The number of victims that ransomware groups posted on their data leak sites increased by 50% last year, according to an analysis by researchers from Palo Alto Networks. Twenty-five new groups also appeared last year, but some of them were short-lived, disbanding or rebranding within months.
Noteworthy trends include the use of exploits for zero-day vulnerabilities in lesser-known software such as managed file transfer (MFT) applications, but also for vulnerabilities in popular enterprise products like Citrix or VMware. “2023 presented a thriving and evolving ransomware landscape as reflected in posts from ransomware leak sites,” the Palo Alto researchers said in their report. “Posts from these sites indicate a notable increase in activity, and this data also reflects new ransomware groups that have appeared and existing groups that have declined. Although the landscape remains fluid, law enforcement’s growing effectiveness in combating ransomware signals a welcome change.”
Ransomware hit nearly 80 organizations per week
Not every ransomware group uses a data leak site to name and threaten its victims publicly, but many have adopted this tactic in recent years, including the biggest groups. Ransomware is no longer just about making data inaccessible to the user through encryption, but also about exfiltrating it and threatening to release it or sell it.
As such, monitoring leak site activity can provide better insights than the industry used to have from public reports by victims themselves or from customer engagements alone. That said, the leak sites probably don’t provide the whole picture of ransomware activity, as some groups might choose not to publish all their victims, especially if they reach a payment agreement quickly.
In 2023, researchers documented 3,998 posts on ransomware leak sites compared to 2,679 in 2022 — a 49% increase. This means that on average ransomware groups made 333 posts per month and almost 77 per week last year. A spike in activity occurred in July with almost 500 posts and is somewhat correlated with the CL0P ransomware group exploiting a zero-day vulnerability in the MOVEit MFT application. This might have led to a larger influx of victims than usual.
The CL0P gang, or TA505 as it’s also known in the security industry, has been involved in ransomware distribution and extortion since 2019. According to a US Cybersecurity and Infrastructure Security Agency (CISA) advisory, the group has compromised over 3,000 organizations in the US and over 8,000 globally. Before the MOVEit exploit, the group also used zero-day exploits against Accellion File Transfer Appliance (FTA) devices in 2020 and 2021 and against Fortra/Linoma GoAnywhere MFT servers in early 2023.
That said, CL0P’s activity only accounted for around 9% of the data leak posts in 2023, positioning it in third place after BlackCat (ALPHV) with almost 10% and LockBit with 23%. LockBit, a ransomware-as-a-service (RaaS) operation that gathered many affiliates after groups like Conti, Hive and Ragnar Locker shut down, has been the most prolific ransomware group two years in a row.
Ransomware group newcomers and goners
New groups also played a big role in the ransomware activity spike, setting up 25 new leak sites that accounted for 25% of the total number of victim posts. Some of these groups have been active since 2022 but did not have leak sites until 2023. Five had no activity in the second half of the year, so it’s not clear whether they are still active or have already disbanded. Others remain active, however, and the top ones are Akira and 8Base, each with almost 200 posts.
Akira is a group that was first observed in March 2023 and has suspected links to the former leadership of the Conti group based on observed cryptocurrency transactions. 8Base has been active since 2022 but did not disclose any victims until May 2023.
Last year was also busy for law enforcement in the ransomware space, with several actions that led to prominent groups shutting down or suffering significant disruptions. It started with a US Federal Bureau of Investigation (FBI) operation that dismantled the Hive command-and-control network in January 2023. In October, a Europol-coordinated international action saw the seizure of the Ragnar Locker infrastructure, and in December the FBI disrupted the operations of BlackCat (ALPHV) and released a decryption key. The BlackCat group has not disbanded, but it’s not clear whether it can restore its reputation in the cybercriminal underground.
The Palo Alto Networks researchers also mention the potential rebranding of two other notable groups. Royal, which stood out in 2022 with attacks against critical infrastructure targets, is believed by researchers to have since rebranded as BlackSuit, based on code similarities. Vice Society, a group that attracted attention by targeting healthcare and education organizations, has been linked by multiple researchers to the new Rhysida ransomware.
Manufacturing was the industry most targeted by ransomware
The ransomware victim distribution shows that manufacturing was the most impacted sector, accounting for 14% of the data leak posts. This was followed by professional and legal services, high-tech, wholesale and retail, construction, healthcare, financial services and education.
By geographic distribution, almost half of the victims were based in the US, 6.5% in the UK, 4.6% in Canada, 4% in Germany, and 3.4% in France. “The US presents a very attractive target, especially when examining the Forbes Global 2000, which ranks the largest companies in the world according to sales, profits, assets and market value,” the researchers said. “In 2023, the US accounted for 610 of these organizations, consisting of almost 31% of the Forbes Global 2000, indicating a high concentration of wealthy targets.”