Freely subscribe to our NEWSLETTER

Drawing on our continuous monitoring and analysis of ransomware groups and their respective data-leak sites, we’ll reveal our insights into Q3 2023, beginning with two key events of the past three months.

Rhysida Goes After Healthcare, Education

The “Rhysida” ransomware-as-a-service (RaaS) group has heavily targeted the education sector since May 2023—40% of all its compromises were entities involved in that sector. In Q3 2023, Rhysida expanded their scope to perform cyber-threat activity against hospitals and medical clinics across the US. Rhysida not only stole sensitive data, including Social Security numbers and patient files, but it also auctioned off healthcare data on dark-websites.

Rhysida’s attacks on the healthcare sector have brought devastating effects. In one campaign, the group disrupted the operations of 17 hospitals and 166 clinics across the US after encrypting the systems of a healthcare organization. The group’s activities prompted the US Department of Health and Human Services (HHS) to issue a warning about Rhysida in August 2023.
Mitigations

HHS suggests several defensive strategies and best practices, including:

Implementing virtual patching to address known vulnerabilities
Conducting regular phishing awareness training for staff members
Using endpoint security tools
Maintaining immutable backups
Segmenting networks
Deploying firewalls and intrusion detection systems
Developing a well-defined incident response plan

Clop Concludes MOVEit Campaign

Clop continued its MOVEit campaign, which had begun in late May 2023, and began an extended operation to extort compromised companies. Clop used various tactics to pressure organizations into negotiating ransom payments, such as:

Naming the clients of targeted organizations, to imply data had been stolen from multiple companies in the compromise
Leaking excerpts of ransom negotiation conversations publicly
Leaking data on the dark web in multiple parts
Exposing the data on the clear web using an impersonating domain—a strategy previously used by “ALPHV”
Using torrents to leak stolen data, which allows faster downloads

Clop seemed to conclude its MOVEit campaign in mid-September 2023, when it last updated its data-leak site. The group only named four new companies in August and one in mid-September. Most of the group’s activity took place in July 2023, when the group achieved a remarkable feat by naming more than three times the number of organizations to its data-leak site than the “LockBit” group did. Clop’s MOVEit campaign illustrated the group’s ability to inflict significant damage, quickly.
Mitigations

ReliaQuest saw Clop attempting to exploit MOVEit vulnerabilities in several of our customers’ environments; we developed these mitigation steps for organizations to protect against similar campaigns:

Minimize exposure on managed file transfer (MFT) sites: Limit the duration of content storage on MFT sites to roughly 5 to 10 business days, as these services are designed for file transfer rather than long-term storage.
Strengthen on-premises application deployments: Implement robust logging, comprehensive tool coverage, and strict access control lists, and consider geofencing measures for on-premises applications. Be aware that most exploitation attempts for MOVEit originated from IP addresses in Slovakia.
Maximize application-specific log files and enable dedicated Windows logs (for MOVEit): Increase native log files’ size or retention duration, aiming for at least 30 days of log retention. Additionally, enable dedicated Windows logs for the MOVEit software if available, as this might not be enabled by default and could have size limitations.

Trends: Usual Suspects, New Adversaries, Insatiable Appetite

Q2 2023’s record-breaking stats were attributed to the launch of large-scale campaigns by brand new groups, such as “Malas.” In Q3 2023, although ransomware gangs named 6.9% fewer organizations on data-leak websites than they did in the previous quarter, they remained voracious. Almost twice as many compromised entities were named on data-leak sites in Q3 2023 than a year prior.

Overall, ransomware activity throughout 2023 has become noticeably more prolific, compared to the previous year.
image

During Q3 2023, LockBit, Clop, and ALPHV were the most active ransomware groups (naming the most compromised entities on their data-leak sites; see Figure 2). Clop regained its position as the second most active, surpassing Malas the previous quarter.

Since May 2023, no new entities have been listed on Malas’s data-leak site, suggesting that the group might have folded. Clop’s rise was driven by its MOVEit campaign, which became the most impactful extortion campaign we’ve ever witnessed.
image

“LostTrust”—probably a rebrand of “MetaEncryptor”—took eighth place in Q3 2023. What makes this remarkable is that LostTrust only created its data-leak site on September 26, 2023, just four days before the end of the quarter. In that short period, the group fired off the names of more than 50 victims, quickly establishing a reputation as a formidable threat.

