The Deepwatch Adversary and Tactics team conducted a comprehensive analysis of ransomware leak sites in 2023, revealing a complex and evolving threat environment in which 2,436 victims were listed. Key findings from the data indicate that ransomware remains a significant and growing threat to a wide range of industries and countries, with specific industries and regions being particularly vulnerable.
- The ransomware ecosystem is primarily dominated by a few key players – Lockbit, CL0P, ALPHV, Black Basta, and Play. Collectively, these groups account for a substantial portion of the attacks, each exhibiting unique targeting patterns and preferences.
- Manufacturing, professional, scientific, and technical services, information technology, finance and insurance, and educational services emerged as the most targeted industries. These industries are possibly chosen due to their critical operational roles, the sensitivity of the data they handle, and their perceived ability to pay ransoms.
- The United States, the United Kingdom, Canada, Germany, and France are the most affected countries, highlighting a focus on economically developed regions with high levels of digital infrastructure. This concentration suggests that ransomware groups may strategically target these regions due to the lucrative opportunities for extortion.
- Each ransomware group has demonstrated distinct preferences for specific industries, potentially reflecting their operational strategies. For instance, Lockbit heavily listed the manufacturing industry, while CL0P listed the finance and insurance industry the most.
Our analysis strives to be comprehensive, utilizing the most current data available from our dark web monitoring platform. However, it is crucial to acknowledge this data set’s inherent discrepancies. Despite our best efforts, the data set may include victims who are not listed on leak sites or were previously listed. Additionally, we may have omitted victims we could not verify. As the data set does not include information about the industry, we do our best to classify the victims based on the NAICS industry classification system. This manual effort may introduce other discrepancies, such as misclassifying the industry.
We also recognize that our data set does not represent the full scope of ransomware victims, as it only reflects those listed on leak sites, and groups do not list every victim they attacked on their sites. As such, while we believe our analysis provides valuable insights, it should be considered with an understanding of these potential discrepancies.
Analysis
The ransomware threat landscape in 2023, as evidenced by the data collected from various ransomware leak sites, presents a complex and evolving challenge. With a total of 2,436 victims recorded, the scale of these attacks underscores the proficiency and audacity of cybercriminals across a wide range of sectors.
Industry Analysis
The data reveals a concerning trend where specific industries are listed more frequently than others. Manufacturing, professional services, information technology, finance and insurance, and educational services emerge as the top targeted industries, each facing unique challenges and threats from these cybercriminals.
There are several possible explanations. One: attackers may perceive these sectors as more vulnerable or lucrative. Two: because these industries have numerous subsectors, many organizations fall under them. Three: some organizations can be classified under multiple industries.
Manufacturing, which encompasses organizations ranging from food to pharmaceutical to chemical producers, accounted for 545 victims, or 22% of all victims listed on monitored leak sites. This sector’s vulnerability stems from its reliance on continuous production processes and complex supply chains.
Disruptions caused by ransomware can lead to substantial operational halts, making manufacturing companies more likely to pay ransoms to resume operations quickly.
The professional, scientific, and technical services industry, encompassing a wide range of services from legal advice to consulting to engineering, was the target of 386 attacks, representing 15% of the total. The high value of intellectual property and sensitive client data in these fields makes them lucrative targets. Ransomware attacks in this sector not only threaten to disrupt business operations but also risk compromising client confidentiality and trust.
The information industry, including software development companies and media outlets, faced 187 attacks, accounting for 8% of the total. Given the critical nature of data and the reliance on digital infrastructure in this sector, ransomware attacks can have devastating consequences, ranging from data loss to severe service disruptions.
With 166 attacks, making up 7% of the total, the finance and insurance industry is a prime target due to the critical nature of financial data and the sector’s regulatory and reputational obligations. Ransomware attacks in this sector have direct financial implications and pose risks to customer trust and regulatory compliance.
With 164 attacks (7% of the total), educational institutions are increasingly targeted, from entire school districts to universities, primarily due to their wealth of personal data and often less robust cybersecurity measures. These attacks can disrupt educational processes and lead to the loss of sensitive student and faculty data.
Geographic Analysis
Geographically, the United States stands out as the most affected country, accounting for over half of the reported victims, followed by the United Kingdom, Canada, Germany, and France. This geographical distribution indicates a focus on regions with high economic activity and digital infrastructure, making them attractive targets for ransomware operators.
Dominating the statistics, the United States experienced 1,271 ransomware attacks. This high number can be attributed to several factors, including the vast number of high-value targets in the form of large corporations and critical infrastructure, the extensive digitalization of businesses and services, and the high level of economic activity. The concentration of attacks in the U.S. also reflects the perception among cybercriminals that American entities are more likely to pay higher ransoms.
With 146 attacks (6% of the total), the UK is another significant target. The UK’s economy and substantial financial and professional services sectors make it an attractive target for ransomware groups. The prevalence of attacks in the UK also points to the sophisticated nature of cybercriminals capable of circumventing the robust cybersecurity measures often found in developed nations.
Canada experienced 111 attacks, representing 4% of the total. Similar to the U.S. and UK, Canada’s developed economy and high level of digitalization make it a lucrative target for ransomware operators. The concentration of attacks in Canada also suggests that cybercriminals may be exploiting specific vulnerabilities in Canadian businesses and institutions.
Germany, with 104 attacks (4% of the total), highlights the trend of ransomware groups targeting the economic powerhouses of Europe. Germany’s strong industrial base, particularly in manufacturing and technology, presents high-value targets for ransomware attacks, aiming to disrupt operations and extract significant ransoms.
France, experiencing 79 attacks (3% of the total), completes the top five affected countries. France’s diverse economy, including major players in finance, manufacturing, and technology, makes it a varied landscape for ransomware attacks. The focus on France also underscores the broader strategy of ransomware groups to target the economic centers of Europe.
Group Analysis
The ransomware ecosystem in 2023 was dominated by several key players – Lockbit, CL0P, ALPHV, Black Basta, and Play, each with its unique modus operandi and target preferences.
Lockbit leads the pack with 704 victims, accounting for 28% of the total reported cases. This group’s prominence is a testament to the large number of affiliates of its ransomware-as-a-service model and their tactics.
The data reveals that Lockbit’s leak site listed the manufacturing sector most often, with 156 incidents accounting for 22% of its total attacks. This was followed by the professional, scientific, and technical services industry. While it’s not precisely known why these sectors were listed the most, one suggestion is a strategic focus on industries where operational disruptions can lead to significant financial losses, increasing the likelihood of ransom payment.
CL0P, responsible for 15% of the attacks, demonstrates a slightly different pattern with their leak site listing the finance and insurance sector the most, likely stemming from CL0P’s exploitation of file management solutions widely used in this industry. Their targeting of manufacturing and professional services may also suggest a strategic focus on industries where operational disruptions can lead to significant financial losses.
In June of this year, Ukrainian officials claimed to have taken down the CLOP ransomware gang’s infrastructure. In July, however, CLOP began posting data stolen from the MOVEit vulnerability. Exploiting this zero-day allowed the threat actors to steal data from almost 600 organizations worldwide. With one zero-day vulnerability in MOVEit file transfer software, CLOP accounted for 13% of all ransomware victims in Q3. – Corvus Insurance
ALPHV, accounting for 12% of the attacks, lists the professional, scientific, and technical services industry the most on their data leak site. This choice may reflect a strategy of targeting a sector rich in intellectual property and sensitive data. ALPHV’s operations in the manufacturing and information industries further highlight their adaptability and focus on high-value targets.
The FBI recently seized ALPHV’s leak site. If ALPHV re-emerges, it is unlikely to rebrand, as changing the ransomware’s behavior would be too much effort and a rebrand would eventually be revealed. Additionally, there have been discussions between ALPHV and Lockbit leadership about joining forces, ultimately creating a “cartel.” As of 2 January 2024, ALPHV’s leak site was back online. This cat-and-mouse game between law enforcement and cybercriminals highlights the difficulty in combating these threats.
Though responsible for 7% of the attacks, Black Basta demonstrates a unique focus, with 34% of its listings in the manufacturing sector. This concentration suggests a deep understanding of the high stakes involved in manufacturing operations. Their targeting of professional services and construction also indicates a broader strategy to disrupt critical infrastructure and services.
Play, also accounting for 7% of the attacks, shows a diverse range of targets, with manufacturing, professional services, and information sectors being the primary victims. This diversity in targeting reflects a more opportunistic approach, possibly exploiting various vulnerabilities across different sectors.
Given the success and proliferation of groups like Lockbit, CL0P, ALPHV, Black Basta, and Play in 2023, it is reasonable to expect their continued prominence as organizations look toward 2024. These groups have demonstrated adaptability and resilience, and unless significant disruptions occur in their operations, like ALPHV’s, they are likely to maintain or expand their activities.
Industries that have been heavily targeted, such as manufacturing, professional services, and finance, will likely remain primary targets. However, without knowing why these industries are listed the most, it’s difficult to assess if they will switch focus to other industries that have been less targeted in the past. While the U.S., UK, Canada, Germany, and France have been primary targets, ransomware groups might begin to explore opportunities in other regions. This shift could be driven by increased government collaboration in currently targeted countries or by discovering lucrative targets in other emerging regions.
Avoid Becoming a Victim in 2024
Actions & Recommendations
To withstand, recover, and adapt to the evolving scourge of ransomware, customers should implement the following actions to mitigate the threat posed by actors targeting vulnerabilities in unsupported software and deploying ransomware:
- Regularly scan systems for vulnerabilities and patch systems as soon as possible. Prioritization should be placed on those systems that are internet-exposed with a focus on known exploited vulnerabilities like those featured in CISA’s Known Exploited Vulnerabilities Catalog.
- Integrating phishing-resistant multi-factor authentication (MFA) as part of the organizational policy can significantly reduce the risk of a cybercriminal gaining control of valid credentials for additional tactics such as initial access, lateral movement, and collecting information.
- Prevent users from opening scripts, like .hta, .jse, .js, .vbs, and .wsf, through Group Policy settings and prevent the execution of script interpreters (MSHTA.exe and WSCRIPT.exe) through Group Policy or Application Control.
- Employ an anti-virus or EDR solution that can automatically quarantine suspicious files.
- Organizations are highly encouraged to establish an incident response plan and frequently test it. These plans should include an estimate of the time it would take to restore from backups and the overall cost. Customers should restore data from backups when testing their plans.
- Organizations with encrypted off-site backups should ensure that the digital decryption key or the applications needed to restore are not stored on a local file-sharing network and access is tightly controlled.
- Educate employees about the dangers of phishing emails and other common attack vectors. An informed workforce can act as a first line of defense against initial infiltration attempts.
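The first recommendation above, prioritizing internet-exposed systems with vulnerabilities in CISA’s Known Exploited Vulnerabilities Catalog, is easy to state and tedious to do by hand. The script below is an added example, not Deepwatch code, that joins a scanner-style asset inventory against a KEV-style catalog and orders the findings: exposed assets first, then entries the catalog flags as used in ransomware campaigns, then by how overdue the CISA due date is. It assumes the KEV JSON field names (`cveID`, `dueDate`, `knownRansomwareCampaignUse`) as published in the feed; the catalog excerpt and the inventory are constructed samples, and the `CVE-EXAMPLE-*` identifiers are placeholders rather than real vulnerabilities.

```python
"""Rank KEV-listed findings for patching, exposed assets first.

Added example, not Deepwatch code. The catalog below is a constructed sample
that mirrors the field names of CISA's KEV JSON feed (an assumption about the
feed format); the CVE ids are placeholders, not real vulnerabilities.
"""
import json
from datetime import date

# Constructed KEV excerpt. A real run would load the downloaded feed instead.
KEV_SAMPLE_JSON = """
{
  "title": "constructed sample, not the real catalog",
  "vulnerabilities": [
    {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleVendor",
     "product": "File Transfer Appliance", "dateAdded": "2023-06-02",
     "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "ExampleVendor",
     "product": "VPN Gateway", "dateAdded": "2023-09-14",
     "dueDate": "2023-10-05", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-EXAMPLE-0003", "vendorProject": "ExampleVendor",
     "product": "Internal Wiki", "dateAdded": "2023-11-01",
     "dueDate": "2023-11-22", "knownRansomwareCampaignUse": "Known"}
  ]
}
"""

# Constructed inventory: vulnerability-scanner output joined with exposure data.
ASSETS = [
    {"host": "web-01", "internet_exposed": True,
     "cves": ["CVE-EXAMPLE-0002", "CVE-EXAMPLE-9999"]},
    {"host": "mft-01", "internet_exposed": True, "cves": ["CVE-EXAMPLE-0001"]},
    {"host": "wiki-01", "internet_exposed": False, "cves": ["CVE-EXAMPLE-0003"]},
    {"host": "db-01", "internet_exposed": False, "cves": ["CVE-EXAMPLE-9999"]},
]


def load_kev(json_text):
    """Index catalog entries by CVE id for O(1) lookup."""
    data = json.loads(json_text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def priority_key(finding):
    """Sort tuple: exposed before internal, known ransomware use first,
    earliest (most overdue) CISA due date first."""
    return (
        0 if finding["internet_exposed"] else 1,
        0 if finding["ransomware_use"] == "Known" else 1,
        finding["due_date"],
    )


def prioritize(assets, kev, today):
    """Return KEV-listed findings across all assets, most urgent first.

    CVEs absent from the catalog are skipped here; they belong to the normal
    patch cycle rather than the emergency queue this list feeds.
    """
    findings = []
    for asset in assets:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": cve,
                "product": entry.get("product", ""),
                "internet_exposed": asset["internet_exposed"],
                "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
                "due_date": due,
                "days_overdue": (today - due).days,
            })
    return sorted(findings, key=priority_key)


def report(today_iso):
    """Flatten the prioritized findings to (host, cve, days_overdue) tuples."""
    kev = load_kev(KEV_SAMPLE_JSON)
    ordered = prioritize(ASSETS, kev, date.fromisoformat(today_iso))
    return [(f["host"], f["cve"], f["days_overdue"]) for f in ordered]


if __name__ == "__main__":
    for host, cve, overdue in report(date.today().isoformat()):
        print(f"{host:8} {cve:18} {overdue:5d} days past CISA due date")
```

The ordering deliberately puts exposure ahead of the catalog’s ransomware flag: an exposed gateway with an exploited bug that has not yet been tied to ransomware is still reachable from the internet, whereas an internal wiki with a ransomware-linked bug needs an attacker already inside. Swap the first two elements of the sort tuple if your threat model weights that differently.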