September Was a Record Month for Ransomware Attacks in 2023

Cyber Security Threat Summary:
Ransomware activity in September reached unprecedented levels following a relative lull in August that was still well above typical summer levels. “According to NCC Group data, ransomware groups launched 514 attacks in September. This surpasses March 2023 activity, which counted 459 attacks, and was heavily skewed by Clop's MOVEit Transfer data theft attacks” (Bleeping Computer, 2023). Clop had virtually no activity in September, which may be a sign that the sophisticated ransomware gang is looking for its next critical or zero-day vulnerability to exploit. According to NCC Group, the record month was driven by other threat groups, led by LockBit 3.0 (79 attacks), LostTrust (53), and BlackCat (47).

Of note is a new ransomware actor called LostTrust, which entered the ransomware landscape with the second-highest number of attacks in September. LostTrust is believed to be a rebrand of the MetaEncryptor ransomware group due to significant code overlaps.

“Ransomed, a newcomer in extortion attacks employing GDPR reporting threats, is in NCC's fourth place with 44 attacks. However, it should be noted that some of the attacks claimed by Ransomed were later found to be exaggerated” (Bleeping Computer, 2023).

Interestingly, one in five attacks in September came from new ransomware operations, highlighting a shift in prominent threat actors. Based on NCC Group's data, North America saw the most attacks with around 50%, followed by Europe with 30% and Asia with 9%. The most targeted sectors were 'industrials' (construction, engineering, commercial services) with 169 attacks, 'consumer cyclicals' (retail, media, hotels) with 94, 'technology' (software and IT services, networking, telecommunications) with 52, and 'healthcare' with 38.

Security Officer Comments:
Our Operations Team tracked 300 attacks in September, which put our figures close to what we saw in August. While not our top month of 2023, September was a busy month for ransomware groups. LockBit took the top spot for us with 71 attacks, followed by BlackCat (32) and Ransomed (26). Commercial facilities was our most targeted sector at 22%, and critical manufacturing was right behind with 17% of attacks. This aligns mostly with NCC Group's data. We also saw around 50% of attacks being focused on North America. Ransomed has recently joined our top five list. The group employs a unique extortion tactic not seen before, using data protection laws, such as the EU’s GDPR, to threaten victims with fines unless they pay the ransom. This approach diverges from typical extortion schemes by manipulating protective laws to justify their illegal attacks. By using these tactics, the Ransomed group attempts to exploit the fear of regulatory consequences and the potential harm to an organization’s reputation, making it more likely that victims will opt to pay the ransom to avoid negative outcomes.

Suggested Correction(s):
Back up your data, system images, and configurations, regularly test the backups, and keep them offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because, if your network data is encrypted by ransomware, your organization can still restore its systems from them.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system, and use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There has been a recent shift in ransomware attacks, from stealing data to disrupting operations. It is critically important that your corporate business functions and manufacturing/production operations are separated, that internet access to operational networks is carefully filtered and limited, and that links between these networks are identified so that workarounds or manual controls can be developed to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans, such as manual controls, so that safety-critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained to spot and avoid phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.