This report is a monthly spotlight on the period’s most significant ransomware attacks, and the top five ransomware families, it will explore which industries have been targeted the most frequently, how the attacks are evolving (and how vulnerabilities have been exploited) as well as any new trends. Organizations can leverage these insights to enhance their cybersecurity strategies and mitigate the huge risks ransomware poses.
Welcome to the Ransomware Report for September 2023. This report provides a comprehensive analysis of notable ransomware incidents that occurred during this period. We delve into the top 5 ransomware groups responsible for the highest number of victims and their targeted industries. Additionally, we examine the geographic regions that witnessed the most ransomware attacks in September 2023. Moreover, we explore the developments within ransomware groups throughout the month, with a specific focus on emerging actors and the vulnerabilities exploited by ransomware groups in September 2023. The report’s objective is to furnish organizations with critical insights to enhance their cybersecurity measures and effectively counter the evolving ransomware threat landscape.
MGM Resorts got hit
In a major cyber incident, MGM (the American resort, casino, and hotel chain) experienced a widespread disruption that forced the shutdown of its internal networks as a precaution. The attack – attributed to the ALPHV ransomware affiliate – caused significant disruptions, affecting ATMs, slot machines, room digital key cards, and electronic payment systems within the company’s hotels and casinos.
Save the Children Suffers Ransomware Attack
The BianLian ransomware group has asserted its involvement in a cyberattack against Save the Children International, the world’s foremost nonprofit organization. The hackers allege that they’ve acquired nearly 7TB of data, encompassing 800GB of the charity’s financial records, human resources information, and personal data such as health and medical records, along with email communications.
A New Zealand University fell victim to Monti
The ransomware attack on New Zealand’s third-largest university, Auckland University of Technology, has been claimed by the Monti ransomware gang. They assert that they have taken 60GB of data and have set a ransom deadline of October 9th for the victim to make payment.
Better Outcomes Registry & Network (BORN), fell victim to Cl0p.
BORN, a healthcare organization in Canada, has been compromised in a Cl0p ransomware attack. The attackers exploited a zero-day vulnerability in Progress MOVEit Transfer software to steal data pertaining to 3.4 million people, primarily newborns and pregnancy care patients. The exposed data includes full name, home address, postal code, date of birth, health card number, and other sensitive information.
Johnson suffered a Ransomware attack
Johnson Controls International, a major building automation company, experienced a significant ransomware attack that encrypted numerous company devices, including VMware ESXi servers. The attack impacted both the company and its subsidiaries, leading to technical outages on their websites and customer portals. The ransomware gang, Dark Angels, demanded $51 million for a decryptor and claimed to have stolen over 27 TB of corporate data.
This month, the cybersecurity landscape witnessed the activity of more than 30 ransomware groups: LockBit had the most substantial impact, affecting 79 victims. LostTrust closely followed, with 53 victims. AlphV is responsible for 49, while RansomedVC and Cactus affected 44 and 33 victims, respectively. These ransomware groups posed considerable threats to cybersecurity throughout the month.
This month saw a wide range of ransomware attacks affecting many different industries worldwide. Among the hardest-hit sectors were manufacturing, real estate and construction, healthcare, E-commerce, and telecommunication and FMCG with 80, 73, 48, 42 and 38 victims respectively. These industries are prime targets due to their significant financial assets, sensitive data, and critical infrastructure. The attackers likely aimed to maximize their financial gains and exert widespread disruption. Other affected sectors, such as banking and finance, IT, and hospitality also possess valuable information that can be exploited.
September 2023 saw ransomware attacks spread to more than 50 locations, with the US leading significantly with 237 attacks.
Ransomware groups frequently target the USA, UK, and several European nations, drawn to their robust economies, advanced technology infrastructure, and valuable assets. These developed countries present attractive opportunities for cybercriminals looking to maximize financial gains and disrupt operations by exploiting their valuable data and resources.
Blackcat/ALPHV compromised Azure Storage
In a recent security incident, researchers detected the new BlackCat/ALPHV variant, Sphynx, used to encrypt Azure Storage. Attackers disabled security features, and encrypted systems. Sphynx enhances BlackCat’s evasion capabilities with changes to command-line arguments, making detection more challenging. Multiple Remote Monitoring and Management tools were also used in the intrusion.
