At least 1500 organizations have fallen victim to ransomware attacks globally in the first half of 2023, according to Rapid7’s 2023 Mid-Year Threat Review.
The majority of these attacks were perpetrated by three major ransomware gangs – LockBit (35.3%), ALPHV/BlackCat (14.2%) and Clop (11.9%).
Caitlin Condon, Vulnerability Research Manager at Rapid7, told Infosecurity that it is likely there were a higher number of incidents perpetrated by Clop, as this ransomware gang “was still actively claiming new victims from the MOVEit Transfer hack when we compiled our 1H 2023 data.”
The analysis was based on leak site communications, public disclosures, and Rapid7 incident response data.
While the top ransomware players remained stable in the first six months of 2023, Rapid7 also observed the emergence of new groups. A notable example is the Akira group, which appeared to have launched at the end of Q1. This gang has already racked up 60 known victims.
Condon said that the findings demonstrate that ransomware is thriving in 2023, with the ecosystem continuing to mature and diversify.
“High-profile smash-and-grab attacks perpetrated by groups like Clop have not only driven a high volume of ransomware victims, they’ve also led to significant downstream impact for users and organizations whose data was compromised as a result of attacks on technology and service providers or business partners. Ultimately, as long as businesses keep paying ransoms, new actors will arise (or regroup) to attempt to make money,” she explained.
A number of reports have highlighted a resurgence in ransomware attacks in 2023 following a relative slowdown in 2022.
Initial Access Trends
The report revealed a 69% year-over-year increase in the overall caseload for Rapid7 incident responders in the first half of 2023. The most prevalent initial access technique detected was remote access, at 39%.
This was followed by vulnerability exploitation (27%), with the researchers highlighting more than a dozen new vulnerabilities that were widely exploited from January to June 2023. More than a third of these flaws were used in zero-day attacks.
Other initial access vectors were phishing payloads (13%), supply chain compromise (6%) and insider threat incidents (4%), according to the report.
The remaining 11% of vectors included cloud misconfigurations, SEO poisoning and failure to eradicate threat actors during previous compromises.
Condon told Infosecurity that 40% of incidents in H1 2023 were a result of missing or inconsistent enforcement of multifactor authentication (MFA), particularly on VPN, VDI, and SaaS products.
“We also continue to see attackers successfully leverage default credentials, weak passwords and unmonitored service accounts,” she outlined.
“Our report does have some specific guidance on mitigating the risk of data exfiltration in the face of smash-and-grab extortion attacks, but many organizations need to implement basic security controls and program components before they worry about targeted attacks,” added Condon.
State-Sponsored Attacks
The researchers also tracked 79 known state-sponsored attacks in H1 2023. Around a quarter (24%) of these leveraged exploits against public-facing applications to target governments, critical infrastructure and corporate networks.
The most common access techniques used by these groups were spear phishing (23%) and the abuse of valid accounts (23%).
The primary motives for these state-backed attacks fell across three categories, according to the report:
- Cyber warfare: These are campaigns that targeted critical infrastructure, many of which relate to the ongoing conflict in Ukraine.
- Cyber espionage: Campaigns aimed at gathering intelligence or intellectual property for political or economic advantage. A recent example is the compromise of US government emails by Chinese threat actors in July 2023.
- Financial: Attacks targeting the private sector to evade economic sanctions and/or fund state regimes.