this, we saw the highest volume of ransomware victims NCC Group has ever recorded with an 84% increase in 2023 alone. The sheer volume of attacks and different types of victims proves that no organisation is safe,” NCC Group wrote in the report.
While the most targeted sectors, such as finance, and the most active threat actors, including LockBit and BlackCat/Alphv, remained consistent between 2022 and 2023, overall activity surged. NCC Group analysts found that the mean number of attacks rose from 211 in 2022 to 389 last year. September saw the greatest number of ransomware attacks per month, while January saw the lowest.
Analysts partially attributed 2023’s remarkable increase to threat actors capitalizing on the success of double and triple extortion methods. The use of DDoS attacks and public data leak sites further pressured victim organizations to pay the ransom. In addition, ransomware actors extended extortion threats to victim organizations’ customers, friends and family members. In some cases, ransomware groups threatened to send stolen data to victims’ competitors.
However, NCC Group found that there was more to the record-setting ransomware year than lucrative extortion methods.
“While these are all valid and likely contribute in some way, NCC Group strongly consider the frequent uptick of new players in 2023’s ransomware threat landscape to be pushing this figure up further, with an additional 3 arriving in December alone (Hunters, DragonForce and WereWolves),” the report said.
New ransomware gangs such as Play, 8Base, Medusa and BianLian emerged among NCC Group’s 10 most active threat actor groups for 2023. The total number of threat actors also rose from 55 threat groups in 2022 to 64 in 2023. In addition to new players, five ransomware gangs that were among the top 10 most active groups in 2022 maintained their positions in 2023, with LockBit at No. 1 and BlackCat/Alphv in second.
NCC Group also highlighted the elevated activity of LockBit and version 3.0 of its ransomware.
“LockBit 3.0’s 2023 activity is nearly 250% that of the second most active threat group for the year, BlackCat, which themselves saw a 200% increase in activity since last year,” the report said. “This shows how dominant LockBit has been in the ransomware space, that other threat groups can double or more their 2022 activity levels and still not be anywhere near LockBit’s level of activity.”
Beware of mass exploitation
The Clop ransomware gang, known for the widespread attacks against Progress Software’s MoveIt Transfer and Fortra’s GoAnywhere managed file transfer (MFT) products, also surprised NCC Group analysts. The report noted that Clop attacks increased from 57 in 2022 to 404 in 2023. Analysts emphasized that Clop “evidently stepped up their game.”
The gang claimed the third most active threat actor spot. In a separate report, Chainalysis revealed that Clop amassed more than $100 million in ransom payments during the months that Progress Software customers were attacked. While perpetrated by Clop threat actors, the MoveIt Transfer and GoAnywhere attacks did not encrypt victims’ systems and only exfiltrated data from vulnerable MFT instances.
Mass exploitation attacks such as these largely contributed to Clop’s success. NCC Group said the gang targets “a weak spot in organisational supply chains (preferably facilitating file transfer/storage)” and develops exploits to take advantage of vulnerabilities.
“Therefore, it is prudent for organisations of any sector to consider their third-party security posture and the exploitability of their supply chain, to avoid becoming a victim of Cl0p’s likely future excursion into the supply chain,” the report said.
A shift in the ransomware-as-a-service ecosystem also contributed to the surge in attacks. Ransomware operators develop the strains and sell them to less technically skilled affiliates, who in turn carry out the attacks. However, NCC Group found that affiliates are no longer as loyal to the ransomware gangs they purchase from, partly because they now have access to more variants.
If a victim organization blocks one attack with a specific ransomware variant, affiliates will return with a different strain. NCC Group provided an example of an attack that occurred against a Symantec client’s environments. Affiliates attempted to deploy LockBit ransomware, but the victim stopped the attack before any damage was done.
“With a demonstration of tenacity, the threat actor instead tried to deploy a much newer variant; 3AM (the first observation of which was very possibly this same incident), which was instead successful, although it was still subsequently blocked after just three machines were affected,” the report said. “This is a quintessential example of threat actors having a pool of variants to choose from, making their attacks far more persistent and difficult to block, and thereby potentially increasing the overall ransomware cases across the year.”
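The defensive consequence of the incident above is that a blocked ransomware deployment should be treated as an active intrusion rather than a closed case, because the same actor may return with a different family. The following added example (not code from NCC Group or the report) shows detection logic over a handful of constructed EDR-style block events: it flags hosts where two or more distinct ransomware families were blocked within a window, and counts how many hosts each family reached. The log format and field names are invented for illustration and do not correspond to any vendor's schema.

```python
"""Flag hosts where blocked ransomware deployments recur with a different
family inside a time window (the 'pool of variants' pattern), and count the
spread of each family across hosts.  Added example; the event format below
is constructed for illustration, not a real vendor schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp, host, ransomware family, outcome.
SAMPLE_EVENTS = [
    "2023-09-05T01:12:00Z host=FS01 family=LockBit action=blocked",
    "2023-09-05T01:40:00Z host=FS01 family=3AM action=blocked",
    "2023-09-05T01:41:00Z host=WS22 family=3AM action=blocked",
    "2023-09-05T01:42:00Z host=WS23 family=3AM action=blocked",
    "2023-09-06T09:00:00Z host=DB02 family=LockBit action=blocked",
    "2023-09-09T10:00:00Z host=DB02 family=BlackCat action=blocked",
]


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_variant_switches(lines, window_hours=24):
    """Return {host: sorted families} for every host on which at least two
    distinct ransomware families were blocked within `window_hours`."""
    window = timedelta(hours=window_hours)
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev.get("action") == "blocked":
            by_host[ev["host"]].append((ev["ts"], ev["family"]))

    alerts = {}
    for host, events in by_host.items():
        events.sort()  # chronological order
        for i, (t0, f0) in enumerate(events):
            families = {f0}
            # Collect families seen within the window after this event.
            for t1, f1 in events[i + 1:]:
                if t1 - t0 > window:
                    break
                families.add(f1)
            if len(families) >= 2:
                alerts[host] = sorted(families)
                break
    return alerts


def hosts_per_family(lines):
    """Return {family: number of distinct hosts} for blocked deployments,
    a quick measure of how far each variant got before being stopped."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev.get("action") == "blocked":
            seen[ev["family"]].add(ev["host"])
    return {family: len(hosts) for family, hosts in seen.items()}


if __name__ == "__main__":
    print("variant switches:", find_variant_switches(SAMPLE_EVENTS))
    print("hosts per family:", hosts_per_family(SAMPLE_EVENTS))
```

On the sample data FS01 is flagged because LockBit and 3AM were both blocked there within half an hour, while DB02 is not flagged at the default 24-hour window because its two blocks are three days apart; widening the window to a week catches it. The spread count shows 3AM reaching three hosts, mirroring the "three machines" in the report's example.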
NCC Group also warned that ransomware operators are targeting large software developers and managed service providers to maximize their profits with large-scale attack campaigns. “So, even if an organisation does not perceive a direct threat from ransomware, it should consider the potential impact on its supply chain,” the report said.
Patch, patch, patch
While the number of ransomware attacks and victims skyrocketed in 2023, the threat only accounted for a small percentage of incident response cases handled by CIRT. Unauthorized access and phishing claimed the top two attack categories in NCC Group’s report. The sectors that saw the most incidents included financial, which experienced a 15% increase from 2022 to 2023, with industrials and government right behind at 14% each.
Though threat actors thrived last year, NCC Group said many attacks occurred because organizations struggled with timely patching. The report noted that SentinelOne continued to see a known Fortinet FortiOS and FortiProxy vulnerability, tracked as CVE-2018-13379, being exploited, as well as old flaws in Microsoft Exchange Server and Atlassian Confluence Server and Data Center.
The good news was that the number of critical vulnerabilities decreased in 2023, while vulnerability disclosure in general saw a “substantial increase.” NCC Group urged organizations to mitigate known vulnerabilities and implement efficient patch management programs.
NCC Group also discussed the potential risks and benefits of generative AI, claiming that “the technology has created a new vulnerability in adversarial attacks.” While threat actors have already abused some generative AI tools, the report noted that the technology will also help organizations strengthen their security postures. However, NCC Group urged organizations to exercise caution, particularly when it comes to software.
“Those that leverage generative AI models such as ChatGPT need to be aware of the trustworthy nature of the coding packages it outputs as it can be leveraged to spread malicious packages into developer’s environments through data poisoning,” the report said.
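One practical control for the concern quoted above is to never install a dependency simply because an assistant suggested it: every package name must already be on an organisation-approved list and pinned to the approved version. The following added example (not NCC Group's code) vets a requirements list against such an allowlist, flags names that are not approved (and notes when an unapproved name closely resembles an approved one), and flags approved packages that are not pinned. The allowlist, the suggested requirements and the `vet_requirements` helper are all constructed for illustration.

```python
"""Vet a requirements list (for example one an assistant produced) against an
organisation-approved package list.  Added example; the allowlist, the
sample requirements and the function names are constructed for illustration."""
import difflib
import re

# Constructed allowlist: normalised package name -> approved pinned version.
APPROVED = {
    "requests": "2.31.0",
    "cryptography": "41.0.7",
    "pyyaml": "6.0.1",
}

# Constructed requirements text as an assistant might emit it.  It mixes a
# correct pin, a misspelt name, an unpinned range and an unknown package.
SUGGESTED = """\
requests==2.31.0
reqeusts
pyyaml>=6.0
crypto-utils-helper
cryptography==41.0.7
"""

# name, optional version operator, optional version
REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|<|>)?\s*([^\s;#]*)"
)


def normalize(name):
    """Normalise a package name the way package indexes compare them."""
    return re.sub(r"[-_.]+", "-", name).lower()


def vet_requirements(text, approved=APPROVED):
    """Return a list of (requirement, reason) findings; an empty list means
    every line is an approved package pinned to its approved version."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = REQ_RE.match(line)
        if not match:
            findings.append((line, "unparseable requirement"))
            continue
        name, op, version = match.groups()
        key = normalize(name)
        if key not in approved:
            # Flag unknown names; mention an approved name it resembles so a
            # reviewer can see a likely misspelling at a glance.
            close = difflib.get_close_matches(key, list(approved), n=1, cutoff=0.8)
            reason = "not approved"
            if close:
                reason += f"; resembles '{close[0]}'"
            findings.append((name, reason))
        elif op != "==" or version != approved[key]:
            findings.append((name, f"must be pinned to =={approved[key]}"))
    return findings


if __name__ == "__main__":
    for requirement, reason in vet_requirements(SUGGESTED):
        print(f"{requirement}: {reason}")
```

Run against the sample text, the check passes `requests` and `cryptography`, reports `reqeusts` as unapproved and similar to `requests`, asks for `pyyaml` to be pinned, and reports `crypto-utils-helper` as unapproved. In practice the allowlist would be generated from a reviewed lockfile and the check run in CI before any install step, with installs restricted to an internal index that mirrors only approved packages.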
Arielle Waldman is a Boston-based reporter covering enterprise security news.