Power Rankings: Ransomware Malicious Quartile Q3-2023

Ransomware poses an existential threat to organizations of all sizes in any vertical, and attacks continue to be extremely lucrative with ransom demands and recovery costs bleeding victim organizations for millions of dollars.    

Ransomware-as-a-Service (RaaS) and other operators are implementing novel evasion techniques into their payloads specifically designed to evade or completely circumvent traditional endpoint protection solutions.  

The Halcyon team of ransomware experts has put together this extortion group power rankings guide as a quick reference for the extortion threat landscape based on data from throughout Q3- 2023, which can be reviewed with earlier reports here: Power Rankings: Ransomware Malicious Quartile.

The report finds that attackers are getting more efficient at exploiting vulnerabilities, and this trend is likely to continue as threat actors automate aspects of their attack sequences. We see evidence of this automation in the hundreds of organizations that have been hit by just one ransomware group exploiting one patchable vulnerability in early 2023.    

This mass exploitation wave is also evidence that ransomware gangs are increasingly leveraging automation to identify and target exposed organizations who have not patched against known vulnerabilities, which is why we are seeing so many new victims.    

The annual impact from ransomware attacks in the US alone is estimated to be more than $20 billion dollars. This figure does not include additional incident response costs, tangential costs, damage to the brand, lost revenue, lost production from downed systems, and other collateral damage.  

And the above figures did not even include the ransom payment, the long-term damage to an organizations’ brand (loss of consumer trust), increased cyber insurance premiums, legal fees, or lost revenue which can far exceed remediation costs – and we have not even gotten to the potential impact from data exfiltration.  

These days, ransomware operators don’t just brick your systems and ask for a ransom payment, they first steal sensitive data to use as leverage by threatening to leak it publicly. For many organizations this exposure of customer data has regulatory implications and can lead to lawsuits and fines.    

Additionally, sensitive data on corporate transactions, R&D, patents, etc. can end up in the attackers' hands and be sold to the highest bidder on dark web forums or end up in the hands of a competitor.  

While larger organizations may be able to absorb these costs, this potentially represents an existential threat to smaller companies and their employees’ jobs.  

If your organization is not prioritizing anti-ransomware defenses, you should really be asking why not...

Q3-2023 Trends

Some interesting trends emerged in the third quarter of 2023:

General

• Ransomware Unabated: Ransomware operators are set to have the second most profitable year according to the Department of Homeland Security’s 2024 Homeland Threat Assessment report
• Reporting Issues: The majority of executives surveyed (61%) indicate they did not report a major ransomware attack to authorities
• Insurance Claims Spike: Reports indicate a 12% spike in cyber insurance claims related to ransomware attacks over the first six months of 2023
• Botnet Takedown: The FBI and the Justice Department spearheaded a multinational operation that disrupted the massive Qakbot botnet operation that has driven millions in losses from ransomware attacks

Organizational Risk

• Existential Threat: The risk to organizations from ransomware attacks grows, as KNP Logistics - the UK’s largest logistics provider - declared itself insolvent following a major ransomware attack that affected key systems, processes and resulted in the loss of financial information
• Third-Party Risks: DHS suspects sensitive security information compromised in a ransomware attack on government contractor Johnson Controls
• Insurance Struggles: Cyber insurance carriers are struggling to provide effective coverage in an evolving ransomware threat landscape where operations are more commonly focused on data theft and extortion and don’t always include a ransomware payload
• Mandatory SEC Reporting: The SEC will soon be requiring publicly traded companies to disclose cyberattacks within four business days if they are deemed material to current and prospective shareholders
• Confidence Wanes: Fully 93% of survey respondents believe the threat of ransomware attacks increased in 2023, and 67% lacked confidence their organization could recover data and critical business processes in the event of an attack

TTPs

• Rust Ransomware: More ransomware variants written in Rust continue to emerge which allow for advanced evasion capabilities by disabling security tools and evading sandbox analysis
• More Zero-Days: Ransomware gangs are more often leveraging zero-day exploits typically seen in nation-state operations in attacks
• Linux Threat: More ransomware gangs are developing Linux versions, but not much attention has been paid to what this trend means for the ransomware threat landscape
• Cloud Risk: BlackCat/ALPHV has been observed harvesting One-Time Passwords (OTP) to bypass security tools to drop the recently released Sphynx variant to encrypt Azure cloud storage deployments
• Cl0p Rampage: The Clop ransomware gang’s unprecedented campaign exploiting a known vulnerability in the MOVEit file sharing program drove attacks levels to a new high in July

Takeaway

Ransomware is big business, and the financial impact of ransomware attacks is one we all bear as it becomes a significant drag on our economy. The only way we can counter its growth is to disincentivize the attackers.

Ransomware attacks can do more damage to an organization than simply impacting the bottom line, they have the potential to damage brand, increase insurance costs, force budget cuts and layoffs, negatively impact stakeholders and even put victim organizations and their CXOs and BoDs in legal jeopardy.

The ransomware threat is very real, the problem is seemingly growing exponentially, and executive leadership at organizations are struggling with how best to deal with both preparing to defend against attacks as well as what to do to protect the organization after a successful attack.

The only way we can counter its growth as a major industry vertical is to disincentivize the attackers. The only way to disincentivize them is to make ransomware attacks unprofitable, and unfortunately, we are still a long, long way from accomplishing that.

‍

‍Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.