Ransomware is up 60% from this time last year, and 141% from two years ago.
After a notable decrease in 2022, ransomware is on the rise in 2023. Data drawn from our threat intelligence sources (not based on claims activity within Corvus’s own book of business) revealed that the overall number of ransomware victims listed on dark web leak sites increased 60% between January and February. It increased another 69% from February to March 2023.
Overall, March 2023 appears to be the month with the largest number of ransomware victims being posted to leak sites over the past two years.
The CL0P ransomware gang is partially responsible for the increased numbers in March. CL0P claims to have compromised over 130 organizations by exploiting vulnerable GoAnywhere file transfer software and began publishing victims en masse on its leak site. CL0P’s victims comprise roughly 22% of March’s total claimed ransomware victims.
CL0P listed nearly as many victims in a single month as it did in all of 2021 and 2022 combined, indicating that the flurry of activity in March is not necessarily representative of their typical behavior.
Even without CL0P’s contribution, the number of claimed ransomware victims in March stands at 349. This is still a 31% increase over February 2023, a 23% increase YoY, and would remain one of the highest months on record. With or without CL0P’s campaign, ransomware victim metrics this year are far above the typical threshold for February and March.
Half of these organizations are based in the United States; the others are located in the U.K., France, Lebanon, and Cameroon.
It should be noted that some of this increase was due to CL0P’s GoAnywhere campaign (35% of the total). However, even after removing CL0P’s victims from the analysis, there would still have been a 450% increase from February. Many of the organizations impacted were healthcare tech companies.
This mostly includes local municipalities such as cities. These targets were attacked by no fewer than 10 different ransomware groups, including BianLian, Lockbit, Play, and Stormous.
The relative reprieve from ransomware in 2022 wasn’t going to last forever. We’re just a few months into 2023 and ransomware is making a resurgence. Threat actors carrying out these attacks have demonstrated their penchant for exploiting software vulnerabilities against a large number of targets. As some of the more “tried and true” attack vectors have waned in potency, attackers have switched to new vectors such as using malicious LNK or OneNote email attachments instead of Microsoft Office documents. We expect this trend to persist.
Corvus will continue to monitor the threat landscape to protect insureds and contribute to the collective defense of the community.
Corvus analysis was made possible with supporting data from eCrime.ch.