Power Rankings: Halcyon Ransomware Malicious Quartile Q4-2023

Written by
Anthony M. Freed
Published on
February 27, 2024

Ransomware remains one of the most significant threats to organizations of all sizes in all industry verticals.

Analysis indicates the volume of attacks surged in 2023 by 55.5% year-over-year with 4,368 documented cases. Successful attacks in the U.S. increased by 60% for the healthcare sector, 82% for K-12 schools, and 48% for higher education.

Surprisingly, these figures do not include the massive number of victims compromised through exploitation of a vulnerability in the MOVEit managed file transfer software (CVE-2023-34362), which the Cl0p ransomware gang leveraged to attack more than 1,000 victims in rapid succession.

The Halcyon team of ransomware experts put together this RaaS and extortion group guide as a quick reference based on data from throughout 2023. Download the full report here: Power Rankings: Ransomware Malicious Quartile.

Executive Liability: A New Twist

Ransomware attacks can do more damage to an organization than simply hurting the bottom line. They have the potential to damage the brand, increase insurance costs, force budget cuts and layoffs, negatively impact stakeholders, and even put victim organizations and their CXOs and BoDs in legal jeopardy.

Recent actions taken against the former CISO for Uber and the more recent case brought against the SolarWinds CISO represent a significant sea change regarding where liability lands for security-related decisions.

Today, the C-level and BoDs are increasingly in the crosshairs. We will likely see victims being prosecuted and potentially serving jailtime after a successful ransom attack – especially if sensitive or regulated data was compromised or exfiltrated.

A punitive regulatory stance will only create top-down pressure on CISOs and security teams to be less forthcoming with the C-level and BoD when faced with a security event. Security teams will feel pressure to not report events unless they absolutely must, and this will negatively impact security operations.

Q4-2023 Trends

Some interesting trends emerged in the fourth quarter of 2023:

Record Setting Year:

  • The vast majority (75%) of organizations reported being targeted by at least one ransomware attack in 2023, with 26% reporting they were targeted with ransomware four or more times: InfoSecurity Magazine
  • The first half of 2023 saw more victims impacted by ransomware attacks than in the entirety of 2022: Security Magazine
  • The volume of ransomware attacks surged in 2023 by 55.5% year-over-year from 2022 levels, with 4,368 documented cases: The Hacker News
  • Ransomware attacks in the U.S. increased by 60% for the healthcare sector, 82% for K-12 schools, and 48% for higher education institutions: Data Breach Today

Liability for C-Level and Boards:

  • SEC implements rules requiring public companies to disclose “material cyberattacks” within four business days: Bleeping Computer
  • SEC announced enforcement actions against SolarWinds and the company’s CISO alleging fraud and internal control failures for known security risks: SEC
  • Ransomware attack that exposed the PHI of 2.5 million McLaren Health Care patients could result in multiple federal class action lawsuits for failure to protect patient records: BankInfoSecurity

The Stakes Are High:

  • A ransomware attack on the Industrial and Commercial Bank of China (ICBC) reportedly disrupted the US Treasury market: Financial Times
  • CISA warned an Iran-linked threat actor is "actively targeting and compromising" multiple U.S. water treatment facilities: NPR
  • The UK’s Joint Committee on the National Security Strategy (JCNSS) warned that there is a “high risk” the nation will experience a “catastrophic ransomware attack at any moment”: The Record
  • Ransomware attacks are causing psychological trauma for incident responders and business owners: The Record
  • MGM’s SEC 8-K filing revealed the company lost $100 million following a highly publicized ransomware attack in early September: DarkReading
  • Ransomware and data extortion claims have been increasing every year, surging 40% in 2019 and almost 80% in 2022, with 2023 also trending higher: Insurance Journal

Attackers Improving:

  • Ransomware operators have reduced the time to infection after initial compromise from an average 4.5 days to a matter of a few hours: The Record
  • We are seeing a steady increase in the number of zero-day vulnerabilities being exploited by ransomware operators employing automated scans looking for vulnerable applications: CyberWarZone

Vulnerability Exploits Rule:

