Making Sense of the 2023 Ransomware Landscape

Ransomware actors thrive in a fluid and dynamically changing business ecosystem and times of radical upheaval, and that’s what they’ve gotten since Russia’s invasion of Ukraine. While the notorious Qakbot botnet, linked to more than 40 ransomware attacks over the past 18 months, was recently dismantled, plenty of new threat actors and their affiliates remain.

Understanding the current ransomware landscape is the first step to helping defenders protect their organizations. With this goal in mind, DomainTools researchers analyzed the most prolific ransomware families and the challenges they present in 2023.

Here are some of the most important trends they identified:

LockBit, and the Ransomware-as-a-Service (RaaS) Model, Is Thriving

LockBit is now the most deployed ransomware variant in the world. Its operation has taken in about $91 million in ransom payments from U.S. victims alone since its first reported attack in January 2020.

The group behind LockBit 2.0, since superseded by LockBit 3.0, has had tremendous success over the last few years by leveraging the now well-established ransomware-as-a-service (RaaS) model. In spring 2023 alone, LockBit 3.0 was used in attacks on more than 300 organizations, compared with just over 100 victim organizations for its closest competitor, ALPHV (BlackCat). The group shows no signs of slowing down: it actively advertises on popular darknet forums to recruit affiliates and expand its market share, and it has even launched its own bug bounty program, paying as much as $1 million, enough to rival the programs of legitimate businesses and government bodies. In short, LockBit exemplifies how well-oiled a machine the ransomware trade has become.


As the marketplace continues to mature, it will become increasingly commodified and competitive. Just like ordinary consumers, affiliates will be able to shop around and negotiate better terms, service or support from their RaaS provider. That competition could yield higher-quality ransomware tooling, making defenders' lives that much harder.

Mayhem in the Cybercriminal Underworld Creates Mayhem in Defense Strategies

In early 2022, defenders also had to contend with the Conti gang. The group disbanded in May 2022 after internal discord over geopolitical events, demonstrating once again that these groups do not exist in a vacuum. Conti had publicly announced its support for Russia days after the invasion of Ukraine, prompting a Ukrainian member to leak masses of the group's internal documents and chat data in retaliation (the so-called "Conti Leaks") and leaving room for the ALPHV (BlackCat) and CL0P syndicates to grow their operations. Conti's dissolution has also given rise to new players such as Royal, Black Basta, Karakurt and Quantum, made up in part of former Conti members. Of note, the first two have already made their mark, standing among the Top Five Ransomware Groups by Victimology for Spring 2023.

All of this movement has made it harder for defenders to determine who is who. Where infrastructure, code bases and TTPs (tactics, techniques and procedures) may once have been relatively unique to each group, the lines have blurred as gangs disperse, reshuffle and reorganize. Consequently, it will become increasingly vital that organizations work with reputable providers of accurate threat intelligence.

Crackdown on Payments Leads to Attacks on Vulnerable Industries

Last but not least, the past year has seen significant disruption to the services that ransomware gangs use to finance their operations, including the closure of unlawful cryptocurrency exchanges and the sanctioning of individuals tied to cybercriminal groups. What's more, victims are less likely to pay ransom demands, owing to a combination of factors: better security posture and preparedness among companies that maintain backups, reluctance among insurers to settle claims, and widespread expert advice against paying. In fact, Chainalysis reported a significant drop in ransoms paid, from $766 million in 2021 to $457 million in 2022. To compensate, some criminal groups appear to be turning their attention to healthcare, IT services and government administration: industries that have historically been underfunded but are also under heightened pressure to pay and restore services quickly to limit the impact on people's lives and livelihoods. Healthcare in particular has been hard hit, rising to the second most targeted industry in 2023.

What’s Next

We are facing a ransomware landscape that is only becoming more sophisticated as commoditization drives business innovation among cybercriminal groups. Add to this the muddying of the waters as gangs disband and re-form, using a pick-and-mix of TTPs, infrastructure and code bases, and a rising tendency among threat actors to target vulnerable industries to compensate for reduced payouts. These trends pose a significant challenge for defenders. Organizations must be diligent about maintaining defense in depth and work collectively with the most current threat intelligence to identify new trends and techniques, in order to stay one step ahead of these motivated threat actors.

Sean McNee

Sean M. McNee is the VP Research & Data at DomainTools. Over his career, Sean has harnessed the power of machine learning and visual analytics to help people find the information they need to make better decisions, including academics, lawyers, and threat hunters and network defenders. He now looks for ways to make the internet a better place. Sean received his PhD from the University of Minnesota, where he researched personalization and recommender systems. For his research contributions, he was a winner of the 2010 ACM Software System Award.
