This report thoroughly analyses ransomware activity in August 2023, covering significant attacks, the top five ransomware families, geographical distribution, targeted industries, evolution of attacks, new ransomware groups, vulnerabilities exploited by ransomware groups, and trends between July and August 2023. Organizations can leverage these insights to enhance their cybersecurity strategies and mitigate ransomware risks.
Welcome to the August 2023 Ransomware Report. This report offers a detailed analysis of significant ransomware events during this period. We explore the top 5 ransomware groups responsible for the highest number of victims and the industries they targeted. Additionally, we investigate the geographical locations that experienced the most ransomware attacks in August 2023. Furthermore, we discuss the evolution of ransomware groups during this month, focusing on emerging actors and vulnerabilities exploited by ransomware groups in August 2023. The report aims to equip organizations with crucial insights to bolster their cybersecurity measures and combat the evolving ransomware threat landscape effectively.
Seiko fell victim to BlackCat Ransomware.
Japanese watchmaker Seiko fell victim to a cyberattack by the BlackCat/ALPHV ransomware gang. The breach, confirmed by Seiko on August 10th, exposed sensitive information stored in its IT infrastructure. BlackCat has now claimed responsibility, showcasing stolen data samples that include production plans, employee passport scans, new model releases, and confidential technical schematics.
Ransomware Hits South Africa’s Defense Department.
The Snatch ransomware gang has reportedly breached the Department of Defense South Africa and included the military entity on its data leak platform. The hackers claim to have acquired sensitive data such as military contracts, internal call signs, and personal information, amassing a significant 1.6 TB of data.
‘LockBitLocker’ Ransomware Phishing.
The National Police of Spain issued a warning about a sophisticated ‘LockBit Locker’ ransomware campaign targeting architecture companies through phishing emails. The attackers pose as a new photography store, engaging in detailed communication to build trust before delivering a malicious archive. This campaign is likely distinct from the main LockBit operation, negotiating via email rather than Tor, and using a ransomware executable with connections to the BlackMatter group. The complexity of these phishing attacks raises concerns about ransomware groups adopting more deceptive tactics to evade detection.
Rhysida Claims Prospect Medical Attack.
The Rhysida ransomware gang admits to infiltrating Prospect Medical Holdings, compromising 500,000 social security numbers, patient records, and more. The breach led to an IT network shutdown, necessitating paper record use. The group demands 50 Bitcoins ($1.3 million) in exchange for not releasing the exfiltrated data to the public.
Mom’s Meals Data Breach.
PurFoods, operating as ‘Mom’s Meals,’ disclosed a data breach affecting 1.2 million customers and employees, including the theft of personal data, including birthdates, financial info, medical records, and Social Security Numbers. Investigations revealed tools for data theft on the network.
In August 2023, more than 30 ransomware groups were found active, with the top 5 delineated below.
Cl0p takes the forefront among these groups, utilizing advanced tactics that empower them to target a considerable number of victims, thereby causing significant repercussions for both organizations and individuals.
This month, we have seen a troubling increase in ransomware attacks affecting many different industries worldwide. Among the hardest-hit sectors were Manufacturing, E-commerce & Telecommunication, IT, Banking & Finance, and FMCG with 79, 60, 44, 43 and 39 victims respectively. These industries are prime targets due to their significant financial assets, sensitive data, and critical infrastructure. The attackers likely aimed to maximize their financial gains and exert widespread disruption. Other affected sectors, such as Real Estate & Construction, Health Care, and Government, also possess valuable information that can be exploited.
In August 2023, ransomware attacks spread to more than 50 different locations, with the US leading significantly with 232 attacks.
The USA, UK, and various European nations face frequent attacks due to their substantial economies, advanced technological infrastructure, and valuable resources. These developed countries make ideal targets for ransomware groups seeking maximum financial gain and impact by exploiting their valuable data and resources.
Monti ransomware hits ESXi servers with an advanced Linux locker
The Monti ransomware gang came up with a new Linux locker, targeting VMware ESXi servers. Unlike previous versions, this variant has distinct changes, including a subtler ESXi VM termination method and improved evasion techniques. It uses AES-256-CTR encryption from OpenSSL, appending “.MONTI” to encrypted files, and generates ransom notes.
Yashma Ransomware Adapts Multilingual Approach
A Yashma ransomware variant, believed to be linked to Vietnamese actors, has initiated a multilingual attack campaign since June. Targeting organizations worldwide, it encrypts files and alters wallpapers, with ransom doubling after three days. The new variant retrieves its ransom note from a GitHub repository, evading traditional detection methods. The ransom note’s likeness to WannaCry adds to uncertainty, highlighting the need for comprehensive response strategies.
A new version of DoDo Ransomware has emerged
Linked to Chaos Ransomware, a new version of DoDo has emerged with a disguise as “Mercurial Grabber,” targeting users who unknowingly download the fake tool. While differences exist in ransom notes and extensions, both share the origin of Chaos Builder 3 and a common Bitcoin address. The updated version adds “. crypterdodo” to files, alters wallpapers, and includes a contact email.
BlackCat’s Sphynx Ransomware Integrates Impacket and RemCom for Lateral Spread
Researchers report that BlackCat ransomware’s new version, Sphynx, utilizes Impacket and RemCom tools to enhance lateral movement within breached networks. The ransomware, considered advanced, has transitioned into a post- exploitation toolkit, using Impacket for lateral spread and credential compromise. This version is identified as BlackCat 3.0, reinforcing the gang’s evolution and complexity in its attack tactics.
