
Palo Alto Networks Releases Report "2024 Ransomware Review: Analysis of Unit 42 Leaked Websites"

Author: CEP TMT

Ransomware underwent tremendous change in 2023. Ransomware leak sites reported a 49% increase in victims, with a total of 3,998 posts published by the various ransomware groups. 2023 also saw the emergence of some high-profile vulnerabilities, such as the SQL injection flaw in MOVEit Transfer and the GoAnywhere MFT vulnerability. Zero-day exploitation of these vulnerabilities led to a spike in infections attributed to groups such as CL0P, LockBit, and ALPHV (BlackCat) before defenders could update the exploited software.

Based on an analysis of data from ransomware leak sites (sometimes called dedicated leak sites, abbreviated DLS), Palo Alto Networks has released the report "Ransomware Review 2024: Analysis of Unit 42 Leak Sites".

Leak sites and the Palo Alto Networks dataset

Ransomware leak sites first appeared in 2019, when the Maze ransomware began practicing double extortion. Maze, which stole victims' files before encrypting them, was the first known ransomware group to set up a leak site in order to coerce its victims and publish stolen data. Such attackers pressure victims to pay both to decrypt their files and to prevent their sensitive data from being exposed. Since 2019, ransomware groups have increasingly used leak sites in their operations.

Palo Alto Networks monitors these sites, which are usually reachable via the dark web, and studies their data to identify trends. Because leak sites have become commonplace among most ransomware groups, researchers often use this data to gauge the overall level of ransomware activity and to estimate when a ransomware group first became active.

The dataset compiled by Palo Alto Networks shows how ransomware groups evolved in 2023, which industries were affected, and how attacks were distributed geographically. What's more, the volume of ransomware activity reflects the massive impact of zero-day exploitation of critical vulnerabilities.

Critical vulnerabilities

Palo Alto Networks observed 3,998 posts on ransomware leak sites in 2023, an increase of about 49% from 2,679 posts in 2022. The increase in activity may be due to zero-day exploitation of critical vulnerabilities such as CVE-2023-0669 in GoAnywhere MFT and the MOVEit Transfer SQL injection vulnerabilities CVE-2023-34362, CVE-2023-35036, and CVE-2023-35708.

CL0P claimed responsibility for the MOVEit Transfer exploitation campaign. In June 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) estimated that the TA505 group, known for its use of the CL0P ransomware, had compromised about 8,000 victims worldwide. The scale of these attacks forced vulnerable organizations to shorten their reaction times in order to respond effectively to the threat. The sheer volume of stolen data also forced the ransomware group to adjust how it ran its leak site. CL0P was not the only group to exploit critical vulnerabilities: ransomware groups such as LockBit, Medusa, and ALPHV (BlackCat) exploited the Citrix Bleed vulnerability (CVE-2023-4966) as a zero-day, carrying out multiple intrusions during November 2023.

Looking at the number of intrusions reported on ransomware leak sites month by month in 2023, Palo Alto Networks saw spikes in certain months. These spikes roughly coincide with the dates on which ransomware groups began exploiting specific vulnerabilities. Not all ransomware attackers have the ability to exploit zero-day vulnerabilities, however. Some ransomware groups are made up of inexperienced attackers who use whatever means are at their disposal. Regardless of experience, the roster of attackers is constantly changing in an evolving threat landscape, and 2023 was a year in which a number of new ransomware groups emerged.

Emerging ransomware groups in 2023

Given the high ransoms paid by victims in recent years, ransomware has become a coveted source of revenue for cybercriminals. These criminals form new ransomware groups, but not every operation is successful or sustainable. New ransomware groups must consider issues that other malware operations do not, such as communicating with victims and maintaining operational security. The overt nature of ransomware operations increases the risk of discovery by law enforcement agencies, security vendors, and other defenders. Ransomware groups must also consider their competitors: in the highly competitive ransomware market, profit sharing, software features, and support for affiliates (members) can greatly affect a new group's position in that market.

Despite these challenges, the data shows that 25 new leak sites emerged in 2023. These groups have launched at least one ransomware-as-a-service (RaaS) offering and aim to be strong contenders in the ransomware market. It is worth noting that at least three of these groups became active at some point in 2022. Palo Alto Networks nevertheless classifies them as new in its analysis for two reasons: first, even if analysis suggests these groups were operating sometime in 2022, they were first publicly reported in 2023; second, a leak site is essential to making a name in today's ransomware market. According to reports, three ransomware groups that started in 2022 set up new leak sites in 2023: 8Base, Cloak, and Trigona.

The number of new groups reflected in the leak site data shows how competitive the ransomware market is. At least 5 of the 25 groups that set up new leak sites in 2023 did not publish new posts in the second half of 2023, suggesting that they may have shut down. However, not posting on a leak site does not necessarily mean a group has ceased to function: its members may have moved on to other types of operations, disappeared from public view, or merged with other ransomware groups. If some of these groups do not last more than a year, new threat actors fill the void. In the second half of 2023, 12 new leak sites began posting, suggesting that these groups started their activities in the second half of the year.

These 25 new leak sites account for about 25% of all ransomware posts in 2023. Among the new groups, Akira has the highest number of posts. Akira was first spotted in March 2023 and has been described as a fast-growing ransomware group; researchers linked it to Conti through cryptocurrency transactions involving Conti's leadership team. The second most active new leak site in 2023 belonged to the 8Base ransomware. 8Base is one of the groups that has been active since 2022, but it only started announcing victims in May 2023.

Leak Site Statistics 2023

Analyzing leak site data provides insight into the level of the ransomware threat. Palo Alto Networks examined 3,998 leak site posts in 2023; the data reveals the most active groups, the most affected industries, and the regions of the world hardest hit by ransomware.

Distribution by ransomware group

Of the 3,998 leak site posts in 2023, the LockBit ransomware remained the most active, with 928 victim organizations posted, or about 23% of the total. LockBit has been active since 2019 with little interruption and has been the most prolific ransomware group for two years in a row. With the fall of groups such as Conti, Hive, and Ragnar Locker, LockBit has become the ransomware of choice for many attackers, who subsequently join the group as affiliates. LockBit has released several variants affecting both Linux and Windows operating systems. By repurposing freely available tools and taking advantage of LockBit's fast encryption, affiliates can tailor a ransomware campaign to their needs.

Second in number of leak site posts is the ALPHV (BlackCat) ransomware, with about 9.7% of all leak site posts in 2023. Third is the CL0P ransomware, with about 9.1% of posts in 2023. CL0P is known for zero-day exploitation of critical vulnerabilities such as Progress Software's MOVEit Transfer and Fortra's GoAnywhere MFT. However, the number of businesses CL0P lists on its leak site may not accurately reflect the full impact of these breaches. For example, CL0P's leak site data shows that it compromised 364 businesses during the year, but a report analyzing CL0P's exploitation of the MOVEit vulnerability in 2023 states that 2,730 businesses were affected. Discrepancies between leak site data and actual impact are common, and this is a prime example.

Monthly and weekly averages

Palo Alto Networks observed a total of 3,998 ransomware posts, meaning that ransomware groups generated an average of 333 posts per month in 2023, or nearly 77 posts per week. The 2023 data shows an increase in ransomware activity compared to 2022.

In 2022 there were 2,679 leak site posts, an average of 223 per month and 52 per week. The number of posts on ransomware leak sites in 2023 therefore increased by 49% over the previous year.

The month with the most leak site posts in 2023 was July, with a total of 495. CL0P was probably the group with the most posts that month, owing to its mass exploitation of the MOVEit vulnerability. The leak site post counts show that January and February 2023 were the least active months for ransomware.
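As an added illustration (not part of the original report or its dataset), the following Python script applies the leak-site calculations the article describes, from the "emerging groups" discussion through the statistics above, to a small constructed set of posts: earliest post per group as the proxy for when it became active, groups new in a given year, groups that went quiet in the second half, per-group and per-country shares, monthly counts, and year-over-year change. All records are constructed sample data, not Unit 42 figures.

```python
from collections import Counter
from datetime import date

# Constructed sample of leak-site posts as (group, post_date, victim_country); not real data.
POSTS = [
    ("LockBit", date(2022, 3, 4), "US"), ("CL0P", date(2022, 8, 10), "US"),
    ("LockBit", date(2023, 1, 9), "US"), ("ShortLived", date(2023, 2, 2), "FR"),
    ("Akira", date(2023, 3, 21), "US"), ("ShortLived", date(2023, 5, 30), "US"),
    ("CL0P", date(2023, 6, 15), "US"), ("CL0P", date(2023, 7, 1), "US"),
    ("LockBit", date(2023, 7, 2), "GB"), ("CL0P", date(2023, 7, 3), "DE"),
    ("Akira", date(2023, 9, 5), "US"), ("LockBit", date(2023, 11, 20), "CA"),
]

def posts_in_year(posts, year):
    return [p for p in posts if p[1].year == year]

def first_seen(posts):
    """Earliest post per group: the usual proxy for when a group became active."""
    seen = {}
    for group, day, _ in posts:
        if group not in seen or day < seen[group]:
            seen[group] = day
    return seen

def new_groups(posts, year):
    """Groups whose first leak-site post appeared in `year`."""
    return sorted(g for g, d in first_seen(posts).items() if d.year == year)

def quiet_in_h2(posts, year):
    """Groups that posted in the first half of `year` but not in the second half."""
    h1, h2 = set(), set()
    for group, day, _ in posts_in_year(posts, year):
        (h1 if day.month <= 6 else h2).add(group)
    return sorted(h1 - h2)

def share(posts, year, field):
    """Percentage of the year's posts per value of `field` (0 = group, 2 = country)."""
    counts = Counter(p[field] for p in posts_in_year(posts, year))
    total = sum(counts.values())
    return {k: round(100 * n / total, 1) for k, n in counts.items()}

def monthly_counts(posts, year):
    """Posts per calendar month, January first; spikes hint at mass exploitation."""
    counts = Counter(p[1].month for p in posts_in_year(posts, year))
    return [counts.get(m, 0) for m in range(1, 13)]

def yoy_change(posts, year):
    """Percentage change in post volume versus the previous year (None if no baseline)."""
    prev, cur = len(posts_in_year(posts, year - 1)), len(posts_in_year(posts, year))
    return round(100 * (cur - prev) / prev) if prev else None
```

In the sample, a group that posted only in February and May is flagged as quiet in the second half, which the article notes can mean a shutdown, a merger, or simply a move out of public view.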

Affected Industries

Some ransomware groups may focus on specific countries or industries, but most are opportunists whose primary goal is profit. As a result, many ransomware groups attack businesses across multiple industries. The distribution of leak site posts in 2023 shows that manufacturing was the industry most affected by ransomware, accounting for 14% of all posts. This is because manufacturers often have limited visibility into their operational technology (OT) systems, often lack adequate network monitoring, and sometimes fail to implement security best practices.

Regional impacts

Leak site data shows that the majority of victims in 2023 were located in the United States, accounting for 47.6% of all posts, followed by the United Kingdom with 6.5%, Canada with 4.6%, and Germany with 4%.

Since leak sites first emerged in 2019, businesses in the United States have been the top targets for ransomware. The Forbes Global 2000 list ranks the world's largest companies by sales, profits, assets, and market capitalization. In 2023, 610 companies on the list were based in the United States, nearly 31% of the Forbes Global 2000. This tells ransomware groups that the country is home to wealthy targets.

While ransomware groups tend to target wealthy regions such as the United States, the threat remains a pervasive global problem. Leak site data for 2023 shows victims in at least 120 countries around the world.

Summary

As the number of ransomware leak site posts shows, ransomware became increasingly rampant in 2023, with a significant increase in activity and the emergence of new ransomware groups.

Ransomware groups such as CL0P have exploited newly discovered critical vulnerabilities as zero-days, leaving potential victims at a loss. While ransomware leak site data provides valuable insight into the threat landscape, it may not accurately reflect the full impact of a breach. Organizations need not only to stay vigilant about known vulnerabilities but also to have strategies in place to quickly respond to and mitigate the impact of zero-day exploitation.

Protection and mitigation measures

Palo Alto Networks customers can better protect against ransomware threats with Next-Generation Firewalls and their cloud-delivered security services, including Advanced WildFire, DNS Security, Advanced Threat Prevention, and Advanced URL Filtering.

Cortex Xpanse detects vulnerable exposed services. Cortex XDR and XSIAM customers get protection against all known active ransomware attacks of 2023 right out of the box, with no need to add additional protection to their systems: the Anti-Ransomware Module helps prevent encryption behavior, local analysis helps block the execution of ransomware binaries, and Behavioral Threat Protection helps prevent ransomware activity. Prisma Cloud Defender agents monitor Windows virtual machine instances for known malware.

Source: https://unit42.paloaltonetworks.com/unit-42-ransomware-leak-site-data-analysis/
