Ransomware incidents are on the rise, fuelling the ongoing ransomware pandemic that industry leaders are trying to grapple with. Check Point’s 2023 Mid-Year Security Report has revealed that 48 ransomware groups have breached over 2,200 victims. JUMPSEC’s research supports this, revealing that in the first half of 2023 ransomware attacks rose by 87% in the UK and by 37% globally.
Check Point Research (CPR), the Threat Intelligence arm of Check Point Software Technologies, a leading provider of cybersecurity solutions globally, has unveiled its 2023 Mid-Year Security Report. The report uncovers an unsettling 8% surge in global weekly cyberattacks in the second quarter, the most significant increase in two years, highlighting how attackers have cunningly combined next-gen AI technologies with long-established tools like USB devices to conduct disruptive cyberattacks. The report also showcases how ransomware attacks have escalated in the first half of the year with new ransomware groups coming onto the scene.
From the triple extortion attack on the University of Manchester to the rise of a new group, Anonymous Sudan, targeting Western organisations, the 2023 Mid-Year Security Report uncovers the trends and behaviours that have defined the year so far.
Key insights from the report include:
- Ransomware groups have stepped up their game, exploiting vulnerabilities in commonly used corporate software and shifting their approach from data encryption to data theft.
- USB devices have resurfaced as significant threats, with both state-affiliated groups and cybercriminals deploying USB drives as vectors for infecting organisations globally.
- Hacktivism has seen a rise, with politically motivated groups launching attacks on selected targets.
- Artificial Intelligence (AI) misuse has amplified, with Generative AI tools being used to craft phishing emails, keystroke-monitoring malware and basic ransomware code, calling for stronger regulatory measures.
In H1 2023, 48 ransomware groups breached over 2,200 victims, with Lockbit3 being the most active, reporting a 20% increase in victims compared to H1 2022. The emergence of new groups like Royal and Play is associated with the termination of the Hive and Conti Ransomware-as-a-Service (RaaS) groups. In terms of geography, 45% of victims are in the US, with an unexpected rise in Russian entities due to the novel actor ‘MalasLocker’, which substitutes ransom demands with charitable donations. The manufacturing and retail sectors have seen the most victims, suggesting a shift in ransomware attack strategy.
“Criminal activities have continued to rise in the first half of the year, with an 8% surge in global weekly cyberattacks in the second quarter marking the highest volume in two years. Familiar threats such as ransomware and hacktivism have evolved further, with threat groups modifying their methods and tools to infect and affect organisations worldwide. Even legacy technology such as USB storage devices, which have long been gathering dust in desk drawers, have gained popularity as a malware messenger,” said Maya Horowitz, VP Research at Check Point Software.
“Organisations need to build a cyber-resiliency strategy and strengthen their defences by adopting a prevention-first, integrated approach to cybersecurity. Cyberattacks are inevitable but can be largely prevented by proactive measures and the right security technologies.”
In light of Check Point’s research, computer and network security leader JUMPSEC has also released research showing that ransomware attacks are rising again.
In its latest report, JUMPSEC revealed that attacker-reported ransomware attacks increased by 87% in the UK and 37% globally in the first half of 2023. This follows reports of ransomware growth slowing at the end of 2022. Victims refusing to pay, higher security spending, or threat actors focusing on Russia-Ukraine were all theories for the slowdown.
JUMPSEC now expects 2023 to be the most prolific year for ransomware, surpassing the previous highs of 2021. JUMPSEC identified 436 attacks worldwide in July 2023, 20% higher than the previous all-time high caused by Log4j in 2021.
The mass exploitation of software vulnerabilities is perhaps the most clear-cut contributing factor to the rise of ransomware attacks in 2023. Several vulnerabilities discovered in widely used platforms have contributed to rising attack figures (Rackspace, Zimbra and, most notably, MOVEit).
Analysis shows that Lockbit is still the most prevalent ransomware variant in 2023. However, Cl0p ransomware, which claims the MOVEit breach, has increased its impact significantly and could be on course to challenge Lockbit as the most prevalent ransomware.
Another 2023 trend reported by JUMPSEC is the increased exploitation of the financial services, insurance and IT sectors, both globally and within the UK. With organisations increasingly opting only to exfiltrate data as leverage for extortion, these sectors are becoming increasingly lucrative targets. Large UK-based companies such as Aon, Deloitte and PwC were all targeted in the MOVEit attack and are representative of the types of organisations that have experienced higher attack rates.
Another explanation for rising attack figures is simply the proliferation of more ransomware variants, as JUMPSEC has monitored 20% more ransomware groups in 2023 than in 2022.
According to the analysis, successful groups continue to prioritise big game hunting. In 2023, BlackCat (ALPHV) and CL0P are the most common ransomware groups targeting UK organisations with £10 million in bank assets, replacing Karakurt as the most common ransomware against large organisations.
The UK is the most targeted country outside the US and 20% of European ransomware attacks occur there. While Russian-aligned hacktivist organisations threaten DDoS assaults against the UK, theoretically making UK businesses more susceptible, such attention-grabbing hacktivism is unlikely to have a significant impact.
“We have observed a trend towards the increased personalisation of attacks, which could indicate victims have become less inclined to pay ransoms, causing attackers to exert greater pressure,” said JUMPSEC researcher Sean Moran. “Unfortunately, recent reports of rising cryptocurrency profits by known ransomware threat actors suggest that attacker negotiation tactics have been effective. Organisations need to continually refine their response to cyber extortion as attackers develop new strategies around mass exploitation of software vulnerabilities and data exfiltration, while becoming increasingly personal by targeting individuals and senior leadership within victim organisations.”
JUMPSEC threat intelligence analysts track global ransomware activity using a mixture of manual investigation and automated bots to search or ‘scrape’ the public-facing domains of ransomware threat actors. The raw data is then enriched by investigating the geographic location, industry sector, size and financial profile of each targeted organisation.