News
ReliaQuest: Ransomware rises 22% in last quarter
April 2023 by ReliaQuest
ReliaQuest has just issued its quarterly ransomware review report.
· The first quarter of 2023 was the most prolific the ReliaQuest Threat Research Team has ever observed in terms of double-extortion ransomware groups. More victims were named on data-leak sites than in any other quarter to date—despite increased law enforcement operations and other challenges ransomware operators faced in 2022.
· March 2023 set the record for the most active month we have ever recorded in the history of double-extortion ransomware. More than 400 organizations were named on ransomware data-leak sites; that’s 35% more than the previous monthly record.
· In Q1 2023, ReliaQuest observed close to 850 organizations being named on ransomware and data-extortion websites on the dark web. This was a 22.4% jump from the previous quarter, which had a total number closer to 700.
Of the above 160 organizations (19%) are based in Europe. The most affected countries are the UK (with 7.5% of the total) followed by France (3.5%), Germany (3.3%), Italy (2.9%) and Spain (1.9%).
· Unsurprisingly, “LockBit” remained the most active group, by a wide margin. But the number-two spot came from a last-minute contender: Clop, with its GoAnywhere exploitation.
· Probably the most notable event in Q1 2023 was an attack campaign by “Clop,” exploiting a GoAnywhere managed le transfer (MFT) zero-day vulnerability (CVE-2023-0669) to breach over 130 organizations. This wasn’t Clop’s first large-scale supply-chain attack. In February 2021, Clop exploited an Accellion le transfer application (FTA) zero-day vulnerability to breach over 100 organizations.
· There were many similarities between these two campaigns; both exploited zero-days in le-transfer platforms, and in both Clop chose to steal data from victims and not drop ransomware. By skipping encryption, Clop could conduct these attacks at lightning speeds, reportedly taking only ten days to steal data usingGoAnywhere MFT.
· Despite the bonanza of ransomware attacks, extortion-only attacks diminished substantially: by 90%. We’re talking about threat groups that steal data, threaten to leak it on data-leak sites, and then don’t end up encrypting.
