Massive Spike in Ransomware Activity in June
A recent analysis of ransomware activity by NCC Group’s Global Threat Intelligence team shows a major spike in cyberattacks by ransomware groups in June, with 434 attacks recorded in the month, 221% of the level of June 2022.
NCC Group tracks ransomware attacks and data theft/extortion attempts by ransomware groups and reports that the massive increase was mostly driven by the Clop ransomware group’s mass exploitation of a zero-day vulnerability – CVE-2023-34362 – in Progress Software’s MOVEit Transfer file transfer solution. The ransomware remediation firm Coveware estimates the Clop group generated between $75 million and $100 million in profit from those attacks, which directly impacted more than 1,000 companies and indirectly affected a great deal more.
According to NCC Group, the Clop group was responsible for 21% of all recorded attacks in June, with attacks continuing to be conducted in high numbers by LockBit 3.0 affiliates, which accounted for 14% of attacks, although this was a reduction from the 21% of attacks the previous month. Several new ransomware groups have emerged that started to conduct attacks at relatively low levels in May, but one of those groups – 8base – has rapidly increased activity and conducted at least 40 attacks in June – 9% of the month’s total. Two other new groups – Rhysida and Darkrace – conducted 26 attacks in June (6%). The most targeted sectors in June were industrials (33%), consumer cyclicals (12%), and technology (9%), with North America the most targeted region with 51% of the attacks.
While attacks have increased significantly, the percentage of victims that are choosing to pay the ransom has fallen considerably. Coveware reports that ransom payments have fallen to a record low, with just 34% of victims paying ransoms in Q2, 2023, down from more than 75% in Q1, 2019. With ransom payments continuing to decline, cybercriminal groups have been forced to increase their ransom demands. In Q2, 2023, the average ransom payment increased by 126% from Q1, 2023, to $740,000 and the median payment increased by 20% to $190,424. Coveware says the attacks by the Clop group have driven the increase. While relatively few companies chose to pay the ransom to recover the data stolen in the MOVEit attacks, those that did pay made very high ransom payments.
Coveware attributes the record low to the compounding effects of companies continuing to invest in security, continuity assets, and incident response training, but warns that the fall in revenue is forcing ransomware gangs to evolve their attack and extortion tactics, such as the switch from encryption to pure extortion by the Clop group. This attack method is quicker and quieter, without the disruption caused by encryption, and the percentage of victims paying the ransom is much lower; however, these attacks may prove to be more profitable for ransomware gangs. Encryption attacks require more time and resources, with teams of individuals involved in the different stages of the attacks, and those individuals need to be paid, which decreases the profit.
Coveware’s report separates extortion and encryption attacks. Its data indicates BlackCat and Black Basta are the dominant encryption groups, each accounting for 15.5% of attacks in Q2. Royal accounted for 10.1% of attacks, followed by LockBit 3.0 (6.2%), Akira (5.4%), and Silent Ransom and Cactus each with a 3.1% share. Coveware reports that sophisticated affiliates of ransomware groups that have previously been using ransomware variants such as Dharma and Phobos are increasingly conducting attacks using 8base, hence the increase in attacks. In Q2, 2023, phishing was the most common initial access vector followed by RDP compromise and software vulnerabilities. Professional Services was the most targeted sector (15.5%) followed by healthcare (14%), materials (11.6%), and the public sector (10.1%).


