Ransomware Trends Overview
As ransomware’s fundamental nature shifts from encryption to data exfiltration, organizations’ data backup and recovery practices no longer protect them from attacks: a restored system does nothing about data that has already been stolen. Over the past few years, the cybercriminal landscape has changed too.
More and more criminal ransomware organizations are adopting “as-a-Service” business models on the dark web which open the door to attackers of all levels participating. Cybercriminals can now purchase the entire ransomware infrastructure on the dark web.
For this analysis, the Flare research team reviewed data from thousands of double and triple extortion ransomware attacks to identify trends around:
- Changes to data extortion attacks over time
- Groups representing the most significant threats
- Industries most affected by ransomware attacks
Read our full report, Data Extortion Ransomware & The Cybercrime Supply Chain: Key Trends in 2023, and/or continue reading for the highlights.
How to “Talk” Ransomware
As ransomware attacks have changed over the years, the vocabulary used to describe the different actors and variants has evolved too. Some key terms used when discussing ransomware organizations and variants include:
- Data Extortion: Ransomware operator threatening to publish stolen data if the victim fails to pay ransom
- Double Extortion Ransomware: Attack using two methods of extortion, like data extortion and encryption
- Triple Extortion Ransomware: Attack using three or more separate extortion methods, like encryption, data extortion, and third-party notification
- Ransomware Group: An organized, criminal group focused on ransomware creation, distribution, and extortion
- Ransomware Affiliate: An outside party partnering with a ransomware group and sharing in potential profits
- Ransomware Blog: A Tor website where a ransomware group publishes victim data
- Dedicated Leak Site (DLS): A website/hidden service where ransomware operators publish the stolen data, with more advanced groups maintaining a blog and DLS
Ransomware Groups and Data Extortion
Ransomware groups exist within a broader cybercrime ecosystem that includes cybercriminals selling resources like:
- Initial access to corporate IT environments
- Cookies for SSO applications
- Ready-made infrastructure for distribution
Additionally, ransomware organizations are self-sufficient entities that take on different business models, including:
- Corporate structure: Ransomware groups with clear hierarchies and role specializations
- Affiliate programs: Ransomware groups that supply their ransomware to outside affiliates, who handle gaining initial access and infecting systems in exchange for a share of the profits
The different business models impact how the cybercriminal organization operates within the broader ecosystem.
Infostealers, Dark Web Marketplaces, and Paid Telegram Channels
Often underestimated, infostealer malware infects victim computers mainly through cracked software downloads, malvertising, and phishing emails. Once executed, the malware exfiltrates the device’s data into a “stealer log,” including the browser fingerprint with its stored credentials, active session cookies, credit card information, and host information.
Ransomware groups can purchase this data on dark web marketplaces and illegal Telegram channels enabling access to:
- Corporate SSO applications
- Active Directory (AD) environments
- Remote desktop protocol (RDP)
According to Flare’s research, a sample of more than 20 million unique stealer logs identified:
- 196,970 instances of AD credentials
- 53,292 corporate SSO credentials
Malware-as-a-Service (MaaS), Phishing-as-a-Service (PaaS), and Cybercrime Infrastructure Vendors
MaaS and PaaS vendors provide the infrastructure and malware necessary for cybercriminals to access privileged systems.
Examples of the services these criminal organizations provide include:
- Exploit kits
- Remote access trojans (RAT)
With these services, unsophisticated ransomware operators can quickly, efficiently, and successfully deploy attacks.
Initial Access Brokers (IABs) and Obtaining Privileged Access
Operating largely on the Exploit and XSS forums, IABs specialize in gaining and selling access to corporate IT environments. While IABs only post one or two listings per day, the listings are often high-quality, containing the access ransomware operators need to compromise networks and infrastructure.
Tor Ransomware Blogs
Ransomware groups use these Tor sites to communicate with affiliates and victims, often posting updates like:
- Affiliate program updates
- Data from victims who failed to pay the ransom
Cybercriminals can use these websites to pressure victims into paying the ransom.
Ransomware, Data Extortion, and the Explosive Growth of Organized Cybercrime
To understand key ransomware trends in 2023, Flare analyzed more than 80 ransom publications over more than 18 months, comprising thousands of events.
According to this research, we found a 112% annualized increase in data extortion tactics primarily targeting the following industries:
- Information Technology: Targeting Managed Security Services Providers (MSSPs) and Software-as-a-Service (SaaS) companies to distribute ransomware
- Professional and Consumer Services: Targeting organizations that hold highly sensitive data, like law firms, accounting practices, and consultants, with an incentive to pay ransoms
- Financial and Insurance: Targeting financial services companies that hold corporate and consumer sensitive data
Our analysis of the groups and affiliates responsible for the majority of attacks found the following most prominent ones:
- LockBit Ransomware as a Service Group: providing an easy “point and click” service that accounted for 20% of ransomware attacks in some countries and tens of millions of dollars in damages
- CL0P Ransomware Gang (TA505): demonstrating sophistication and adaptability through a multi-vector approach to cyber-attacks, with the zero-day MOVEit exploit as one of their best-known operations
- BianLian: specializing in ransomware deployment and data extortion, primarily gaining initial access through compromised RDP credentials to target critical infrastructure, professional services, and property development industries
Ransomware Prevention Recommendations
Addressing Primary Ransomware Attack Vectors
The three primary attack vectors that ransomware organizations target are:
- Stolen credentials (especially through stealer logs)
- Human error
Preventing and Identifying Stealer Logs and Leaked Credentials
With a new class of RAT dubbed infostealer malware, stealer logs have become a greater threat, especially those containing active session cookies: a valid cookie lets an attacker resume an authenticated session without ever completing two-factor authentication (2FA) or multi-factor authentication (MFA).
Since people often reuse passwords across multiple services, ransomware operators can use stolen credentials as an easy entry point, giving them the opportunity to move laterally and attempt to access AD. At that point, they escalate privileges to steal files.
Ransomware Prevention Best Practices for Blue Teams
- Implement robust detection measures for stealer logs on Russian Market, Genesis Market, and public/private Telegram groups
- Monitor for reused passwords identified in a data breach, paying particular attention to reused passwords found across multiple breaches
- Monitor for stealer logs that contain specific access to RDP, VPN, and SSO credentials (corporate access)
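The two monitoring practices above (flagging stealer-log entries that expose corporate RDP, VPN, or SSO access, and spotting passwords reused across breaches) can be reduced to a small triage routine. The following is an added example written for this article; it is not Flare’s code, and the record layout, the `example.com` host list, the HMAC key, and the sample records are all constructed for illustration. Entries that carry a live session cookie are ranked above bare passwords, for the MFA-bypass reason discussed earlier, and password reuse is checked on keyed hashes so plaintext never has to be retained.

```python
"""Triage of stealer-log records for corporate access exposure (added example)."""
import hashlib
import hmac
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed: host patterns an organization treats as "corporate access".
# Keys are the categories a blue team would prioritize.
CORPORATE_HOSTS = {
    "sso": re.compile(r"^(login|sso)\.example\.com$"),
    "vpn": re.compile(r"^vpn\.example\.com$"),
    "rdp": re.compile(r"^(rdp|rdweb)\.example\.com$"),
}


@dataclass(frozen=True)
class StealerRecord:
    """One credential line as it might appear in a stealer log (constructed layout)."""
    host: str
    username: str
    password: str
    has_session_cookie: bool
    source: str  # market, channel, or dump where the record was observed


def classify_record(rec):
    """Return the corporate access category a record exposes, or None."""
    for category, pattern in CORPORATE_HOSTS.items():
        if pattern.match(rec.host.lower()):
            return category
    return None


def triage(records):
    """Group corporate-access records by category and rank cookie-bearing ones highest."""
    findings = defaultdict(list)
    for rec in records:
        category = classify_record(rec)
        if category is None:
            continue  # personal or unrelated site; not a corporate exposure
        findings[category].append({
            "user": rec.username,
            "source": rec.source,
            # A captured session cookie can sidestep MFA, so it outranks a password.
            "severity": "critical" if rec.has_session_cookie else "high",
        })
    return dict(findings)


def password_fingerprint(password, key):
    """Keyed SHA-256 of the password, so reuse can be compared without storing plaintext."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def reused_passwords(records, key):
    """Map each user to the sources where the same password appeared more than once."""
    seen = defaultdict(set)
    for rec in records:
        seen[(rec.username, password_fingerprint(rec.password, key))].add(rec.source)
    return {
        user: sorted(sources)
        for (user, _), sources in seen.items()
        if len(sources) > 1
    }


# Constructed sample records; source names are placeholders, not real listings.
SAMPLE_RECORDS = [
    StealerRecord("login.example.com", "alice@example.com", "Winter2023!", True, "telegram-channel-A"),
    StealerRecord("vpn.example.com", "bob@example.com", "Summer2022!", False, "market-B"),
    StealerRecord("shop.example.net", "alice@example.com", "Winter2023!", False, "breach-dump-C"),
    StealerRecord("rdweb.example.com", "carol@example.com", "p@ssw0rd", False, "breach-dump-C"),
    StealerRecord("mail.example.net", "bob@example.com", "unrelated-pass", False, "telegram-channel-A"),
]

if __name__ == "__main__":
    for category, hits in triage(SAMPLE_RECORDS).items():
        for hit in hits:
            print(f"[{hit['severity']}] {category}: {hit['user']} via {hit['source']}")
    for user, sources in reused_passwords(SAMPLE_RECORDS, b"demo-hmac-key").items():
        print(f"password reuse: {user} across {', '.join(sources)}")
```

On the sample data the SSO entry for alice is ranked critical because a session cookie was captured, the VPN and RDP entries are high, the retail site is ignored, and alice is reported for reusing one password across two sources. In a real deployment the host patterns would come from the organization’s asset inventory and the HMAC key would be held in a secrets store rather than in the script.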
How Flare Can Help: Ransomware Threats
Flare’s proactive external cyber threat exposure management solution constantly scans the online world, including the clear & dark web and illegal Telegram channels.
With 4,000 cybercrime communities monitored, our platform provides data from 14 million stealer logs and two million threat actor profiles. Since our platform automatically collects, analyzes, structures, and contextualizes dark web data, you gain the high-value intelligence specific to your organization for faster dark web investigations and significant reduction in data leak incident response costs.