Ransomware in 2023: Emerging Threats, New Targets, and How Organizations Can Protect Themselves

By Avishai Avivi, CISO, SafeBreach

From small attacks to mass hacks, ransomware groups continue to wreak havoc in 2023, attacking organizations of all types, disrupting operations, and exacting high payouts. In March, not only did the White House declare ransomware a national security threat, but a record was also set for the highest number of ransomware attacks in a single month, totalling 459. The ransomware group Clop has already carried out two high-profile mass hacks against western organizations, impacting hundreds of organizations and millions of consumers. Public, private, government, schools, healthcare: none are safe from these emerging threats. What should businesses do to protect themselves?

A good place to start is by understanding the most popular patterns and types of attacks used by ransomware groups. Armed with this data, organizations can more effectively implement their security controls and continuously validate them to proactively identify gaps and take action before malicious actors do. Here are the top four ransomware trends observed by the team at SafeBreach in 2023.

New Focus on Healthcare, Schools, and Government 

The unfortunate truth about ransomware is that most threat actors carrying out these types of attacks are financially motivated. They don’t care who they attack, as long as they can make a profit. This means they will typically go after the most vulnerable victims who have the most urgent need—and monetary means—to stop an attack. 

In 2023, we saw a significant rise in ransomware attacks on healthcare entities. Because of their highly sensitive and valuable patient data, and the critical life-saving services they provide, healthcare organizations face heavy pressure to meet attackers' demands. Over 1 million patients had their data exposed in March and April in a breach of NextGen Healthcare, an electronic health record vendor. Harvard Pilgrim Health Care (HPHC) suffered a ransomware attack in April that exposed sensitive data of 3.5 million people, and 11 million patients had data exposed in a July attack on HCA Healthcare. These are only a few examples.

Governments have increasingly come under attack as well. In late July Maximus, a U.S. government contractor, confirmed that it was a victim of Clop's MOVEit campaign. Final numbers are not out yet, but Maximus's own estimate is that eight to eleven million individuals were affected. Universities, which cannot afford to let students sit idle, have also become common targets for ransomware groups. In the MOVEit campaign alone, Colorado State University and Washington State University were both confirmed as victims.

Exploiting Vulnerabilities in the Supply Chain  

In the 2023 mass attacks based on GoAnywhere and MOVEit, Clop exploited vulnerabilities in two popular managed file transfer (MFT) products used by thousands of companies: a pre-authentication remote code execution flaw in Fortra GoAnywhere MFT (CVE-2023-0669) and a SQL injection flaw in Progress MOVEit Transfer (CVE-2023-34362). Clop did not need to deploy an encryptor in either campaign; it pulled the files sitting on the compromised MFT servers and extorted the owners with the threat of publication. By taking advantage of a flaw in software that was presumed secure, Clop was able to hit many different companies at every level of the supply chain. This is likely because many of the organizations using MOVEit and/or GoAnywhere had not adopted a zero-trust architecture that compartmentalizes their computing environments against supply-chain risk. Given how many third-party products a typical company relies on, the odds that at least one vendor in its supply chain is vulnerable are high.

What these two Clop campaigns emphasize is that companies must use caution when transferring data through third-party vendors. Even if the vendor says it is secure, companies should apply their own robust security practices. For example, applying secure-by-design and privacy-by-design principles would keep sensitive data from lingering in a system that was only ever meant to be a temporary transfer point: a file that was collected by the downstream job and deleted on schedule cannot be stolen from the MFT server a month later. Additionally, organizations need to adopt a zero-trust architecture and assume that every supply-chain vendor they use is already insecure and leaking data.
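The retention point above, as an added example that is not part of the original article and not code from SafeBreach or any MFT vendor: a small Python sweeper that purges files left in an MFT landing directory past a retention window. It assumes partners drop files into a staging directory, a downstream job collects them, and anything still present after the window is a liability rather than an asset. The function names (sweep, build_sample_tree, demo), the SweepResult type, the retention window, and the sample file names are all illustrative assumptions; the sample tree is constructed inside a temporary directory so the script runs offline.

```python
"""Retention sweep for a managed-file-transfer (MFT) landing directory.

Added example, not code from the original article, SafeBreach, or any MFT
vendor. Assumptions: partners drop files into a staging directory, a
downstream job collects them, and anything still there after the retention
window is a liability. sweep(), SweepResult, build_sample_tree() and the
sample file names are illustrative, not a real product's API.
"""
import os
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional

DAY = 86_400  # seconds


@dataclass
class SweepResult:
    purged: List[str] = field(default_factory=list)   # deleted (or would be, in dry run)
    kept: List[str] = field(default_factory=list)     # still inside the retention window
    skipped: List[str] = field(default_factory=list)  # symlinks, or files that vanished mid-sweep


def is_expired(path: Path, max_age: int, now: float) -> bool:
    """True when the file was last modified more than max_age seconds ago."""
    return path.stat().st_mtime < now - max_age


def sweep(root: Path, max_age: int, dry_run: bool = True,
          now: Optional[float] = None) -> SweepResult:
    """Walk root and remove regular files older than max_age seconds.

    Symlinks are neither followed nor deleted: a planted link could aim the
    sweeper at data outside the landing directory. A file that disappears
    between listing and unlink (a downstream job collected it) is recorded as
    skipped rather than raised as an error, so one race does not abort the run.
    """
    now = time.time() if now is None else now
    result = SweepResult()
    for dirpath, _dirnames, filenames in os.walk(root):  # followlinks=False by default
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if path.is_symlink():
                result.skipped.append(rel)
                continue
            try:
                if not is_expired(path, max_age, now):
                    result.kept.append(rel)
                    continue
                if not dry_run:
                    path.unlink()
                result.purged.append(rel)
            except FileNotFoundError:
                result.skipped.append(rel)
    return result


def build_sample_tree(now: float) -> Path:
    """Constructed sample landing directory (not real data): one export left
    behind for a month, one stale partner batch, one fresh upload, and a
    symlink that the sweeper must ignore."""
    root = Path(tempfile.mkdtemp(prefix="mft-landing-"))
    (root / "partner-a").mkdir()
    ages = {
        "patient_export_q1.csv": 30 * DAY,
        "partner-a/claims_batch.xml": 10 * DAY,
        "today_upload.zip": 1 * DAY,
    }
    for rel, age in ages.items():
        p = root / rel
        p.write_text("constructed sample content\n")
        os.utime(p, (now - age, now - age))  # backdate mtime to simulate age
    try:
        os.symlink("today_upload.zip", root / "planted_link")
    except OSError:
        pass  # e.g. Windows without symlink privilege; the example still runs
    return root


def demo(max_age: int = 7 * DAY) -> SweepResult:
    """Build the sample tree and run a real (not dry-run) seven-day sweep."""
    now = time.time()
    return sweep(build_sample_tree(now), max_age, dry_run=False, now=now)


if __name__ == "__main__":
    r = demo()
    print("purged :", r.purged)
    print("kept   :", r.kept)
    print("skipped:", r.skipped)
```

Run it in dry-run mode first (the default for sweep) and feed the purged list to your logging pipeline; a sudden jump in the count of expired files is itself a signal that the downstream collection job has stalled and data is piling up where an attacker with a fresh MFT exploit would find it.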

Utilizing Spray and Pray Versus Big Game Hunting Methods

Another interesting phenomenon in 2023 is the split between the use of “spray and pray” and “big game hunting” methods by ransomware groups. In “spray and pray” attacks, ransomware groups indiscriminately send out as many attacks as they can, hoping for smaller payouts from as many victims as possible. This is effective because smaller organizations are less likely to have mature security programs to prevent these attacks and/or deal with the fallout. 

The other method is "big game hunting," where ransomware groups target a small selection of large organizations to maximize profit in one shot. The targets are often desperate to contain the damage and restore operations, and so are more likely to pay, rewarding the ransomware group with a large payout.

Though the split between these two methods has been even in the past, we predict that larger organizations will begin to understand the necessity of investing in proactive security measures, making “big game hunting” less feasible for threat actors overall. Unfortunately, this means “spray and pray” attacks will likely be on the rise to make up for the loss of “big game hunting” revenue. 

Motivated By Politics

Increasingly, we see that profit is not the only motivator for threat actors. In recent years, the presence of nation-state actors in the cyber arena has been on the rise. These threat actors—most commonly from China, Iran, Russia, and North Korea—are not motivated just by money, but rather by causing damage to western organizations and governments. These groups are much less predictable and, because of that, are highly dangerous and often more difficult to detect. 

How to Utilize This Information 

Understanding recent ransomware trends is the first step to defending your organization. The next step is fortifying your security practices. At a minimum, we strongly recommend that public, private, and government enterprises deploy multi-factor authentication (MFA), enforce least-privilege access to keep sensitive data away from accounts that do not need it, and stay current on all software patches.

Further, it is important to proactively identify gaps in your organization's security controls in order to shorten your window of exposure and prevent exploitation. As discussed above, adversaries use proven techniques to accomplish their goals, and they will keep probing for weaknesses in order to maximize profit. Continuous validation of security controls with tools such as breach and attack simulation (BAS) lets organizations use what is known about attacker techniques to test their defenses, gain greater visibility into business risk, maximize security ROI, and strengthen their resilience against attackers, both today and in the future.
