Getty Images/iStockphoto
Corvus: 2023 was a 'record-breaking' ransomware year
The insurance company analyzed claims data and ransomware gangs' data leak sites, which suggests as many as 7,600 organizations across the globe were attacked in 2023.
An increase in the number of active ransomware groups and threat actors exploiting more vulnerabilities contributed to a "record breaking year" for the widespread threat in 2023, according to new research from Corvus Insurance.
Corvus published its "Q4 Ransomware Report" on Tuesday that revealed a 69% increase in activity compared to the fourth quarter of 2022. While successful law enforcement action taken in the fourth quarter likely led to fewer ransomware victims, Corvus found threat actors adapted their tactics quickly.
"To describe cybercriminals in 2023, we'd use one word: resilient," Corvus wrote in the report.
To compile the report, Corvus collected and analyzed data from ransomware leak sites, which it monitors for insured organizations and partners. Ransomware groups operate data leak sites on the dark web as an extortion method to pressure victim organizations to pay. Corvus noted its report does not include victims that paid the ransom, as those organizations typically get removed the leak sites.
Paying ransomware threat actors is an ongoing area of contention. While vendors like Emsisoft say it fuels the ransomware threat and payments should be banned, others claim prolonged disruptions leave businesses with no alternative. Based on claims data, the insurance company estimated that between 27% and 41% of ransomware victims paid their attackers.
By combining claims data with leak sites' information, Corvus found the number of victim organizations reached record highs last year. The total number of leak site victims skyrocketed from 2,670 in 2022 to 4,496 in 2023. With the claims data estimate on victims that paid ransoms, Corvus said the number surges to between 6,100 and 7,600 total organizations.
One main contributor to the rise in attacks was a shift in tactics; threat actors increasingly used a security weakness found in many organizations — vulnerability management. Organizations struggled to keep pace with the influx of critical vulnerabilities while threat actors exhibited rapid exploitation times.
"Through rapid reconnaissance and scalable deployments, threat actors were able to exploit victims much more quickly after a CVE was discovered—in some cases, even before the discovery was publicized. Threat actors put thousands of security teams' patch management and vulnerability programs to the test, and in many cases they won," the report said.
Clop on top
In many cases, ransomware groups disrupted hundreds to thousands of victims by exploiting just one vulnerability. One of the most well-known examples occurred in May when the Clop ransomware gang exploited a zero-day vulnerability in Progress Software's MoveIt Transfer managed file transfer (MFT) product. Clop's widespread campaign of data theft and extortion attacks impacted more than 2,000 organizations, according to estimates.
The report detailed five largescale attacks in total, including the MoveIt Transfer attacks and an earlier campaign that exploited a zero-day vulnerability in Fortra's GoAnywhere MFT software. Clop also took responsibility for subsequent ransomware attacks against GoAnywhere customers; Corvus counted an estimated 130 victims. According to the report, the highest number of victims stemmed from attacks that exploited known vulnerabilities in exposed ESXi servers. The campaign, which began in February, was dubbed ESXiArgs and hit thousands of victims, according to Corvus.
However, Clop wasn't the only active ransomware gang in 2023. Corvus confirmed the LockBit and Medusa ransomware groups claimed responsibility for many "high-profile" attacks in the fourth quarter. Unfortunately for victim organizations, the threat landscape was full of many active groups throughout the year. Corvus revealed a 34% increase in the number of active ransomware groups between the first quarter and fourth quarter of 2023. The year started with 35 groups and ended with 47, which Corvus said played a significant role in the record high year.
"This increase is attributed to the fracturing of well-known ransomware groups that have had their proprietary encryptors leaked on the dark web. As a result, many new actors have gained access to these encryptors and started their own ransomware operators," the report read.
One prime example was Babuk's encryptor, which Corvus said has been used by at least 10 ransomware groups since the leak. However, Cisco Talos obtained a decryptor for Babuk Tortilla ransomware victims following an arrest of a threat actor in January 2024. The vendor shared the decryptor with Avast, which updated its earlier Babuk decryptor to assist victims with recovering from a wider set of Babuk strains.
Law enforcement efforts
Successful law enforcement actions were also highlighted in the Corvus report. In August 2023, an international law enforcement operation dismantled Qakbot, a malware used to deploy dangerous ransomware. However, Corvus confirmed ransomware groups adapted quickly. Operators switched from using Qbot code to Pikabot and DarkGate.
A law enforcement effort publicly disclosed by the Department of Justice on Dec. 19 also temporarily disrupted the BlackCat/Alphv ransomware group. Corvus held a webinar Tuesday that expanded on the report and discussed additional law enforcement actions. Ryan Bell, head of threat intelligence at Corvus, said the insurer observed a decrease in activity on BlackCat's leak site beginning on Dec. 3. However, victim names ramped up again the week of Dec. 24.
Bell added that BlackCat accounted for 9% of total ransomware victims in 2022 and 2023. "We expected them to roll and over die [following law enforcement action], but they're not giving up as quickly as other groups in the past," Bell said during the webinar.
Another panelist, Josh Douget, senior claims manager for Corvus, detailed a case study that involved law enforcement and a wholesale distributor with locations throughout the U.S. The policyholder was attacked by an unnamed ransomware threat actor that exfiltrated data and encrypted its network, including business critical systems. Douget emphasized how the attack halted operations at many of the company's locations. After the policyholder contacted Corvus, the distributor engaged a ransom negotiator, forensics team and the FBI. The FBI provided the company with a decryptor, which significantly limited business disruptions. Although some corrupted data remained, the company's backups filled in any gaps.
"While all of this was going on, the ransom negotiator was on the phone with the threat actor attempting to delay posting the victims data to the public data leak site," Douget said. "In just the nick of time, the FBI spring into action and seized that leak site and took it down, which prevented any sensitive information from ever being posted to the dark web."
While Douget said policyholders can't rely on law enforcement to "save the day for every single claim," he said their work to disrupt ransomware groups is beneficial "from time to time." Corvus wasn't the only company to observe a significant increase in the ransomware threat last year.
In October, NCC Group found a 153% increase in the number of attacks between September 2022 and 2023. TechTarget Editorial also tracked ransomware activity in 2023 and found an alarming increase in attacks against the private sector and healthcare in December. Corvus's report on Tuesday warned that attacks against law practices are also on the rise.
Corvus urged organizations to apply the same resilience threat actors exhibited throughout 2023, as risks will only increase.
"2024 will no doubt have more surprises, new threat actors, re-brands and lots of new vulnerabilities. The honing of the ransomware craft dominated 2023, and every indication points to that continued story in 2024," the report said. "The onus is on businesses to bolster security in their own networks."
Updated on 2/7/2024.
Arielle Waldman is a Boston-based reporter covering enterprise security news.