Ryan Bell, Threat Intel Manager, Corvus Insurance

There is still more than one month left in the books for 2023, and it’s safe to say that once we flip the calendar to January, we will have also closed the books on the biggest explosion of ransomware attacks on record for a single year. 

This declaration is based on our Quarterly Ransomware Reports, which are tracking data collected from ransomware leak sites dating back to 2021. For anyone not familiar with these sites, they are on the dark web and are maintained by ransomware groups that list uncooperative victims and post stolen data.  

Our team regularly crawls these dark web leak sites, monitoring for insureds and partners. We also take the aggregated data from these efforts and combine it with insights from partners and others in the industry to gain a comprehensive picture of the ransomware landscape. This is how we’ve been able to track this spike in activity, which started at the beginning of the year. 

Here’s a quick recap of the activity we have seen this year to date.

The Year in Ransomware

In our initial ransomware reports from earlier this year, we saw the numbers skyrocket. Specific details include:

  • February was up 60 percent over January.
  • March was up 70 percent over February.

From that point forward, this trend continued. In our Q2 report, ransomware attacks grew by nearly 30 percent over Q1, and they grew again in Q3, with incidents increasing quarter-over-quarter by 11.2 percent. Compared with Q3 2022, the increase is even more startling: ransomware attacks are up more than 95 percent year over year. 

Now, with just a month and a half left in the year, 2023 ransomware victim numbers have already surpassed what was observed for the entirety of either 2021 or 2022. If we look at how Q3 ended and how the year’s final quarter began, it’s very likely that we will eclipse 4,000 ransomware victims posted on leak sites for the first time ever. 

What’s scary is that these figures could be much higher. A significant percentage of victims, best estimates being between 27 and 41 percent, quickly pay threat actors’ demands and thus are never observed on a leak site. Adding those in, the total number of ransomware victims could be as high as 5,500 to 7,000 businesses in 2023.

Behind the Numbers 

Our team has identified two key factors impacting this year’s activity. The first is CL0P. CL0P first appeared in 2020, but before this year it accounted for only a small share of total ransomware victims. Then, in Q1, CL0P sprang to life by exploiting GoAnywhere file transfer software, which impacted more than 130 victims. CL0P struck again in Q2 with the mass exploitation of a zero-day vulnerability in MOVEit file transfer software. This time there were a total of 264 victims, a number which continues to grow to this day.  

Even without CL0P, which accounted for 9 percent and 13 percent of Q2 and Q3 activity respectively, it’s worth pointing out that ransomware activity would still be up 5 percent quarter over quarter and 70 percent year over year in Q3. 

Another driver behind these figures was summer vacation. Yes, you heard me correctly. Like you and me, cybercriminals like to take summer breaks to unplug and spend some of what they’ve extorted from their victims. But this past summer, the pattern deviated from its usual course. Normally, the decline begins in May and activity remains low until early August, when it picks back up and stays high for the rest of the year. This year was different: the dip came a month later, in June, and activity then spiked through the end of July and the first half of August. 

Ransomware’s Top Industry Targets

One last area worth delving into is the industries that experienced the most significant spike in ransomware attacks. The two big winners, or in this case, losers, were law practices and the government, followed by manufacturing, medical practices, and oil and gas. 

With law practices, the numbers were driven by the ALPHV ransomware group, which accounted for 23.5 percent of all victims in this sector. Law firms were the top exploited industry by this pernicious ransomware group in the U.S., Canada, and the U.K.  

As for the government, ransomware attacks were up 95 percent due largely to LockBit, which tripled its government victims from Q2 to Q3, and the Stormous ransomware group, which targeted the Cuban government. 

Over the upcoming days and weeks, we will be rolling out additional ransomware research and analysis. As I mentioned, I expect we will see a continued rise in ransomware activity that will ensure 2023 secures the dubious honor of having had the most ransomware victims posted on leak sites we’ve ever seen. Keep your eyes open for updates.

The post An Inside Look at Ransomware’s Record-Breaking Pace in 2023 appeared first on Cybersecurity Insiders.

Rhysida Ransomware, operating since December 2022, has garnered attention from the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). Both agencies have issued warnings about this ransomware, noting its unique capability to delete itself upon detection.

Kaspersky’s research reveals that Rhysida is equipped with an info stealer malware named Lumar. This malicious software is proficient in extracting sensitive information such as Telegram sessions, passwords, cookies, auto-fill data, desktop files, and even cryptocurrency from wallets. Notably, the malware, crafted in C++, demonstrates the ability to bypass detection, even on the latest Windows 11 operating systems. Additionally, Rhysida can encrypt Active Directories, demanding a ransom for decryption.

Fortra’s research delves deeper, identifying the malware-as-a-service team actively targeting healthcare companies and the prominent Chilean firm Grupo GTD. Beginning in September 2023, the hacking group expanded its operations to compromise data centers in education, manufacturing, IT, and government sectors, employing double extortion tactics.

Sophos draws parallels between Rhysida and Vice Society, noting similarities in their tactics. Vice Society is currently distributing the Nitrogen malware through Google Ads.

What sets Rhysida apart is its organizational structure. The ransomware group operates like an IT company, maintaining a structured employee base and following corporate-like hiring practices. They adhere to strict guidelines in concealing their operations from the public web, exclusively utilizing the Tor network for their activities.

The post FBI and CISA issues alert against Rhysida Ransomware Gang appeared first on Cybersecurity Insiders.

In a groundbreaking development in the realm of ransomware, ALPHV, also known as BlackCAT, has taken an unprecedented step by filing a complaint with the Securities and Exchange Commission (SEC) against a victim that failed to adhere to the stipulated rule mandating disclosure of a cyber attack within a 4-day timeframe.

The targeted victim in this case is MeridianLink, a trading company specializing in providing tech solutions to financial institutions and banks. BlackCAT’s recent action indicates an alarming escalation in the tactics employed by cybercriminals, as they venture into publicly shaming their victims. Previously, ransomware groups typically resorted to tactics such as encrypting a victim’s database until a ransom was paid. Subsequently, they elevated their extortion methods by stealing sensitive data and threatening to release or sell it, applying pressure on the victim. A further tactic involved threatening to damage the victim’s reputation among competitors, partners, or customers. Now, these criminal entities seem to have reached a new low by formally filing a complaint with the SEC against their victim.

The SEC, however, systematically reviews such complaints, scrutinizing the technical aspects while assessing the credibility of the entity filing the complaint. In this case, the SEC will collaborate with law enforcement agencies to address the situation appropriately.

ALPHV underscored its audacious move by publishing a screenshot of the complaint form submitted on the SEC website in a public Telegram channel.

In response, MeridianLink has acknowledged the authenticity of the data breach news and has expressed its intention to seek assistance from law enforcement in addressing the matter. Nevertheless, the company has yet to disclose specific details about the breach, including the timing of the cyber attack, when it was identified, and the extent of data loss.

The post ALPHV Ransomware gang files SEC Complaint against a victim appeared first on Cybersecurity Insiders.

LockBit, a notorious ransomware gang, has consistently targeted major corporations, with victims ranging from Boeing and DP World to the Industrial and Commercial Bank of China and Allen and Overy.

Recent revelations suggest that the hackers achieved their success by exploiting the Citrix Bleed vulnerability on the victims’ NetScaler servers, a flaw that had been patched a month prior. However, many companies overlooked the update, deeming the threat inconsequential at the time. This oversight provided LockBit with an opportunity to amass millions in ransom.

A noteworthy pattern in these cyberattacks is the involvement of young and talented hackers, often in their late teens or early twenties, typically between 21 and 23 years old. The question arises: how do these criminal organizations attract and recruit new talent?

The answer lies in the accessibility of young individuals who have recently graduated from college or completed professional degrees. These budding hackers can be enlisted at a relatively low cost through various online marketplaces. Once hired for a project or two, the criminal groups often sever ties with them to avoid detection by law enforcement.

Law enforcement agencies, such as the FBI, strongly discourage victims from paying ransoms. Not only does this practice perpetuate criminal activities, but it also offers no guarantee of receiving a decryption key. Moreover, there is no assurance that the stolen data will be deleted, as it may still reside on the servers controlled by the criminals.

To mitigate the risks associated with malware attacks, experts recommend implementing proactive measures. These include maintaining regular data backups, deploying threat monitoring solutions, and establishing an incident response team on premises. Taking these steps can significantly enhance an organization’s ability to protect itself against the growing threat of ransomware attacks.

The post LockBit hiring young hackers to launch ransomware attacks appeared first on Cybersecurity Insiders.

Huber Heights, a picturesque city in Ohio, found itself in a state of emergency due to a sophisticated ransomware attack that targeted several of its departments. City Manager Rick Dzik assured residents that efforts were underway to resolve the issue by the weekend. In response to the situation, arrangements were being made to ensure residents could still reach emergency services such as 911 and fire departments if the need arose.

The discovery of the ransomware attack occurred at 8:15 am on a Sunday, according to a statement from Huber Heights spokeswoman Sarah Williams. She emphasized that the city’s IT staff were working tirelessly to restore systems from backups, while an investigative team was actively determining the identity of the attackers.

Reports from cybersecurity sources indicated that the attack might have affected critical departments, including tax, zoning, engineering, finance, human resources, and economic development. Consequently, tax and billing systems were expected to be unavailable for a week, and late fees would be waived until the systems were fully restored.

To keep residents informed, Huber Heights utilized its Facebook page, providing regular updates on the evolving situation, with new information released daily at 2 pm.

As the holiday season approached, the increased threat of cybercriminals targeting vulnerable networks became a significant concern. The festive period often sees a spike in cyberattacks, exploiting the fact that many staff members are on holiday and preoccupied with seasonal preparations. To mitigate such risks, organizations were urged to adopt automated software solutions to protect their networks from potential cyber threats, safeguarding their annual profits and maintaining a competitive edge in their respective industries.

While the specific ransomware responsible for the attack on Huber Heights servers had not been officially disclosed, suspicions were raised regarding the involvement of the LockBit and BlackCat Ransomware gangs. Both of these groups, known to be operated by Russian entities, were particularly active during the holiday season.

The post Ransomware attack on Huber Heights drives it into Emergency appeared first on Cybersecurity Insiders.

In an era where cyber threats continue to evolve in sophistication, organizations are increasingly turning to advanced security measures to protect their digital assets. One such strategy gaining prominence is micro-segmentation of networks, a powerful approach that proves invaluable in fortifying defenses against the pervasive threat of ransomware. This article explores the significance of micro-segmentation and how it contributes to a robust defense posture against ransomware attacks.

Understanding Micro-Segmentation:

Micro-segmentation involves dividing a network into smaller, isolated segments, each with its own set of security protocols and controls. Unlike traditional network security measures that rely on perimeter defenses, micro-segmentation operates within the network, creating barriers that restrict lateral movement for cyber threats.

Key Components and Benefits:

1. Isolation of Critical Assets: Micro-segmentation allows organizations to identify and isolate critical assets, such as sensitive databases and key servers. By segmenting these assets from the broader network, the impact of a potential ransomware attack is limited, preventing the lateral spread of malicious activity.

2. Reduced Attack Surface: By dividing the network into granular segments, the attack surface available to potential threats is significantly reduced. This makes it more challenging for ransomware to propagate throughout the network, as it must overcome multiple barriers rather than exploiting a single point of entry.

3. Enhanced Access Control: Micro-segmentation enables organizations to implement stringent access controls. Only authorized users and devices are granted access to specific segments, minimizing the risk of unauthorized access or lateral movement by ransomware.

4. Improved Incident Response: In the unfortunate event of a ransomware incident, micro-segmentation facilitates a more focused and efficient incident response. Security teams can quickly identify the affected segments, isolate the compromised systems, and prevent further damage before it spreads.

5. Adaptability to Network Changes: Micro-segmentation is adaptable to dynamic network environments. As organizations scale or reconfigure their networks, micro-segmentation can be adjusted to accommodate changes, ensuring continued protection against evolving ransomware tactics.
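To make the isolation, default-deny and incident-response points above concrete, here is an added example (not code from the original article) that models a small set of network segments with an explicit allow-list between them, evaluates flow records against that policy, and summarizes which hosts keep hitting denied cross-segment paths. The segment names, CIDRs, ports and flow records are all constructed for illustration.

```python
"""Segment-aware flow policy check illustrating micro-segmentation.
Added example; segments, CIDRs, ports and flows are constructed."""
import ipaddress
from collections import Counter

# Constructed segments: name -> CIDR. Critical assets (databases, backups)
# each get their own segment so they can be isolated from workstations.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "app-servers":  ipaddress.ip_network("10.20.0.0/24"),
    "db-servers":   ipaddress.ip_network("10.30.0.0/24"),
    "backup":       ipaddress.ip_network("10.40.0.0/24"),
}

# Allow-list of (src segment, dst segment, dst port). Any flow between two
# different segments that is not listed here is denied (default deny).
ALLOWED = {
    ("workstations", "app-servers", 443),
    ("app-servers", "db-servers", 5432),
    ("backup", "db-servers", 5432),
    ("backup", "app-servers", 22),
}

def segment_of(ip):
    """Name of the segment containing ip, or None if it is unsegmented."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def evaluate(flow):
    """Return 'allow', 'deny' or 'intra' (same-segment, out of scope)."""
    src, dst = segment_of(flow["src"]), segment_of(flow["dst"])
    if src is None or dst is None:
        return "deny"          # unknown address: never trusted by default
    if src == dst:
        return "intra"
    return "allow" if (src, dst, flow["dport"]) in ALLOWED else "deny"

def lateral_movement_report(flows):
    """Per source host: (number of denied cross-segment flows, segments it
    tried to reach). A host probing several segments is a candidate for
    isolation during incident response."""
    denied, targets = Counter(), {}
    for f in flows:
        if evaluate(f) == "deny":
            denied[f["src"]] += 1
            targets.setdefault(f["src"], set()).add(segment_of(f["dst"]))
    return {h: (n, sorted(t for t in targets[h] if t)) for h, n in denied.items()}

# Constructed flow records, shaped like a firewall or NetFlow export.
SAMPLE_FLOWS = [
    {"src": "10.10.5.7",  "dst": "10.20.0.10", "dport": 443},   # permitted path
    {"src": "10.20.0.10", "dst": "10.30.0.5",  "dport": 5432},  # permitted path
    {"src": "10.10.5.7",  "dst": "10.30.0.5",  "dport": 445},   # workstation -> DB: denied
    {"src": "10.10.5.7",  "dst": "10.40.0.3",  "dport": 3389},  # workstation -> backup: denied
    {"src": "10.10.5.7",  "dst": "10.10.9.2",  "dport": 445},   # stays inside one segment
    {"src": "192.0.2.9",  "dst": "10.30.0.5",  "dport": 5432},  # unsegmented source: denied
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f["src"], "->", f["dst"], f["dport"], evaluate(f))
    print(lateral_movement_report(SAMPLE_FLOWS))
```

In a real deployment the allow-list lives in the segmentation controller or host firewall; the value of running the same policy over exported flows is that denied attempts become a detection signal, not just a blocked packet.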

Case Studies and Real-World Examples:

Several organizations have successfully employed micro-segmentation to defend against ransomware. Case studies showcase instances where this strategy has prevented the lateral movement of ransomware, limiting the scope and severity of attacks.

Conclusion:

As ransomware threats persist in their sophistication, the implementation of advanced cybersecurity measures becomes imperative. Micro-segmentation stands out as a proactive and adaptive approach, providing organizations with a powerful tool to enhance their defense mechanisms. By isolating critical assets, reducing the attack surface, and improving access controls, micro-segmentation plays a pivotal role in safeguarding against ransomware attacks, ultimately ensuring the resilience and integrity of digital infrastructures.

The post Enhancing Ransomware Defense through Micro-Segmentation of Networks appeared first on Cybersecurity Insiders.

In a world plagued by numerous cyberattacks and their devastating aftermath, a recent incident involving the Industrial & Commercial Bank of China (ICBC) has drawn significant attention. ICBC, one of the world’s largest banks, was forced to resort to a rather unconventional method for transporting critical data due to a malicious cyberattack.

The ICBC fell victim to a disruptive ransomware attack, which brought their entire digital infrastructure to a standstill. This unforeseen disruption impacted banking transactions and online services, paralyzing their daily operations. However, a critical situation required urgent action: the need to send essential settlement details to the US Treasury Trades.

With online services rendered useless, ICBC’s administrative staff had to think on their feet. They opted to load the crucial data onto USB sticks and physically transport the information to the federal organization. While this may seem like a secure means of information transfer, it comes with its own set of challenges, including the allocation of additional manpower and miscellaneous expenses.

The New York-based Industrial & Commercial Bank of China suspects that the cyberattack was the handiwork of the LockBit Ransomware group, believed to be operating out of Russia. ICBC’s security experts are currently gathering evidence through forensic work and exploring the possibility of negotiating a resolution with the hackers.

Simultaneously, ICBC is committed to handling the incident professionally. Their approach involves recovering the stolen data from backups and collaborating with law enforcement agencies to prevent the illicit sale or leakage of sensitive information on the internet.

Despite the enormous financial significance of ICBC, with trading operations in financial securities centers like London, Tokyo, and New York, the bank refuses to succumb to the hackers’ ransom demands, which could reach a staggering figure in the millions. Paying these criminals not only incentivizes further criminal activity but also does not guarantee the receipt of a decryption key.

Regrettably, the LockBit group shows no signs of letting up in their malicious endeavors. Recent victims of this cybercriminal gang include notable companies such as Boeing, ION Trading UK, and the UK’s Royal Mail. As the group communicates in the language associated with Putin-led Russia, there is speculation that they may have connections to the Kremlin, a concern raised by the Pentagon.

The post Cyber Attack on US Bank forces it to transit data via USB Sticks appeared first on Cybersecurity Insiders.

In accordance with the newly introduced federal guidelines, the responsibility for a company facing a ransomware attack is now placed squarely on the shoulders of its CTO or CEO. Legal repercussions may be initiated against the targeted business if it fails to take adequate measures to protect its customer data from cybercriminals.

However, the recent incident at Optus Australia appears to be challenging this standard practice, as the company’s CEO, Kelly Bayer, is poised to encounter a challenging period in the upcoming weeks. Yesterday’s national network outage is expected to cast a shadow over her career.

It is undeniable that the network breakdown has severely eroded customers’ trust in the Optus brand. Nevertheless, it’s important to recognize that this is a national issue, and attributing blame solely to one individual or team may not be entirely fair.

Over the past few hours, social media has been ablaze with criticism, with many insisting that the CEO should bear the brunt of the blame, citing the company’s apparent failure to safeguard its infrastructure from cyberattacks effectively.

Notably, the company’s technology leadership has clarified that the outage resulted from a software flaw, not a state-sponsored attack, as was the case in a previous incident in which the Russian GRU was implicated. Optus is diligently working on recovering from this recent incident and has made significant progress in restoring its infrastructure.

However, in a twist of events, some Telegram members, seemingly acting as paid advocates, are calling for a change in senior-level management. They believe that the attack could have been prevented or that the telecom provider failed to implement adequate security measures, even after learning from the significant breach that occurred during the Optus Cyber Attack in 2022, exposing the data of over 9.8 million Australians due to an API vulnerability.

From a technical standpoint, Optus was well-prepared to fend off sophisticated cyberattacks and was proactive at every stage. Nevertheless, as is the case in the world of cybersecurity, even the best-laid plans can falter for various reasons, and this incident is no exception.

The Australian Securities Exchange has requested an explanation from Singapore Telecom, a major stakeholder in Optus, regarding the situation. However, they have opted to keep the investigation and analysis of the Optus 2023 cyberattack away from the public eye.

The question arises: is it fair to place blame on a CTO or CEO when their company’s information technology network is struck by a sophisticated cyberattack, or when a software glitch disrupts operations for hours or even days?


The post How can a CEO or a CTO lose their jobs on ransomware attacks appeared first on Cybersecurity Insiders.