Ransomware has been making headlines for several years in a row. In their quest for profit, attackers have targeted almost every type of organization, from healthcare and educational institutions to service providers and industrial enterprises, affecting nearly every aspect of daily life. This year, these groups are still managing to come up with new, elaborate techniques or even attribute features of former gangs among top players that have currently ceased operations. Kaspersky has released a new report reviewing last year’s ransomware predictions and providing insights for 2023.
In 2022, Kaspersky solutions detected more than 74.2M attempted ransomware attacks, a 20% increase over 2021 (61.7M). At the same time, at the beginning of 2023 we saw a slight decline in the number of ransomware attacks – however, they became more sophisticated and targeted. Moreover, the top five most influential and prolific ransomware groups have drastically changed over the last year. The deceased REvil and Conti, that placed second and third in H1 2022 respectively in terms of attacks, in Q1 2023 were replaced by Vice Society and BlackCat. The remaining ransomware groups that formed TOP5 in Q1 2023 are Clop and Royal.
The review of last year’s ransomware trends shows that all of them persisted. In the course of 2022 and at the beginning of 2023, there were several cross-platform ransomware modifications that caught researchers’ eyes, such as Luna and Black Basta. Ransomware gangs have also become more industrialized, with groups such as BlackCat adjusting their techniques over the year. For now employees of victim organizations must check to see if they are listed in the stolen data, thus increasing the pressure on the affected organization to pay a ransom. The geopolitical situation has seen some ransomware groups take sides in conflicts – including the Eternity stealer. The group behind it created a whole ecosystem, with a new ransomware variant.
For 2023, Kaspersky experts have presented three key trends for ransomware threat landscape development. The first refers to more embedded functionality used by various ransomware groups such as self-spreading functionality or an imitation of it. Black Basta, LockBit, and Play are among the most significant examples of ransomware that spreads on its own.
The next trend to recently emerge is driver abuse for malicious purposes – an old trick. Some of vulnerabilities in AV driver were exploited by AvosLocker and Cuba ransomware families, however, Kaspersky experts’ observations show that even the gaming industry can fall victim to this sort of attack. Reportedly, the Genshin Impact anti-cheat driver was used to kill endpoint protection on the target machine. And the trend continues to be watched with high-profile victims such as government institutions in European countries.
Finally, Kaspersky experts draw attention to how the largest ransomware gangs are adopting capabilities from either leaked code, or code sold by other cybercriminals, which may improve their malware’s functions. Recently LockBbit group adopted code, at least 25 percent of the leaked Conti code, and issued a new version based entirely on it. These types of initiatives provide affiliates with similarities and facilities to work with ransomware families that they were previously used to working with. Such moves can strengthen their offensive capabilities – and that should keep in mind in companies’ defense strategy.
“Ransomware gangs continually surprise us, and never stop developing their techniques and procedures. What we’ve been watching throughout the last one and a half year is that they are gradually turning their services into full-fledged businesses. This fact makes even amateur attackers quite dangerous,” comments Dmitry Galov, senior security researcher at Kaspersky’s Global Research and Analysis Team. “So, to make your business and your personal data safe, it’s very important to keep your cybersecurity services updated.”
Kaspersky encourages organizations to follow these best practices that help safeguard against ransomware:
Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for Kaspersky’s TI, providing cyberattack data and insights gathered by our team for over 20 years. To help businesses enable effective defenses in these turbulent times, Kaspersky has announced access to independent, continuously updated and globally sourced information on ongoing cyberattacks and threats, at no charge.