Record Numbers of Ransomware Victims Named on Leak Sites Infosecurity Magazine
Deputy Editor, Infosecurity Magazine

The number of victims named on ransomware leak sites reached unprecedented levels in the four months from March to June 2023, according to Secureworks' 2023 State of the Threat report.

At current levels, 2023 is on course to be the biggest year on record for victim naming on so-called "name and shame" sites since this practice began in 2019. It is expected the 10,000th victim name was posted to leak sites in late summer 2023, but this has not yet been confirmed by Secureworks.

The report, which presented insights from July 2022 to June 2023, revealed that one-off mass exploitations of specific vulnerabilities were the main factor for the record numbers of named victims in the latter four months of the period.

A LockBit operator, dubbed GOLD MYSTIC by Secureworks, was the most active ransomware group during the 12-month period covered, publishing nearly three times the number of victims as the next most active group, ALPHV/BlackCat, operated by a group known as GOLD BLAZER.

Alongside known groups, Secureworks revealed that new ransomware schemes posted numerous victims from March to June 2023. This includes 8BASE listing nearly 40 victims on its leak site during June 2023.

Don Smith, VP threat intelligence, Secureworks Counter Threat Unit, noted: "While we still see familiar names as the most active threat actors, the emergence of several new and very active threat groups is fuelling a significant rise in victim and data leaks. Despite high profile takedowns and sanctions, cybercriminals are masters of adaptation, and so the threat continues to gather pace."

The researchers acknowledged that leak sites alone do not provide an entirely accurate picture of the state of ransomware, as they only list victims who have not paid the ransom and are not used by all ransomware groups.

The 2023 report found that ransomware median dwell time was under 24 hours, representing a dramatic fall from 4.5 days during the previous 12 months. In 10% of cases, ransomware was deployed within five hours of initial access.

Smith believes this trend is due to improved cyber detection capabilities, with cybercriminals speeding up their operations to reduce the chances of being stopped before deploying ransomware.

"As a result, threat actors are focusing on simpler and quicker to implement operations, rather than big, multi-site enterprise-wide encryption events that are significantly more complex. But the risk from those attacks is still high," commented Smith.

Another factor identified for the fall in dwell times is that many threat actors now deploying ransomware are lower skilled than previous operators, with less sophisticated approaches. This is due to the rise of the Ransomware-as-a-Service (RaaS) model lowering the barrier to entry.

Secureworks observed that the two most common initial access vectors were scan-and-exploit (32%) and stolen credentials (32%).

Scan-and-exploit, the identification of vulnerable systems which are then compromised with a specific exploit, fell significantly as a proportion of ransomware incidents compared to the previous 12 months, when it was 52%.

The proportion of incidents that started with stolen credentials also fell from the previous 12 months, when it represented 39% of ransomware intrusions.

Commodity malware delivered via phishing emails was the third most common initial access vector from July 2022 to June 2023, at 14%.

The researchers noted that the top three initial access vectors identified can either be prevented or detected at an early stage using a combination of the following measures: