Q2 Cyber Threat Report: Ransomware Season Arrives Early
In this report, our threat intel team highlights our critical cyber threat and ransomware findings from Q2 2024 and what it means for the threat landscape.
Yet another record-shattering month for the number of ransomware victims on leak sites. Here’s what you need to know.
Corvus observed 484 new ransomware victims posted to leak sites in November 2023
That represents a 39.08% increase from October and a 110.43% increase year-on-year
This is the eleventh month in a row with a YoY increase in industry-wide ransomware victims, and the ninth month in a row with victim counts above 300
Threat actors are pivoting to software exploits and new malware to gain access to victims
In October, we reported that the number of ransomware victims on leak sites decreased by 15.12% compared to the previous month. However, November boomeranged back to a significant increase, both month-over-month and year-over-year.
In fact, November 2023 recorded the highest number of ransomware leak site victims ever reported. This is the third time in 2023 that such a record has been broken, the most recent pre-2023 record being established two years ago, in November 2021. During the previous two record-breaking months, a large portion of victims were a result of a CL0P mass-exploit attack, whereas that was not the case this month.
Such a pronounced October decrease across all groups was unusual, though the figure still remained vastly inflated year-over-year. Part of this could likely be attributed in part to the takedown of the Qakbot malware network. Qakbot, also called QBot is malware commonly deployed to gain initial entry into target networks. QBot was used by a number of prominent ransomware gangs including Black Basta, LockBit, Royal, Conti, and REvil.
According to Fortra PhishLabs, QBot was the most commonly observed malware family spread via email in Q3 2023. Even though it was taken offline by international law enforcement partway through the quarter, it still stood head and shoulders above competitors, making up 31.25% of the total payload volume for all of Q3.
For November, let’s drill into the data. The first thing to note is the breakdown by ransomware group. LockBit far and away tops the list with 121 victims followed by PLAY, AlphVM, BlackBasta, and 8Base.
LockBit, for its part was operating above average levels in November but not completely out of character. November 2023 was its third most active month on record just shy of February and August of this year, both of which were quite possibly seeing increased activity after some affiliates were returning from a Winter and Summer reprieve, respectively. Part of the explanation for increased LockBit activity could be the existence of a new NetScaler (formerly Citrix) vulnerability called CitrixBleed which has reportedly become a new staple for the group.
Other groups have begun exploiting a variety of recent vulnerabilities in software such as Qlik Sense (CVE-2023-41265) and ownCloud (CVE-2023-49103). While throughout the ransomware ecosystem, threat actors are switching to other types of infostealer malware such as DarkGate and Pikabot to make up for the loss of QBot. In essence, though perhaps slowed down by the shutdown, ransomware operators are quickly pivoting to other ways of compromising corporate networks.
As we pursue our mission to make the world a safer place, Corvus will continue to monitor the threat landscape to protect insureds and contribute to the collective defense of the community.
Corvus analysis was made possible with supporting data from eCrime.ch. This report is intended for general guidance and informational purposes only. This report is under no circumstances intended to be used or considered as specific insurance or information security advice. This report is not to be considered an objective or independent explanation of the matters contained herein.