Ransomware reaches unprecedented levels

Ransomware attacks are expected to continue escalating in 2023, with attackers becoming more sophisticated and efficient in their methods. According to a report by NCC Group, a security consultancy, the number of compromises posted to leak sites in July increased by over 150% compared to the same month in the previous year. This surge in attacks follows a rising trend throughout 2023, with the number of breaches publicized on these sites growing by 79% compared to the same period in 2022.

The increase in ransomware attacks can be attributed to several converging factors. Recent vulnerabilities in managed-file transfer services, such as MOVEit, have made it easier for attackers to exploit systems. Additionally, there has been a rise in the availability of services offering initial access, providing attackers with more opportunities to infiltrate organizations. Criminal groups are opportunistic in nature and will seize upon any new vulnerabilities to maximize their financial gains. If similar vulnerabilities to MOVEit are discovered in the future, it is highly likely that there will be a significant increase in ransomware activity.

Further analysis by Sophos, a cybersecurity company, reveals that ransomware criminals are becoming more efficient in compromising companies once they have gained initial access. The average dwell time in ransomware incidents has decreased from nine days in 2022 to five days in 2023. This reduction in dwell time indicates that attackers are able to quickly execute their attacks before organizations can detect and respond to the infection. In contrast, non-ransomware attackers are taking more time, with an average dwell time of 13 days in 2023 compared to 11 days in 2022.

According to Chester Wisniewski, field CTO for applied research at Sophos, attackers are improving their techniques in stealing and encrypting data. Modern ransomware attacks involve a series of complex tasks, including finding a way into the system, breaching the Active Directory, disabling backups, and more. These tasks take time to complete, which is why the median dwell time for a ransomware attack is around five days. The attackers need sufficient time to carry out their operations effectively.

Despite the emergence of alternative strategies, such as theft-and-extortion schemes, most ransomware groups continue to use the double extortion approach. They steal and encrypt data to convince companies to pay the ransom. The industrial sector has been particularly vulnerable to these attacks, as it has historically allocated less budget towards cybersecurity compared to other sectors. Attackers often move laterally within the network, especially targeting Active Directory servers, which grant them access to various resources. Establishing control over an Active Directory server significantly enhances an attacker’s capabilities and allows the theft of highly privileged accounts.

One prominent group contributing to the increase in ransomware activity is known as the Cl0p group. This group has exploited vulnerabilities in managed file transfer platforms, attacking MOVEit and GoAnywhere MFT. However, instead of encrypting data, the Cl0p group has shifted its focus to straight theft and extortion. They steal data and threaten to reveal it unless the victim pays the ransom. The Cl0p group has been responsible for three times more data leaks than the second most successful group, LockBit 3.0.

Even setting aside the significant impact of the Cl0p group, overall ransomware activity has been on the rise: posts to data-leak sites increased by 57% year-over-year, excluding the Cl0p group’s activities. This growth demonstrates the ongoing threat posed by ransomware attacks. Additionally, there has been no summer slump in ransomware activity in 2023, as was observed in the previous year. This suggests that cybercriminals are motivated to generate profits, particularly during periods of economic downturn.

In conclusion, ransomware attacks are on the rise and expected to continue affecting more organizations in 2023. Attackers are becoming more adept at compromising systems and executing attacks quickly to maximize their financial gains. Organizations must remain vigilant and prioritize cybersecurity measures to mitigate the risk of falling victim to these devastating attacks.
