An increase in the number of active ransomware groups and threat actors exploiting more vulnerabilities contributed to a “record breaking year” for the widespread threat in 2023, according to new research from Corvus Insurance.
Corvus published its “Q4 Ransomware Report” on Tuesday that revealed a 69% increase in activity compared to the fourth quarter of 2022. While successful law enforcement action taken in the fourth quarter likely led to fewer ransomware victims, Corvus found threat actors adapted their tactics quickly.
“To describe cybercriminals in 2023, we’d use one word: resilient,” Corvus wrote in the report.
To compile the report, Corvus collected and analyzed data from ransomware leak sites, which it monitors for insured organizations and partners. Ransomware groups operate data leak sites on the dark web as an extortion method to pressure victim organizations to pay. Corvus noted its report does not include victims that paid the ransom, as those organizations typically get removed from the leak sites.
Paying ransomware threat actors is an ongoing area of contention. While vendors like Emsisoft say it fuels the ransomware threat and payments should be banned, others claim prolonged disruptions leave businesses with no alternative. Based on claims data, the insurance company estimated that between 27% and 41% of ransomware victims paid their attackers.
By combining claims data with leak sites’ information, Corvus found the number of victim organizations reached record highs last year. The total number of leak site victims skyrocketed from 2,670 in 2022 to 4,496 in 2023. With the claims data estimate on victims that paid ransoms, Corvus said the number surges to between 6,100 and 7,600 total organizations.
One main contributor to the rise in attacks was a shift in tactics; threat actors increasingly used a security weakness found in many organizations — vulnerability management. Organizations struggled to keep pace with the influx of critical vulnerabilities while threat actors exhibited rapid exploitation times.
“Through rapid reconnaissance and scalable deployments, threat actors were able to exploit victims much more quickly after a CVE was discovered—in some cases, even before the discovery was publicized. Threat actors put thousands of security teams’ patch management and vulnerability programs to the test, and in many cases they won,” the report said.
Clop on top
In many cases, ransomware groups disrupted hundreds to thousands of victims by exploiting just one vulnerability. One of the most well-known examples occurred in May when the Clop ransomware gang exploited a zero-day vulnerability in Progress Software’s MoveIt Transfer managed file transfer (MFT) product. Clop’s widespread campaign of data theft and extortion attacks impacted more than 2,000 organizations, according to estimates.
The report detailed five large-scale attacks in total, including the MoveIt Transfer attacks and an earlier campaign that exploited a zero-day vulnerability in Fortra’s GoAnywhere MFT software. Clop also took responsibility for subsequent ransomware attacks against GoAnywhere customers; Corvus counted an estimated 130 victims. According to the report, the highest number of victims stemmed from attacks that exploited known vulnerabilities in exposed ESXi servers. The campaign, which began in February, was dubbed ESXiArgs and hit thousands of victims, according to Corvus.
However, Clop wasn’t the only active ransomware gang in 2023. Corvus confirmed the LockBit and Medusa ransomware groups claimed responsibility for many “high-profile” attacks in the fourth quarter. Unfortunately for victim organizations, the threat landscape was full of many active groups throughout the year. Corvus revealed a 34% increase in the number of active ransomware groups between the first quarter and fourth quarter of 2023. The year started with 35 groups and ended with 47, which Corvus said played a significant role in the record high year.
“This increase is attributed to the fracturing of well-known ransomware groups that have had their proprietary encryptors leaked on the dark web. As a result, many new actors have gained access to these encryptors and started their own ransomware operators,” the report read.
One prime example was Babuk’s encryptor, which Corvus said has been used by at least 10 ransomware groups since the leak. However, Cisco Talos obtained a decryptor for Babuk Tortilla ransomware victims following an arrest of a threat actor in January 2024. The vendor shared the decryptor with Avast, which updated its earlier Babuk decryptor to assist victims with recovering from a wider set of Babuk strains.
Successful law enforcement actions were also highlighted in the Corvus report. In August 2023, an international law enforcement operation dismantled Qakbot, a malware used to deploy dangerous ransomware. However, Corvus confirmed ransomware groups adapted quickly. Operators switched from using Qbot code to Pikabot and DarkGate.
Corvus wasn’t the only company to observe a significant increase in the ransomware threat last year.
In October, NCC Group found a 153% increase in the number of attacks between September 2022 and 2023. TechTarget Editorial also tracked ransomware activity in 2023 and found an alarming increase in attacks against the private sector and healthcare in December. Corvus’s report on Tuesday warned that attacks against law practices are also on the rise.
Corvus urged organizations to apply the same resilience threat actors exhibited throughout 2023, as risks will only increase.
“2024 will no doubt have more surprises, new threat actors, re-brands and lots of new vulnerabilities. The honing of the ransomware craft dominated 2023, and every indication points to that continued story in 2024,” the report said. “The onus is on businesses to bolster security in their own networks.”
Arielle Waldman is a Boston-based reporter covering enterprise security news.