Ransomware: Increasing numbers, increasing ransom demands


In the first half of 2023, ransomware attacks increased by 46%. Lockbit is still the main attacker, and SMEs are the main victims. These are findings of the Incident Response Ransomware Report and its dark web monitoring.

In Arctic Wolf's Incident Response Ransomware Report, the company shares current incident response (IR) case data from its Security Operations Platform and the latest dark web monitoring insights from Arctic Wolf Labs.

Dark web monitoring shows sharp increase in ransomware attacks

On the Dark Web, threat actors maintain so-called leak or shame sites. On these sites, they threaten their victims with publishing their data and thus put pressure on them to comply with ransom demands. Although these sites do not represent an exact documentation of all global cyberattacks, they are still a good indicator of activity on the dark web and allow the current threat landscape to be contextualized. Arctic Wolf actively monitors known leak sites to better understand the dynamics of the threat landscape.

The significant increase in ransomware attacks and dark web activity in the first half of 2023 (H1) resulted in the largest data set Arctic Wolf has ever collected across its dark web monitoring and IR case data. The security operations expert observed a 43% increase in ransomware incidents in H1 2023 compared to the second half of 2022.

Leading threat actors

  • Lockbit was the threat group that posted the most on dark web shame sites in H1 2023, with its posting volume increasing by more than 17% compared to the same period last year. However, after a peak in activity in the first four months of the year, the number of dark web posts fell in May and June, pushing the group from the top spot.
  • MalasLocker appeared in May. In its first dark web posts, the group published data on a large number of victims based in Russia. Whether this is coincidence or intentional cannot be said with certainty. However, the geographical location of the victims is rather unusual. Additionally, both the shame site and MalasLocker ransom notes contain messages that suggest “hacktivist” motivation.
  • Cl0p, a ransomware group that first emerged in February 2019, was confirmed in June as the perpetrator behind the large-scale MOVEit Transfer exploits (CVE-2023-34362, CVE-2023-35036, CVE-2023-35708, and CVE-2023-36934). Arctic Wolf tracked the group's activity on leak sites between June 14 and July 14, 2023 and observed 169 cases, including 120 in the US, nine in the UK and eight in Germany.

Aside from MalasLocker, which appears to be politically motivated, Cl0p, Lockbit and the vast majority of attack groups are financially driven. Regardless of the victim company's industry, revenue, or number of employees, many threat actors launch their attacks by exploiting externally facing vulnerabilities, as Cl0p did, or by sending sophisticated phishing emails en masse to organizations worldwide.

Manufacturing industry targeted by ransomware groups

Throughout H1 2023, manufacturing companies were by far the most frequent victims of ransomware attacks. Despite the high number of postings on dark web shame sites compared to other industries, the median* of ransomware claims from those affected in the manufacturing industry was below the median of the total claims of recorded IR cases. This shows that while the manufacturing industry is not the most profitable for threat actors, it is easier to exploit due to the scale and complexity of its operations.

Ransom demands are increasing across industries: inflation?

The average ransom demand across all ransomware incidents Arctic Wolf responded to in the first half of the year was $600,000, a 43% increase compared to the same period last year.

Has inflationary pressure also reached the cyber crime business? Probably not. A combination of several factors is more likely: On the one hand, ransomware groups are trying to compensate for the drop in sales after they had to throttle their activities in 2022 due to the Russian war of aggression. On the other hand, cryptocurrencies have increased in value over the past year. The price of Bitcoin rose from around $25,000 on June 30, 2022 to over $40,000 on June 30, 2023.

Looking at the individual industries, there is a certain variance in ransom demands in certain industries compared to the previous year, with the median value* of demands once again highest in the technology sector and lowest in construction. These stagnant positions reflect the sophistication of threat actors and show that they have a good understanding of how much each industry can pay. This understanding is based on both the companies' publicly available financial data and the information the attackers collect from attacks on thousands of companies each year.

SMBs most affected by ransomware

Small and medium-sized businesses (SMBs) are particularly affected by the rise in ransomware. 82% of victims in H1 2023 had fewer than 1,000 employees.

Although large companies and corporations are not immune from becoming victims, they more often have larger security budgets. SMBs are therefore often more challenged to implement an effective security operations program due to a lack of financial resources and internal security expertise. Compared to large companies with billions in revenue, SMBs are also less able to absorb the financial impact of business interruptions as a result of a cyber incident. Therefore, owners are more willing to quickly pay a ransom to restart operations. This makes them an attractive target.

More at ArcticWolf.com

 


About Arctic Wolf

Arctic Wolf is a global leader in security operations, providing the first cloud-native security operations platform to mitigate cyber risk. Based on threat telemetry spanning endpoint, network and cloud sources, the Arctic Wolf® Security Operations Cloud analyzes more than 1.6 trillion security events per week worldwide. It provides company-critical insights into almost all security use cases and optimizes customers' heterogeneous security solutions. The Arctic Wolf platform is used by more than 2,000 customers worldwide. It provides automated threat detection and response, enabling organizations of all sizes to set up world-class security operations at the push of a button.


 
