The world has witnessed an alarming surge in ransomware attacks in 2023. After a 2022 decline, cybercriminals are demonstrating their tenacity by exploiting vulnerabilities and holding organizations hostage.
Ransomware is back and worse than it has ever been. Using ransomware leak sites on the dark web and ransomware payment data, Corvus aims to show that recent developments in ransomware are not a passing phase but a definitive resurgence.
The Escalation of Ransomware Attacks
A lot happened in 2022, notably the Russian invasion of Ukraine. Shortly after armed conflict broke out in the region, ransomware saw a notable decline. This was a welcome change at the time, but ongoing monitoring of victim postings on ransomware leak sites shows just how much of an anomaly 2022 was.
Ransomware attacks climbed a staggering 101.84% from August 2022 to May 2023. A steady uptick began in late 2022 and became much more pronounced in Q1 2023, with a 36% increase year over year and a 65% increase compared to Q1 2021. The trend didn’t stop there: Q2 2023 now has the highest number of leak site victims on record.
Corvus first flagged higher global ransomware frequency in early 2023, and now, halfway through the year, there is no sign of slowing down. This raises the question: why the increase?
More Active Ransomware Groups
One explanation is that there are simply more active ransomware groups. In fact, there has been a 33% increase in the number of active ransomware gangs between January 2022 and May 2023. As well-known ransomware groups fractured, their proprietary encryptors leaked on the dark web. This allowed a number of new threat actors to freely deploy these types of malware and start their own ransomware operations. For example, since it leaked in 2021, at least 10 new ransomware groups have used Babuk’s encryptor. In addition, members of larger, defunct groups are forming splinter groups. The result has been an increasing number of ransomware gangs conducting attacks.
Mass Exploits of Vulnerabilities
Another explanation for the increase in attacks is that threat actors are exploiting vulnerabilities in widely deployed software to compromise victims en masse. You may have heard of high-profile incidents such as the 2021 attack against Kaseya, which resulted in a large number of downstream victims. Previously, attacks of this scale occurred roughly once or twice per year. In 2023 so far, there have been three separate incidents (ESXiArgs, GoAnywhere, and MOVEit). Threat actors are finding more scalable ways of extorting many victims simultaneously. By quickly exploiting vulnerabilities in widely used software, threat actors might argue they are “working smarter, not harder.”
The impact is striking. A recent perpetrator of these large-scale exploits is the once relatively quiet CL0P ransomware group. Between January 2021 and January 2023, the group listed an average of 5 new victims per month. In February 2023, CL0P exploited a vulnerability in the managed file transfer software GoAnywhere, claiming to have compromised over 130 organizations. This led to the group listing 103 new victims on its leak site in March 2023, nearly as many in a single month as in the previous two years combined. All of this stems from a single software vulnerability exploited en masse. More recently, CL0P exploited a separate vulnerability in the file transfer software MOVEit. The situation is still developing, but CL0P claims the vulnerability allowed it to compromise hundreds of victims.
It isn’t just frequency; ransomware severity is also increasing. According to the payment solution provider Digital Asset Redemption, ransom costs, demands, and payments are up in 2023:
Average Ransom Demand
2023: $2 million ↗
2022: $1.04 million ↙
2021: $1.4 million
Ransom Payment Amounts Are Up
70% increase from 2022 ↗
36% increase from 2021 ↗
With an increased number of active ransomware groups perpetrating attacks and more victims facing higher demands, it’s safe to say we’re witnessing a ransomware resurgence.
Future Trends in Ransomware
The future is hard to predict but here are three significant developments to keep an eye on:
YoY numbers will likely remain high. In 2021, the monthly number of ransomware leak site victims exceeded 300 on only three occasions. So far in 2023, monthly leak site victim counts have exceeded 300 for four months in a row. Even allowing for monthly variation, we expect 2023 counts to remain elevated over prior years, with consistent YoY growth.
MoM numbers may decrease during the summer. While March and now June are at or near record-breaking numbers, a seasonal decrease in the summer months is likely. Even if MoM metrics decline, YoY numbers will likely remain above last year’s and higher than in 2021.
More increase possible in late Q3 through Q4. If there is some summer consolidation, expect an increase again in late Q3 heading into Q4. This is the pattern observed over the past two years heading into the holiday season, before threat actors take their foot off the gas pedal in early Q1. In addition, mass-exploit attacks are likely to increase in frequency and severity for the remainder of 2023.
We aren’t sounding the alarm to incite panic. Yes, ransomware infections are increasingly pervasive, but there are steps organizations can (and should!) take to mitigate risk and protect against cyber extortion. By staying informed on current trends, organizations can spend their time and security budget where it counts most. For example, vulnerability management (in particular, prompt patching of internet-facing software such as the file transfer products targeted this year), incident response planning, and risk mitigation are more important than ever as we face a wave of mass exploitation of vulnerabilities that exposes sensitive data.
While the future may seem daunting, the Corvus Threat Intelligence team is working to provide businesses with the information they need to make informed decisions on their security journey.
Corvus analysis was made possible with supporting data from Digital Asset Redemption and eCrime.ch. This report is intended for general guidance and informational purposes only. This report is under no circumstances intended to be used or considered as specific insurance or information security advice. This report is not to be considered an objective or independent explanation of the matters contained herein.