Due to law enforcement actions, the number of ransomware leak site victims posted in Q4 was, as expected, lower than Q3 (by 7%) — but still up 69% year-over-year
The number of ransomware groups active across the globe grew by one third between Q1 and Q4 2023
Threat actors in Q4 proved resilient in the face of law enforcement, quickly switching from QBot to Pikabot and DarkGate
The exploitation of externally facing vulnerabilities played a significant role in breaking ransomware activity records throughout 2023, with high-profile exploits continuing right through Q4
2023 has come to an end and one thing is for certain: it’s been a record-breaking year for ransomware. Victim counts on leak sites regularly landed above 300 (several months hit counts above 400) and activity steadily climbed each quarter throughout the year. Q4 saw a slight decrease from the previous quarter, with 1,278 victims observed on ransomware leak sites (that’s 7% fewer than in Q3). But make no mistake, that figure represents a steep 69% increase compared to the fourth quarter of 2022. As we’ve said before, we’re firmly in a “new normal” of heightened activity.
In this report, we will highlight some more of our findings from Q4 2023 and also look at trends across the full year that was 2023. Let’s dig in!
In the past, the fourth quarter was typically the most active quarter for ransomware attacks in a given year. Why wasn’t that the case in 2023?
Most significantly, international law enforcement took down a malware network, Qakbot, in August. Also known as QBot, this malicious code was often used to gain initial access to victim networks. While threat actors wasted little time pivoting to new malware, the takedown does appear to have been a setback for them. As a result, October ransomware numbers fell short of what was expected. In Q4 law enforcement also disrupted one of the most prolific ransomware gangs, ALPHV/BlackCat, which likely impacted totals (more on this later).
As we look back on 2023’s ransomware numbers, total victims posted on leak sites far surpassed what was observed in 2021 or 2022.
Total Leak Site Victims
We would be remiss if we didn’t point out that this is only a partial picture; ransomware victims who quickly pay the ransom may not show up on leak sites and thus wouldn’t be counted here. While no one has an exact number, the best estimates are that between 27% (a figure drawn from our own claims data) and 41% of ransomware victims fall into this unobserved category by paying a ransom. That means we can estimate that the total number of ransomware victims in 2023 ranged between 6,100 and 7,600 organizations.
Corvus observed several key factors that have contributed to the elevated year-over-year numbers in the fourth quarter and throughout the rest of the year.
In late Q3, international law enforcement took down the Qakbot malware network. Qakbot, also called QBot, is malware commonly deployed to gain initial entry into target networks. QBot was used by a number of prominent ransomware gangs, including Black Basta, LockBit, Royal, Conti, and REvil.
According to Fortra PhishLabs, QBot was the most commonly observed malware family spread via email in Q3 2023. Even though it was taken offline by international law enforcement partway through the quarter, it still stood head and shoulders above competitors, making up 31.25% of the total payload volume for all of Q3.
The takedown of QBot is one factor contributing to the lower-than-expected incidence of ransomware victims we saw in October and in the fourth quarter overall. This was certainly good news, but as shown in the chart below, this disruption didn’t keep threat actors down for long. We saw a noticeable pivot to other malware strains such as “Pikabot” and “DarkGate” to gain initial access to victim networks, and this activity ensured that the numbers for the fourth quarter, unfortunately, didn’t fall too far.
There has been a significant 34% increase in the number of active ransomware gangs between Q1 and Q4 2023, starting with 35 active groups early in the year and ending with 47. This increase is attributed to the fracturing of well-known ransomware groups that have had their proprietary encryptors leaked on the dark web. As a result, many new actors have gained access to these encryptors and started their own ransomware operations. For instance, at least ten new ransomware groups have been observed using Babuk’s encryptor, which was leaked in 2021. Additionally, members of larger defunct groups are forming splinter groups, resulting in a higher number of distinct ransomware gangs conducting attacks.
Another factor contributing to higher ransomware numbers in 2023 was a major shift in threat actors’ use of vulnerabilities. If malware such as infostealers provides a steady drip of new ransomware victims, then a major vulnerability is like turning on a faucet. With some vulnerabilities, relatively easy access to thousands of victims can materialize seemingly overnight.
