Yet another record-shattering month for the number of ransomware victims on leak sites. Here’s what you need to know.
Corvus observed 484 new ransomware victims posted to leak sites in November 2023
That represents a 39.08% increase from October and a 110.43% increase year-on-year
This is the eleventh month in a row with a YoY increase in industry-wide ransomware victims, and the ninth month in a row with victim counts above 300
Threat actors are pivoting to software exploits and new malware to gain access to victims
Attack Frequency Details
In October, we reported that the number of ransomware victims on leak sites decreased by 15.12% compared to the previous month. However, November boomeranged back to a significant increase, both month-over-month and year-over-year.
In fact, November 2023 recorded the highest number of ransomware leak site victims ever reported. This is the third time in 2023 that such a record has been broken, the most recent pre-2023 record being established two years ago, in November 2021. During the previous two record-breaking months, a large portion of victims were a result of a CL0P mass-exploit attack, whereas that was not the case this month.
Such a pronounced October decrease across all groups was unusual, though the figure still remained vastly inflated year-over-year. Part of this could likely be attributed to the takedown of the Qakbot malware network. Qakbot, also called QBot, is malware commonly deployed to gain initial entry into target networks. QBot was used by a number of prominent ransomware gangs, including Black Basta, LockBit, Royal, Conti, and REvil.
According to Fortra PhishLabs, QBot was the most commonly observed malware family spread via email in Q3 2023. Even though it was taken offline by international law enforcement partway through the quarter, it still stood head and shoulders above competitors, making up 31.25% of the total payload volume for all of Q3.
For November, let’s drill into the data. The first thing to note is the breakdown by ransomware group. LockBit far and away tops the list with 121 victims, followed by PLAY, AlphVM, BlackBasta, and 8Base.
LockBit, for its part, was operating above average levels in November but not completely out of character. November 2023 was its third most active month on record, just shy of February and August of this year, both of which quite possibly saw increased activity as some affiliates returned from a Winter and Summer reprieve, respectively. Part of the explanation for increased LockBit activity could be the existence of a new NetScaler (formerly Citrix) vulnerability called CitrixBleed, which has reportedly become a new staple for the group.
Other groups have begun exploiting a variety of recent vulnerabilities in software such as Qlik Sense (CVE-2023-41265) and ownCloud (CVE-2023-49103). Meanwhile, throughout the ransomware ecosystem, threat actors are switching to other types of infostealer malware, such as DarkGate and Pikabot, to make up for the loss of QBot. In essence, though perhaps slowed down by the shutdown, ransomware operators are quickly pivoting to other ways of compromising corporate networks.
Corvus Threat Intel Team Notes
In summary, our three primary observations this month:
After a puzzling decrease in October, November shattered another record
Based on historical seasonal data, December will remain inflated year-over-year but likely won’t match November’s numbers
Expect a decrease in January as the humans behind ransomware attacks take some time off
The ransomware ecosystem at large has successfully pivoted away from QBot. Making software exploits and alternative malware families part of their repertoire is paying off for ransomware groups
As we pursue our mission to make the world a safer place, Corvus will continue to monitor the threat landscape to protect insureds and contribute to the collective defense of the community.
Corvus analysis was made possible with supporting data from eCrime.ch. This report is intended for general guidance and informational purposes only. This report is under no circumstances intended to be used or considered as specific insurance or information security advice. This report is not to be considered an objective or independent explanation of the matters contained herein.