  • LockBit is exploiting the Citrix Bleed vulnerability (CVE-2023-4966) that impacts Citrix NetScaler application delivery controller (ADC) and NetScaler Gateway appliances: CISA
  • HelloKitty observed exploiting critical vulnerability in Apache ActiveMQ service (CVE-2023-46604) that could allow remote code execution and arbitrary shell commands: The Hacker News
  • SysAid advised customers to update following Cl0p’s exploitation of a zero-day (CVE-2023-47246) in the SysAid IT support software: SysAid
  • Ransomware operators were observed targeting misconfigured MSSQL servers in a massive campaign designed to deliver Mimic ransomware: Bleeping Computer

Healthcare in the Crosshairs:

  • 68% of respondents said ransomware attacks resulted in a disruption to patient care, 43% said data exfiltration during the attack also negatively impacted patient care, 46% noted increased mortality rates, and 38% noted more complications in medical procedures following a ransomware attack: HelpNet Security
  • Attack on Prospect Medical Holdings forced the suspension of emergency services, cancelled medical procedures, took down billing systems and caused ambulances to be diverted: WSHU
  • Attack shut down dozens of Akumin medical centers causing appointments to be cancelled and making it impossible for doctors to view images for diagnosis and treatment: WUSF
  • Two hospital emergency rooms in New Jersey were forced to divert ambulances following a disruptive ransomware attack: ABC7NY
  • 800,000 patients had their data exposed and the attackers are extorting individual patients for a $50 ransom to avoid having personal health information (PHI) exposed online: The Record
  • Ransomware operators are threatening patients whose data has been exposed with swatting, a harassment tactic that involves calling in false threats to law enforcement: The Register
  • Ransomware attacks against U.S. healthcare providers cost nearly $80 billion over the past seven years, with 539 reported attacks impacting 10,000 hospitals and clinics with over 52 million records compromised: InfoSecurity Magazine
  • Akumin Imaging filed for Chapter 11 bankruptcy protection amidst a "ransomware incident" that left patients unable to schedule appointments: First Coast News

Push to Ban Ransom Payments:

  • Biden administration leads a multinational coalition of 50 nations that proposes banning ransom payments: The Record
  • Calls for ban on ransom payments increase as threat actors carry out more complex, targeted attacks against specific industries and organizations: The Register

Takeaway: Until recently, while ransomware attacks were very disruptive to organizations, at the end of the day everyone went home.

That may no longer be the case. When you look at the legal actions taken against the former CISO for Uber and the more recent cases brought against SolarWinds executives including the CISO, we are witnessing a significant sea change regarding where liability lands for security-related decisions.

Executives and Boards of Directors are increasingly at risk of being prosecuted and potentially serving jailtime following a successful ransomware attack – especially if sensitive or regulated data was compromised or exfiltrated in the attack.

Why? The government is failing to protect organizations from ransomware attacks, which makes them look ineffective, and the government does not like to look inept, so they know they must do something.

So, what do they do? They re-victimize the victims of these attacks so they can pat themselves on the back and say they are addressing the problem. They are making the problem worse for the victims.

Take the recently enacted reporting rule implemented by the Securities and Exchange Commission (SEC) last December. The new rules require publicly traded companies to disclose a “material” security event within four days or face regulatory actions.

Forensic investigations are difficult, and they take time – a lot of time. The disclosure rule set by the SEC has the potential to create a situation where an attack is disclosed but the details are murky because it could be weeks or months before the organization can adequately assess the information the SEC is requiring be reported.

A punitive regulatory stance by the government will likely create top-down pressure on CISOs and security teams to be less forthcoming with the C-level and BoD when faced with a security event.

It is not hard to see that security teams will feel pressure to not report events to leadership unless they absolutely must, and this has the potential to negatively impact security operations.

All these factors add up to one thing: organizations who were already struggling to defend themselves against the threat from ransomware and data extortion attacks now also must contend with being re-victimized by an overzealous legal and regulatory landscape.

And while the C-Level and BoD are increasingly at risk of legal and regulatory actions, it is most definitely the CISO or equivalent who is at most risk of getting thrown under the bus following a successful attack.

In this environment, it is likely that we will see CISOs and/or security team leaders face jail time following an attack, and this risk could also extend to executives and Boards.

Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to fill endpoint protection gaps and defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more, and check out the Recent Ransomware Attacks resource site.