We noticed that multiple companies named on LostTrust’s site had also been listed on the leak sites of other ransomware groups. Those companies may have been targeted twice, or LostTrust affiliates could be attempting to re-extort them.
Countries and Sectors in the Hot Seat

The most targeted country in Q3 2023 was the US, accounting for nearly half of all entities named on ransomware data-leak sites. This is usually the case, owing to multiple factors:

A vast number of potential targets in the US
Previous success of ransomware groups in receiving ransom payments from the US
Attackers’ nationalistic motives
A perception that US entities have more potential to pay ransoms

The UK experienced a 37.9% increase in targeting since the previous quarter. Australia and Italy each saw significant increases: of 60% and 55.5%, respectively—this can be attributed to smaller-scale ransomware operations, such as Rhysida attacks on Italy and Australia.

In terms of sectoral targeting patterns, no major shifts took place in Q3 2023. The professional, scientific, and technical services; manufacturing; and construction sectors bore the brunt of attacks by ransomware groups, likely owing to three key factors these sectors share:

A heavy reliance on technology, often using outdated and vulnerable systems with incomplete network-infrastructure visibility
Critical roles in supply chains
Service providers that often share data and infrastructure with other organizations, allowing threat actors to target multiple companies with one attack

As Clop concludes its MOVEit campaign, the group will probably move into a temporary phase to plan its next move; it’s realistically possible that we won’t see Clop in the top 5 again next quarter. We’ve seen Clop performing minimal or no activity for extended periods before launching large-scale attacks (see Figure 3), such as before its exploitation of vulnerabilities in MOVEit (beginning late May 2023), GoAnywhere (February–March 2023), and Accellion (December 2020) software.
image

Clop has demonstrated a particular interest in targeting enterprise MFT solutions to conduct extortion-only attacks. By choosing to not deploy ransomware in its major campaigns (MOVEit, GoAnywhere, Accellion), the group nimbly exfiltrated the data of hundreds of organizations in less than a week. Clop’s success is likely to inspire other ransomware groups to favor extortion over dropping ransomware, as well as target vulnerabilities in supply chains.

Other shifts will probably be tied to new ransomware groups. The lifespan of most new groups tends to be relatively short (one to three months), so it wouldn’t be surprising if we see few or no victims affected by new groups, such as LostTrust. Nascent ransomware groups often struggle to host data-leak sites, and lack the skills to develop tools that bypass new defenses. In some cases, they buckle under the threat of law enforcement.

It’s likely that we’ll also see some established groups cease operating or experience disruptions in Q4 2023. The start of the quarter has already witnessed the law-enforcement seizure of the “Ragnar Locker” ransomware gang’s dark-websites. That group has been active since December 2019 and waged many a high-profile attack campaign, such as one resulting in 52 US organizations across ten critical-infrastructure sectors being compromised. Ukrainian hacktivists have also allegedly hacked the “Trigona” ransomware servers, reportedly wiping all data from them.
image

Recommended Mitigations

Implement multifactor authentication (MFA) for user accounts, especially for remote and privileged access.
Use canary tokens for early detection and response to potential threats.
Implement network segmentation to limit the spread of ransomware.
Regularly monitor and patch external-facing assets to address vulnerabilities.
Follow a defense-in-depth strategy, incorporating multiple security controls.
Restrict PowerShell usage to authorized users or administrators.
Maintain offline backups in secure locations to ensure data recovery capabilities.
Use application control to allow the execution of signed scripts only.
Ensure comprehensive endpoint logging and visibility, and use endpoint detection and response tools.
Keep operating systems and software up to date by regularly patching known vulnerabilities.

Dig Deeper

Our comprehensive quarterly ransomware report further excavates the ransomware landscape of Q3 2023, offering the following insights:

In-depth analysis of ransomware activity
Extensive breakdown of ransomware targeting, by sector and country
Intelligence on the most active ransomware groups, including background; tactics, techniques, and procedures; and notable events
Insights regarding the MITRE ATT&CK techniques used by top ransomware groups
Detection recommendations to help mitigate
General recommendations to safeguard against ransomware
Strategies to protect against ransomware with assistance from ReliaQuest

Want more ransomware intel? Read our other blogs about ransomware-related insights and events, such as Clop’s MOVEit extortion campaign, three malware loaders that are often used to deploy ransomware, and a multinational operation that disrupted “QakBot,” a banking trojan used to deliver ransomware.

You can also explore our comprehensive ransomware defense guide that highlights strategies to prepare for, and defend against, ransomware attacks. Prefer to listen? Tune in to our threat-research podcast, ShadowTalk, which features weekly discussions of emerging ransomware and cybercrime trends.