Looking back at what happened in the first quarter of 2023 shows just how devastating this can be. The year started like most years do, with fewer ransomware victims in January as threat actors took their usual holiday breaks. By early February, though, a threat actor had developed a working exploit for dated software vulnerabilities in VMware ESXi servers. The actor located potential victims by scanning the web for that software, and quickly amassed thousands of victims. Within a few weeks, other threat actors discovered a software vulnerability in Fortra’s GoAnywhere, a managed file transfer software, and, like the first group, scanned the internet for potential victims with great effect. Shortly after these exploits the number of victims published on ransomware leak sites hit record-breaking levels, and we saw the same playbook used again and again throughout 2023, with startling results.
One reason for the seemingly sudden effectiveness of this strategy is that threat actors expedited their exploitation efforts. Through rapid reconnaissance and scalable deployments, threat actors were able to exploit victims much more quickly after a CVE was discovered — in some cases, even before the discovery was publicized. Threat actors put thousands of security teams’ patch management and vulnerability management programs to the test, and in many cases they won.
This trend continued into Q4 with rapid and wide exploitation of vulnerabilities like CitrixBleed, a critical flaw in NetScaler Gateways and Application Delivery Controllers (ADC). CitrixBleed has been exploited by numerous ransomware groups including LockBit and Medusa and has resulted in some very high-profile cases over the last few weeks.
Our analysis of leak site data shows that the targeting of particular industries was less prevalent in the last quarter. That said, two industries saw numbers of leak victims climb steadily throughout the year in 2023.
Law Practices: We previously reported on the increasing number of law practices on leak sites. Much of this was due to the ALPHV ransomware group. This group accounted for nearly a quarter of all victims in this industry (23.53%) in Q3. However, this fell in Q4 to 8.82%, possibly slowed down as a result of law enforcement disruption in December 2023.
Transportation, Logistics, and Storage: This industry has seen consistent increases throughout the year. LockBit 3.0 accounts for 22.22% of victims while ALPHV (BlackCat) makes up another 15.87%. Given the nature of the work, businesses in this industry are sensitive to business interruption and may present attractive targets to threat actors looking to put pressure on victims to pay for decryption.
To describe cybercriminals in 2023, we’d use one word: resilient. Coming out of 2022, a year in which a continuing war in Ukraine and successful law enforcement actions appeared to have destabilized the entire industry, threat actors proved undeterred. They quickly pivoted to new forms of malware after the QBot takedown, and doubled down on software vulnerabilities, moving the starting line in their own favor in the race to patch or exploit.
2024 will no doubt have more surprises, new threat actors, re-brands, and lots of new vulnerabilities. The honing of the ransomware craft dominated 2023, and every indication points to that continued story in 2024. While law enforcement actions have been able to throw a wrench in threat actors’ plans, this hasn’t stopped attackers. The onus is on businesses to bolster security in their own networks. We hope to see organizations focus on their own resilience in 2024 — a narrative that doesn’t just belong to threat actors — as they continue to take the right steps to secure their environments and focus on cybersecurity.
The data for this report is collected from ransomware leak sites. These are websites on the dark web maintained by ransomware groups where they will list uncooperative victims and post stolen data. Relying on regular crawls of these dark web leak sites, Corvus is able to continually monitor for insureds and partners but also uses the aggregated data for these analyses.
As with most other datasets in existence, this is an incomplete picture of all ransomware attacks. Victims who quickly comply with threat actors’ demands and quietly pay a ransom have a much lower likelihood of appearing on a leak site and therefore would not be measured in our assessments of ransomware velocity. There will always be a percentage of attacks that are unknown. However, leveraging our data combined with insights from partners, and others in the industry, we can paint a comprehensive picture of the ransomware landscape and draw valid insights.
Corvus analysis was made possible with supporting data from eCrime.ch and Malware Bazaar. This report is intended for general guidance and informational purposes only. This report is under no circumstances intended to be used or considered as specific insurance or information security advice. This report is not to be considered an objective or independent explanation of the matters contained herein.