Corvus: 2023 was a 'record-breaking' ransomware year

Clop on top

In many cases, ransomware groups disrupted hundreds to thousands of victims by exploiting just one vulnerability. One of the most well-known examples occurred in May when the Clop ransomware gang exploited a zero-day vulnerability in Progress Software's MoveIt Transfer managed file transfer (MFT) product. Clop's widespread campaign of data theft and extortion attacks impacted more than 2,000 organizations, according to estimates.

The report detailed five largescale attacks in total, including the MoveIt Transfer attacks and an earlier campaign that exploited a zero-day vulnerability in Fortra's GoAnywhere MFT software. Clop also took responsibility for subsequent ransomware attacks against GoAnywhere customers; Corvus counted an estimated 130 victims. According to the report, the highest number of victims stemmed from attacks that exploited known vulnerabilities in exposed ESXi servers. The campaign, which began in February, was dubbed ESXiArgs and hit thousands of victims, according to Corvus.

However, Clop wasn't the only active ransomware gang in 2023. Corvus confirmed the LockBit and Medusa ransomware groups claimed responsibility for many "high-profile" attacks in the fourth quarter. Unfortunately for victim organizations, the threat landscape was full of many active groups throughout the year. Corvus revealed a 34% increase in the number of active ransomware groups between the first quarter and fourth quarter of 2023. The year started with 35 groups and ended with 47, which Corvus said played a significant role in the record high year.

"This increase is attributed to the fracturing of well-known ransomware groups that have had their proprietary encryptors leaked on the dark web. As a result, many new actors have gained access to these encryptors and started their own ransomware operators," the report read.

One prime example was Babuk's encryptor, which Corvus said has been used by at least 10 ransomware groups since the leak. However, Cisco Talos obtained a decryptor for Babuk Tortilla ransomware victims following an arrest of a threat actor in January 2024. The vendor shared the decryptor with Avast, which updated its earlier Babuk decryptor to assist victims with recovering from a wider set of Babuk strains.

Law enforcement efforts

Successful law enforcement actions were also highlighted in the Corvus report. In August 2023, an international law enforcement operation dismantled Qakbot, a malware used to deploy dangerous ransomware. However, Corvus confirmed ransomware groups adapted quickly. Operators switched from using Qbot code to Pikabot and DarkGate.

A law enforcement effort publicly disclosed by the Department of Justice on Dec. 19 also temporarily disrupted the BlackCat/Alphv ransomware group. Corvus held a webinar Tuesday that expanded on the report and discussed additional law enforcement actions. Ryan Bell, head of threat intelligence at Corvus, said the insurer observed a decrease in activity on BlackCat's leak site beginning on Dec. 3. However, victim names ramped up again the week of Dec. 24.

Bell added that BlackCat accounted for 9% of total ransomware victims in 2022 and 2023. "We expected them to roll and over die [following law enforcement action], but they're not giving up as quickly as other groups in the past," Bell said during the webinar.

Another panelist, Josh Douget, senior claims manager for Corvus, detailed a case study that involved law enforcement and a wholesale distributor with locations throughout the U.S. The policyholder was attacked by an unnamed ransomware threat actor that exfiltrated data and encrypted its network, including business critical systems. Douget emphasized how the attack halted operations at many of the company's locations. After the policyholder contacted Corvus, the distributor engaged a ransom negotiator, forensics team and the FBI. The FBI provided the company with a decryptor, which significantly limited business disruptions. Although some corrupted data remained, the company's backups filled in any gaps.

"While all of this was going on, the ransom negotiator was on the phone with the threat actor attempting to delay posting the victims data to the public data leak site," Douget said. "In just the nick of time, the FBI spring into action and seized that leak site and took it down, which prevented any sensitive information from ever being posted to the dark web."

While Douget said policyholders can't rely on law enforcement to "save the day for every single claim," he said their work to disrupt ransomware groups is beneficial "from time to time." Corvus wasn't the only company to observe a significant increase in the ransomware threat last year.

In October, NCC Group found a 153% increase in the number of attacks between September 2022 and 2023. TechTarget Editorial also tracked ransomware activity in 2023 and found an alarming increase in attacks against the private sector and healthcare in December. Corvus's report on Tuesday warned that attacks against law practices are also on the rise.

Corvus urged organizations to apply the same resilience threat actors exhibited throughout 2023, as risks will only increase.

"2024 will no doubt have more surprises, new threat actors, re-brands and lots of new vulnerabilities. The honing of the ransomware craft dominated 2023, and every indication points to that continued story in 2024," the report said. "The onus is on businesses to bolster security in their own networks."

Updated on 2/7/2024.

Arielle Waldman is a Boston-based reporter covering enterprise security news.