Cuba came up with Dangerous Backdoor
The Cuba ransomware gang, known for stealing sensitive data, has evolved with new BurntCigar malware versions. Researchers discovered this during an investigation, finding a sophisticated backdoor called BugHatch that operates in process memory, connects to a command-and-control server, and can download tools like Cobalt Strike Beacon and Metasploit. The use of Veeamp suggests Cuba’s involvement.
“Xollam Ransomware: An Evolution of the TargetCompany Strain”
Xollam, a modified version of TargetCompany ransomware, encrypts files with “.xollam” extensions and spreads via phishing emails with malicious OneNote attachments. It utilizes fileless techniques, targets Azure SQL servers, and employs various tools for evading antivirus software. Encryption methods include ChaCha20, Curve25519, and AES-128.
FreeWorld- variant of Mimic Ransomware
A recently emerged variant of Mimic Ransomware is FreeWorld. When executed, this ransomware encrypts files and appends “.FreeWorldEncryption” to their filenames. Upon completion of this process, a ransom note named “FreeWorld- Contact.txt” is generated.
3AM is a new ransomware that has been coded using the Rust programming language. Its primary objective is to encrypt files stored on a victim’s computer, additionally altering the filenames of encrypted files by adding the “.threeamtime” extension. To communicate with the victim and demand a ransom for file decryption, the ransomware creates a ransom note titled “RECOVER-FILES.txt.”
10 Victims were listed on the leak site during the publishing of this report.
LostTrust is a newly emerging ransomware that encrypts files and adds the “.losttrustencoded” extension to the names of the encrypted files.
The ransomware generates ransom notes named “!LostTrustEncoded.txt” in every folder on the device. In these notes, the threat actors initially presented themselves as former white hat hackers who had transitioned to cybercrime due to inadequate compensation.
53 Victims were listed on the leak site during the publishing of this report.
A recently prevalent ransomware variant known as CryptBB is possibly coded in the Delphi programming language. Following the encryption of files, it appends a random character string as an extension to the original file names.
After completing the encryption process, this ransomware modifies the desktop wallpaper and then creates a ransom note titled “[random_string].README.txt.” It is highly likely that the threat actors behind this ransomware have Russian origins and have publicly declared their support for the Russian Federation.
8 Victims were listed on the leak site during the publishing of this report.
There was an increase in ransomware attacks in September compared to the previous month, demonstrating a consistent level of activity.
Ransomware poses a serious threat to both organizations and individuals in the external threat landscape. It causes extensive damage by encrypting data and demanding ransom payments. The consequences are severe, including financial losses, data recovery expenses, and business disruptions that lead to downtime and reduced productivity. Additionally, ransomware attacks can lead to data breaches, exposing sensitive information and customer data, resulting in regulatory compliance challenges and legal issues. The impact on reputation can be significant, with organizations facing public scrutiny, loss of customer trust, and reduced market confidence. All must stay vigilant and implement robust cybersecurity measures to combat this growing menace.
Ransomware operators are drawn to companies with valuable data, like personal information, financial records, and intellectual property. Industries like Manufacturing, Real Estate & Construction, Health Care, FMCG, E-commerce & Telecommunication, Finance, and Technology are top targets due to their valuable data. These attackers also focus on countries with strong economies and digital infrastructures, as they may have more assets to demand ransom for. Their goal is to exploit vulnerabilities in organizations and countries, encrypting data and demanding large ransoms for its safe return. The potential for huge profits motivates these cybercriminals to carry out their attacks.
In September 2023, a wide spectrum of ransomware attacks impacted various countries and global industries. Nations such as the USA, Germany, the UK, and Canada are targeted heavily due to their economic significance and advanced technology infrastructure, and multiple industries experienced the multifaceted motivations of cybercriminals, including financial exploitation and the disruption of vital services. The emergence of ransomware groups such as 3AM, LostTrust and CryptBB are notable, and the effectiveness of groups like Blackcat/ALPHV, Cuba, and Xollam highlights their expertise. The consistency in the number of victims from August to September underscores the ongoing ransomware threat: to tackle these challenges, organizations should enhance their cybersecurity measures to safeguard their data against these enduring and continuously evolving threats.