Collaboration Between Vice Society and Rhysida Ransomware
The Rhysida ransomware group shows technical connections to the Vice Society ransomware group, both of which target the education and healthcare sectors, however, Rhysida’s emergence does correlate with Vice Society’s decline. Shared Tactics, Techniques, and Procedures (TTPs) include lateral movement through RDP, PowerShell sessions, and PsExec. Defence evasion involves log deletion, and data encryption and access manipulation are common.
Akira continues to Exploit Vulnerability
Recently Akira ransomware has been seen infiltrating corporate networks through Cisco VPN products, using single-factor authentication. Uncertainty arises due to insufficient logging in Cisco ASA, making it unclear if credentials were brute- forced or bought from the dark web. It’s speculated Akira might have exploited a Cisco VPN vulnerability for authentication bypass. Leaked data on their page shows Akira using Cisco VPN. They also exploit RustDesk for network traversal, the first ransomware group to do so.
Scattered Spider, affiliated with BlackCat/ALPHV
The Scattered Spider cybercriminal group, known for unique attack methods, has reportedly partnered with the BlackCat ransomware group. Scattered Spider, active since 2022, utilized tactics like SMS phishing, social engineering, and SIM swapping. They shifted from data theft extortion to collaborating with BlackCat, seen through shared techniques and links. The collaboration suggests a shift towards ransomware operations within the Russian-speaking cybercriminal community. The partnership is marked by temporal, technical, and behavioral overlaps, indicating a change in tactics and goals.
Knight ransomware, a rebrand of Cyclops Ransomware-as-a-Service, is spread through a spam campaign posing as TripAdvisor complaints. Emails contain ZIP attachments with executables, leading to fake TripAdvisor pages. Clicking ‘Read Complaint’ downloads Excel XLL files, triggering Knight Lite ransomware to encrypt files with .knight_l extension. Ransom notes demand $5,000 in Bitcoin.
A new ransomware strain named INC is targeting large commercial entities, encrypting files with a “.INC” extension. The threat actor’s actions involve accessing different servers through compromised credentials and RDP. Data collection, exfiltration, and lateral movement were observed using tools like 7-Zip, native software, and MEGASync. Installation of Advanced IP Scanner, PuTTY, and credential access commands occurred, followed by file encryption execution via PSExec.
The number of ransomware victims increased by approximately 17% from July 2023 to August 2023, with 443 victims in July and 517 victims in August.
This significant rise in victims highlights the escalating threat of ransomware attacks during August Month.
|Sr No||CVE ID||CVSS Score||NAME||Affected Product||Associated Ransomware|
|1||CVE-2023-27532||7.5||Veeam Backup & Replication Cloud Connect Missing Authentication for Critical Function Vulnerability||All Veeam Backup & Replication (VBR) versions||Cuba ransomware|
|2||CVE-2021-33764||5.9||Windows Key Distribution Center Information Disclosure Vulnerability||Various Windows Server software configurations.||Scarab Ransomware|
|3||CVE-2023-35078||9.8||Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability||All supported versions of Ivanti Endpoint Manager Mobile (EPMM) prior to the vendor patch: 11.10. 11.9. 11.8||8Base Ransomware|
|4||CVE-2023-3519||9.8||Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability||NetScaler ADC and NetScaler Gateway versions.||8Base Ransomware|
Ransomware poses a serious threat to both organizations and individuals in the external threat landscape. It causes extensive damage by encrypting data and demanding ransom payments. The consequences are severe, including financial losses, data recovery expenses, and business disruptions that lead to downtime and reduced productivity. Additionally, ransomware attacks can lead to data breaches, exposing sensitive information and customer data, resulting in regulatory compliance challenges and legal issues. The impact on reputation can be significant, with organizations facing public scrutiny, loss of customer trust, and reduced market confidence. All must stay vigilant and implement robust cybersecurity measures to combat this growing menace.
Ransomware operators are drawn to companies with valuable data, like personal information, financial records, and intellectual property. Industries like Manufacturing, FMCG, E-commerce & Telecommunication, Finance, and Technology are top targets due to their valuable data. These attackers also focus on countries with strong economies and digital infrastructures, as they may have more assets to demand ransom for. Their goal is to exploit vulnerabilities in organizations and countries, encrypting data and demanding large ransoms for its safe return. The potential for huge profits motivates these cybercriminals to carry out their attacks.
The ransomware landscape in August 2023 showcased a surge in cyber threats across diverse geographies and industries. The targeting of countries like the USA, Germany, the UK, and Europe underscores the global impact of ransomware attacks, driven by economic significance and advanced technological infrastructure. The variety of industries affected highlights the breadth of cybercriminal motivations, from financial gains to disrupting critical services. The dominance of Cl0p and other ransomware groups emphasizes the evolving tactics used to exploit vulnerabilities, resulting in significant victim counts. The upward trend in victim numbers between July and August reflects the escalating danger posed by ransomware attacks. To address these challenges, it is vital for organizations to strengthen their cybersecurity defenses. This is essential for safeguarding data and reducing the growing risks posed by these persistent threats.