Ransomware Trends 2023, Q2 Report
Q2 2023 Ransomware Trends Summary
The ransomware industry has been a prominent player this quarter, causing significant impact and affecting numerous organizations globally. With its widespread threat, the industry has successfully claimed 1386 victims.
Organizations are feeling the impact of ransomware more acutely, as many critical vulnerabilities were discovered this quarter. Additionally, the emergence of new groups, both from the end of 2022 and during this quarter, has contributed to the industry’s growth. These ambitious groups show promise and are introducing a new generation of ransomware families.
While LockBit3.0 continues to dominate as the top ransomware group, their numbers have experienced a slight decline compared to Q1 2023. Furthermore, one of their affiliates was apprehended.
As with every quarter, the Cyberint Research Team also monitored the emerging new ransomware groups. Notably, MalasLocker, 8base, and Nokoyawa have gained attention as new players in the field. In their first quarter of operations, these groups collectively claimed a total of 305 victims.
This report aims to summarize the global ransomware activity observed in Q2 2023. It will delve into statistics, trends, noteworthy events, and arrests related to ransomware incidents.
Q2 2023 Ransomware Stats
Overall, this quarter we saw a massive increase of no less than 67% in ransomware cases compared to last quarter, as ransomware groups were able to compromise 1386 victims worldwide (Figure 1).
Ransomware in Q2 2023 vs. Q2 2022
Compared to Q2 of 2022, we see that the numbers are even higher with an increase of 97% in ransomware cases (Figure 2).
Undoubtedly, this quarter was by far one of the most successful quarters the ransomware industry has seen.
Top Countries Targeted by Ransomware in Q2 2023
Not surprisingly, the country most targeted is the US, with 574 victims, followed by the United Kingdom and Canada, with 60 and 56 victims respectively (Figure 3).
Top Sectors Targeted by Ransomware in Q2 2023
As for the top sectors targeted, business services is on top this quarter, with 255 victims, followed by the retail and manufacturing sectors, with 168 and 156 victims respectively.
Q2 2023 Top 3 Ransomware Groups
Among all the ransomware groups, three have risen to the top – LockBit3.0, MalasLocker and the veteran ALPHV (Figure 5).
Unlike previous quarters, when the remaining groups didn’t come close to the top three, this quarter many of them still posted significant victim counts, among them BianLian, 8Base and, of course, Cl0p.
LOCKBIT3.0
LockBit3.0 is currently one of the most seasoned groups in the ransomware industry. They remained consistent throughout the quarter, averaging 20.66 victims per week and 248 victims overall.
LockBit3.0 mostly uses social engineering techniques in their campaigns, such as phishing and malspam, along with bribing employees to willingly give them access.
In addition, in some cases we witnessed that LockBit3.0 was able to utilize and exploit vulnerabilities to gain initial access.
The group mainly focuses on the business services, retail, and manufacturing (Figure 6) sectors.
In addition, the group targeted the US in 93 campaigns, followed by France and the UK, each with ten victims (Figure 7).
MALASLOCKER
While over time, LockBit3.0 has been the most consistent and professional ransomware group in the industry, this quarter, they faced quite a significant competitor – MalasLocker.
This new rising star of the ransomware industry first emerged on April 9 (Figure 8) and, throughout the quarter, was able to compromise 171 victims, which might be the best debut we have seen in the history of new ransomware groups.
Like many ransomware groups, MalasLocker presents itself as the “good guy” who is doing the victims a favor by testing their defenses. In return, they request payment for their hard labor.
It seems that MalasLocker usually targets Zimbra servers using the CVE-2022-27925, CVE-2022-37042, CVE-2022-30333 and CVE-2022-24682 vulnerabilities.
When it comes to targeted sectors, we can see that the top sectors targeted by MalasLocker are business services, manufacturing and retail (Figure 9).
Unlike most ransomware groups, the top country targeted by MalasLocker is Italy, followed by the US and Russia (Figure 10).
The fact that MalasLocker also targets Russian companies is very surprising, especially since Russia is one of their top three targeted countries. This leads to the assumption that MalasLocker is based outside the Russian region.
ALPHV/BLACKCAT
ALPHV/BlackCat is a veteran group, a descendant of the Darkside group that was responsible for the Colonial Pipeline incident, later rebranded as BlackMatter, and now ALPHV.
The group’s affiliates use various techniques in their campaigns: they exploit vulnerabilities, run phishing campaigns, and use the services of other malware-as-a-service groups, such as IcedID, to deploy their payload.
Like most ransomware groups, business services is ALPHV’s most targeted sector, along with retail and finance (Figure 11).
There is no doubt that the US is the group’s main focus, as 55% of its cases are in the US (Figure 12).
NEWCOMERS
This quarter, an astonishing number of new ransomware groups – at least 143 – have emerged. Although the vast majority of these groups will soon perish, some will survive and could become a permanent fixture in the ransomware world.
This quarter we decided to focus on two newcomers that have already claimed a substantial number of victims (given that we already addressed MalasLocker in the previous section).
8BASE
8Base is a group we consider a newcomer. Although evidence suggests that the group existed a few months ago, their first victims were only documented in this quarter. Additionally, their “debut” in the ransomware industry was explosive, with 107 new victims.
Although MalasLocker was able to compromise 171 victims, which is way more than any other newcomer, it seems that 8Base is being taken more seriously in the ransomware industry as many compare it to LockBit3.0 and Conti.
8Base mostly targets the business services, retail and manufacturing sectors, focusing most of its efforts on the US, Brazil and the UK.
NOKOYAWA
Nokoyawa ransomware is a relatively new group. Although it was first seen in February 2022, it disappeared shortly after its arrival and resurfaced this quarter. In their first week, they published 26 new victims, although not much activity has been documented since.
Nokoyawa is known for reusing the leaked Babuk ransomware source code in its campaigns. In addition, their infection methods involve vulnerability exploitation and email phishing. Surprisingly, the group’s most targeted sector is education: 17 of Nokoyawa’s 26 victims are from the educational sector, followed by the government and transportation sectors.
Notable Ransomware Events in Q2 2023
Although this quarter was packed with notable events and cases to learn from, the main events we found worth mentioning are definitely the still-ongoing MOVEit campaign, the arrest of Ruslan Astamirov, one of LockBit3.0’s affiliates, and the high bounties on other affiliates and Cl0p’s heads.
MOVEIT CAMPAIGN
To date, the MOVEit campaign is still hitting headlines and claims new victims daily.
Their massive campaign is another great example of how a supply chain attack can affect a significant number of companies worldwide.
MOVEit is managed file transfer (MFT) software that encrypts files and uses secure File Transfer Protocols to transfer data within teams, departments and companies. By encrypting files and utilizing secure File Transfer Protocols, MOVEit provides an allegedly reliable solution for transferring data. MOVEit is used in the healthcare, finance, technology, and government industries.
The MOVEit campaign consists of several critical discovered vulnerabilities, which, once successfully exploited, can lead to remote code execution and data leaks.
The public disclosure of the MOVEit vulnerability did not appear to be news to the Cl0p ransomware group, which had it in its sights long before it was made public. Cl0p has reportedly been exploiting this vulnerability since 2021. Indicators also showed that the group attempted to extract data from compromised MOVEit servers in April 2022.
Cl0p has demonstrated a pattern of conducting zero-day exploit campaigns against various targets, such as Accellion File Transfer Appliance (FTA) devices in 2020 and 2021 and GoAnywhere MFT servers in early 2023. This indicates that such campaigns may be an appealing modus operandi for Cl0p and provides insights into the technical profile of some Cl0p gang members. Currently, Cl0p has published 80 victims that were announced as compromised via the MOVEit vulnerability. In addition, they were able to ransom big-name companies such as Norton, EY, and Zellis. The Cyberint Research Team covered this campaign in a different research report.
LOCKBIT3.0 AFFILIATE ARREST
Ruslan Magomedovich Astamirov was arrested in Arizona and charged by the U.S. Justice Department for deploying LockBit ransomware on networks in multiple countries. If convicted, he could face up to 20 years in prison for wire fraud and up to five years for damaging protected computers.
The U.S. government is determined to expose ransomware perpetrators and bring them to justice, emphasizing that online anonymity will not protect them. Astamirov is the third person to be prosecuted in connection with LockBit, following the arrests of Mikhail Vasiliev and the indictment of Mikhail Pavlovich Matveev.
Evidence suggests that Astamirov used specific email addresses and controlled an IP address involved in the attacks.
When asked how this arrest might affect their operation, LockBit3.0 responded, “He should have practiced better OpSec”. Once again, the group shows no sentiment, focuses purely on the business itself and on other affiliates, and is recruiting more skilled affiliates to take Ruslan’s place.
RANSOMWARE BOUNTIES
There is no doubt that the FBI, along with other intelligence and law enforcement organizations worldwide, decided to significantly increase its efforts in hunting down those behind one of the most widespread threats to organizations worldwide.
As part of their war against ransomware, the FBI is offering a bounty of no less than $10 million for anyone who has information about another LockBit3.0 affiliate, Mikhail Pavlovich Matveev (Figure 13), who, in the past, also worked with Darkside and Babuk ransomware families.
Mikhail, aka Wazawaka, was being targeted by bounty hunters even before the $10 million reward, and several head hunters were able to find him several times, but no arrests were ever made.
In addition, the FBI has also offered a reward for the Cl0p ransomware family, although usually, the reward is given for information that will lead to the shutdown of the operation or the arrest of its people. In Cl0p’s case, the additional reward will be granted for any information linking a government or a state to Cl0p and its operations, especially if it’s related to the MOVEit campaign.
Q2 2023 Ransomware Summary
We all know that the ransomware threat is not going anywhere. However, Q2 of 2023 showed massive growth in ransomware cases with several new campaigns and the emergence of new, very ambitious groups.
Although LockBit3.0 remains the industry leader, more and more groups have risen to the challenge and tried to take over the throne.
In addition, Cl0p’s MOVEit campaign has taught us once again how lethal a ransomware campaign can be when obtaining strategic pivot points in a supply chain infrastructure. We expect other ransomware groups to invest time and effort in exploiting and finding these strategic links as well.
Unfortunately, Q2 of 2023 was very successful for the ransomware industry, with the highest victim counts per quarter we have seen, ambitious newcomers, and a strong supply chain use case that could be utilized by other ransomware groups.
Cyberint and the Dark Web
Cyberint gathers high-tier sources that remain elusive to most companies. We penetrate hidden corners, which enables us to collect and analyze data. We enrich our automated collection with a human approach, through research and analysis by our military-grade expert team. Get a demo and see what assets you have exposed on the deep & dark web that could put you at risk of a ransomware attack.
Q1 2023 Ransomware Statistics
The first quarter of 2023 was the best quarter we’ve seen for the ransomware industry in a long time, even exceeding Q1 2022. With 831 victims, Q1 2023’s victim count was much higher than the first quarter of 2022, with just 763 victims.
Unsurprisingly, LockBit3.0 remained the number one group claiming an average of around 23 victims per week and almost 33% of all ransomware cases this quarter.
The groups that came in second and third places were Clop Ransomware and ALPHV/BlackCat ransomware, with 104 and 81 victims, respectively.
In addition, we saw some notable events, such as LockBit’s Royal Mail incident, the shutdown of Hive Ransomware and the ESXiArgs campaign with thousands of infected machines.
Q1 2023 Ransomware Trends & Statistics
Top Ransomware Groups 2023
As mentioned, LockBit3.0, ALPHV and Royal are currently leading the industry; LockBit has the most victims (Figure 1).
Top 10 Ransomware Targeted Countries
When it comes to the top 10 ransomware targeted countries, the US remains the number one targeted country, with the UK and Canada trailing behind (Figure 2).
Top Ransomware Targeted Sectors 2023
Analyzing the victims by sectors, we can see that the manufacturing sector is the top targeted sector this quarter, along with the services and construction sectors (Figure 3).
Q1 2023 Notable Ransomware Trends, Events and Developments
During this quarter, we encountered several interesting ransomware cases.
Hive Ransomware Shutdown
At the beginning of February, the U.S. Department of Justice celebrated a major victory in the fight against ransomware by dismantling and confiscating the infrastructure of Hive ransomware (Figure 4), which was one of the most persistent groups in the ransomware industry and was ranked in the top 10 ransomware groups in 2022.
Hive ransomware emerged in mid-2021 and has reportedly targeted and held ransom about 1,500 victims.
At a press conference led by FBI Director Christopher Wray, it was revealed that the FBI had taken control of servers in Los Angeles, which contained important Hive ransomware gang data. The operation was the culmination of several months of investigation, beginning with the FBI’s infiltration of Hive ransomware’s network in July 2022. By gaining access to the network, the FBI obtained the decryption keys for the ransomware and provided them to 1,300 current and former Hive targets.
While many celebrated the takedown, some doubt it will have any real effect on the ransomware industry in general. Currently, there has been no actual change and none of the other veteran groups went off-grid because of this incident.
Royal Mail Ransomware Attack
In early January, the UK’s Royal Mail was compromised by a ransomware attack. At first, it seemed that it was a new module of LockBit named Lockbit Black.
However, when LockBitSupp was contacted, they claimed that this was in fact their module, but that they were not aware of any campaign targeting the UK’s Royal Mail.
This claim raised many speculations regarding copycats or new groups that emerged due to a leak LockBit had in September 2022.
Several days later, LockBit3.0 made another announcement saying that they had found the affiliate that was responsible for the attack and they reclaimed responsibility for the case, saying, “We have too much activity going on these days and it’s hard to keep track of everything”.
During negotiations for this case, LockBit demanded a £65 million ransom, which was rejected by the Royal Mail.
While observing LockBit’s negotiation chats, the group said that these are hard times for the ransomware industry as they are impacted by less profitable campaigns.
Nevada/ESXiArgs Campaign
Over the weekend, a relatively new ransomware group named Nevada Ransomware initiated its first massive campaign, targeting any ESXi machine that is exposed to the internet. The group seemed to compromise hundreds of servers over the weekend and caused major damage. Although the scale of this campaign is one of the biggest we have seen, it might already have a solution.
As mentioned, the group includes only Russian and Chinese speakers. As a result, the group’s encryption module does not target Russia, Albania, Hungary, Vietnam, Malaysia, Thailand, Turkey and Iran.
Over the weekend, the group targeted any front-facing ESXi machine it could find and exploited multiple related vulnerabilities. A significant proportion of the victim count is focused on France.
The group encrypts the configuration files of the ESXi systems instead of encrypting the vmdk disks themselves.
Then, a ransomware note is left for the victim with contact information for negotiations.
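The distinction the report draws here matters for recovery: if only the VM configuration and descriptor files were encrypted while the flat disk data was left untouched, the VM can often be rebuilt. The following triage script is an added example (not Cyberint’s tooling or anything from the Nevada/ESXiArgs campaign) that walks a VM folder and reports which file class was hit; it assumes a Shannon-entropy threshold of 7.0 bits/byte as the ciphertext heuristic and constructs its own sample folder. The same check applies to the Nevada/ESXi newcomer discussion later in the report.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path

# Heuristic threshold (assumption): encrypted content approaches 8 bits/byte,
# while VMX text and zero-padded flat disk regions score far lower.
ENTROPY_THRESHOLD = 7.0
CONFIG_EXTS = {".vmx", ".vmxf", ".vmsd", ".nvram"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte for a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_size: int = 4096) -> bool:
    """Sample the head of a file and compare its entropy to the threshold."""
    with path.open("rb") as fh:
        return shannon_entropy(fh.read(sample_size)) >= ENTROPY_THRESHOLD


def triage_vm_dir(vm_dir: Path) -> dict:
    """Classify which files in a VM folder look encrypted.

    Config-style files (.vmx/.vmxf/.vmsd/.nvram and the small .vmdk descriptor)
    are tracked separately from the '-flat.vmdk' raw disk data, because a VM
    whose flat data is intact is usually rebuildable from a new descriptor.
    """
    report = {"encrypted_config": [], "encrypted_disk_data": [], "intact_disk_data": []}
    for p in sorted(vm_dir.iterdir()):
        if not p.is_file():
            continue
        if p.name.endswith("-flat.vmdk"):
            key = "encrypted_disk_data" if looks_encrypted(p) else "intact_disk_data"
            report[key].append(p.name)
        elif p.suffix in CONFIG_EXTS or p.suffix == ".vmdk":
            if looks_encrypted(p):
                report["encrypted_config"].append(p.name)
    report["likely_recoverable"] = bool(report["intact_disk_data"]) and not report["encrypted_disk_data"]
    return report


def build_sample_vm_dir() -> Path:
    """Construct a sample VM folder mirroring the pattern the report describes."""
    d = Path(tempfile.mkdtemp(prefix="esxi_triage_"))
    ciphertext = bytes(range(256)) * 16              # exactly 8.0 bits/byte, stands in for encrypted content
    (d / "web01.vmx").write_bytes(ciphertext)         # config encrypted
    (d / "web01.vmdk").write_bytes(ciphertext)        # descriptor encrypted
    (d / "web01.nvram").write_bytes(b"\x00" * 512)    # untouched
    (d / "web01-flat.vmdk").write_bytes(b"\x00" * 4096 + b"disk data")  # raw disk data untouched
    return d


if __name__ == "__main__":
    print(triage_vm_dir(build_sample_vm_dir()))
```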
Clop Ransomware On The Rise
Clop Ransomware is a veteran ransomware group that emerged in February 2019 and targeted most industries worldwide, including retail, manufacturing, energy and finance.
Over the last three weeks of Q1, Clop’s victim count was much higher than the average numbers we are used to seeing from this group. It seems that Clop was able to claim a massive number of victims worldwide and was even able to surpass the current ruler of the ransomware industry, LockBit3.0.
The Cyberint research team has covered this anomaly in this blog post “Is Clop the New Ransomware to Watch?”, which is recommended reading.
Q1 2023 Ransomware Newcomers
During Q1, Cyberint’s research team found 167 new ransomware families. While this number seems very high, not all of them will become major actors in the ransomware industry, and some of them target individuals and not organizations.
Those that the Cyberint research team found more interesting this quarter than the others are Medusa ransomware and Nevada ransomware.
Medusa Ransomware
Medusa ransomware has become a solid member in the ransomware industry in 2023, targeting corporate victims worldwide with high ransom demands.
The Medusa operation started in June 2021 but with relatively low activity and few victims. However, in 2023 this ransomware gang increased its activity and launched its own unique ‘Medusa Blog’ and, following the classic double-extortion model, threatened to leak the files if the ransom isn’t paid.
One of the cases that made Medusa ransomware fairly popular in the mainstream was the video they published of themselves showing the stolen data from one of their campaigns, targeting the Minneapolis Public Schools (MPS).
Throughout this quarter, Medusa was able to compromise 20 victims as their activity started in mid-February.
Nevada/ESXi
The Nevada group was first introduced to the cybercrime industry on December 10, 2021, when they published an announcement to recruit new members to their Ransomware-as-a-Service plan.
The group works with only Russian and Chinese-speaking individuals.
Their encryption module is built in Rust and is currently still under development, as the group claims it will target Windows and Linux machines in addition to ESXi.
As the group is still very new, there is a chance that this incident was merely an initial experiment for their products and an opportunity to get some free PR, given that any threat actor in the cybercrime industry knows their name.
This campaign claimed around 3,200 victims in the first week. It taught us a lot about how aware companies are of the software versions they run. One of the vulnerabilities that was exploited was a two-year-old vulnerability, for which the patch had been available for around the same amount of time.
2023 Ransomware Trending Up
The ransomware industry is on the rise once again. Clop delivered explosive numbers towards the end of the quarter, Royal became more firmly established and LockBit3.0 stayed consistent. This led to the ransomware industry claiming a greater number of victims than in any quarter in the past year.
When considering the fact that Hive ransomware operators might make a comeback in the next 2-3 months with a rebrand, we do see a shift in favor of the ransomware industry, as the once-new groups are now a persistent threat in our landscape.