Navigating Ransomware: Securin’s Insights and Analysis from 2023

By Ram Movva, CEO, Securin

As ransomware attackers continue to evolve and adapt their techniques, organizations must refine and adapt their security strategies to stay ahead of these threats.   

Human-augmented, actionable threat intelligence plays a critical role in every organization’s strategy – and Securin’s 2023 retrospective on a year’s worth of ransomware threats and attack groups brings additional insight to help enterprises learn, proactively mitigate risks and strengthen their security posture.  

2023 Year in Review: Ransomware Through the Lens of Threat and Vulnerability Management analyzes the 230,648 Common Vulnerabilities and Exposures (CVEs) listed in the National Vulnerability Database (NVD), prioritizing them on severity, affected systems and vulnerability characteristics. Here’s what we’ve learned.  

Ransomware Is Up 

Ransomware attacks are becoming more common and costly for businesses. On average, a data breach caused by a ransomware attack costs approximately $5.11 million and results in significant downtime lasting days or weeks, severely disrupting business operations.   

Unfortunately, even high-level businesses such as banks and famous casinos are now frequent targets of these attacks, attracting more publicity than ever before.  

Compared to the 344 ransomware-associated vulnerabilities counted at the end of 2022, we found 38 new ones by the end of last year. This brings the total number of ransomware-specific CVEs to 382 – a growth of 11.05% by the end of Q4 2023. Although the CVSS scoring system rates 17% of these 382 CVEs as low or medium severity, they remain viable ransomware targets and should not be deprioritized on score alone.

Since 2020, there has been an annual increase of approximately 50 new ransomware-related vulnerabilities. Of the 382 vulnerabilities linked to ransomware, 67.5% are connected to MITRE’s 2023 Top 25 Most Dangerous Software Weaknesses. This implies that 258 of the 382 vulnerabilities are considered the most widespread and harmful in software and should be avoided by developers.  

In addition, the number of kill chain vulnerabilities has increased since Q1 2023. Attackers now have 21 more pathways for start-to-finish exploitation than they did last year. Kill chain vulnerabilities are CVEs that allow attackers to go from network infiltration to data extortion. By exploiting just one vulnerability, bad actors can compromise an organization’s network and put their entire systems at risk. 
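The figures above make one practical point for triage: a CVSS score alone misses ransomware-linked CVEs rated low or medium, and it says nothing about kill-chain or CWE Top 25 membership. The following is an added example, not code from Securin or the report, that ranks a constructed set of CVE records by threat context first and CVSS second; the record fields and the placeholder CVE identifiers are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cve:
    """One vulnerability record with the context the article discusses."""
    cve_id: str
    cvss: float              # CVSS base score, 0.0-10.0
    ransomware_linked: bool  # known to be used by a ransomware group
    kill_chain: bool         # alone enables infiltration-to-extortion
    cwe_top25: bool          # weakness class in MITRE's 2023 Top 25

def cvss_band(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

def priority_key(cve: Cve) -> tuple:
    """Sort key: kill-chain first, then ransomware link, then CWE Top 25,
    and only then raw CVSS. Higher tuple means higher priority."""
    return (cve.kill_chain, cve.ransomware_linked, cve.cwe_top25, cve.cvss)

def triage(cves: list[Cve]) -> list[str]:
    """Return CVE ids in patch-priority order (most urgent first)."""
    return [c.cve_id for c in sorted(cves, key=priority_key, reverse=True)]

def low_medium_share(cves: list[Cve]) -> float:
    """Fraction of ransomware-linked CVEs that CVSS alone would rate
    Low or Medium, i.e. the ones a score-only policy would defer."""
    linked = [c for c in cves if c.ransomware_linked]
    below_high = [c for c in linked if cvss_band(c.cvss) in ("Low", "Medium")]
    return len(below_high) / len(linked) if linked else 0.0

# Constructed sample feed; the CVE ids are placeholders, not real entries.
SAMPLE = [
    Cve("CVE-0000-0001", 9.8, False, False, True),
    Cve("CVE-0000-0002", 5.3, True, True, True),
    Cve("CVE-0000-0003", 4.3, True, False, False),
    Cve("CVE-0000-0004", 7.5, False, False, False),
    Cve("CVE-0000-0005", 9.1, True, False, False),
]

if __name__ == "__main__":
    for cve_id in triage(SAMPLE):
        print(cve_id)
```

Note that the medium-scored, kill-chain CVE ranks above the critical-scored one with no ransomware link, which is the ordering a score-only policy would invert.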

Alongside the increase in attacks, established groups kept their positions and several new prominent players emerged.

New Threats on the Block 

The year’s dominant ransomware groups included Cl0p, BlackCat, and LockBit 3.0, and all three are poised to continue their attacks in 2024. The groups relentlessly exploited and weaponized some of the year’s most critical vulnerabilities, including those in Progress MOVEit Transfer and Fortra GoAnywhere Managed File Transfer, as well as CitrixBleed.

In addition, our cybersecurity experts noticed the emergence of ten new ransomware families this year. These families consist of one or more ransomware groups characterized by unique tactics and malware.  

On top of these newly established families, three Advanced Persistent Threat (APT) groups – Scattered Spider, FIN8, and RomCom – began using ransomware in 2023. These groups are highly specialized threat actors and can operate within a system or network for a prolonged period without detection, often with state backing. This brings the total number of APT groups using ransomware to 55. This expanded arsenal is a cause for concern, as APT groups now have additional destructive tools to use alongside their already sophisticated attack technologies.  

These ransomware groups have increasingly begun targeting the education, healthcare and financial sectors. These sectors are particularly vulnerable due to the vast amounts of critical data they handle, including sensitive personal information, authentication data, and financial records. Ransomware groups have shifted their focus toward these sectors because they can leverage this highly confidential data to extort costly ransom payments from victims by threatening to publish or destroy the stolen information. The consequences of these attacks can be devastating for both the targeted organization and the individuals whose data is compromised.   

Taking Control of Security 

The emergence and sharp increase in threats and attacks pose a significant challenge for security teams. Sensitive data and credentials are constantly at risk from newly discovered vulnerabilities and weaknesses. It’s imperative that security leaders prioritize staying ahead of the latest ransomware threats and implement preventative measures that can effectively defend against such attacks.  

Training and refreshing employees on basic security practices like password protection, complexity, and updates can go a long way in safeguarding a company’s systems. Too often, employees are overlooked in security practices, creating a new layer of vulnerability in organizational systems. By educating and empowering them to take proactive security measures, organizations can implement a more comprehensive cybersecurity approach that considers all angles. 

External attack surface management and periodic penetration testing play a key role in providing a holistic view of potential entry points or weaknesses in the attack surface. Scheduling regular backups can ensure that organizations can restore critical data if the system is compromised during a ransomware attack.  

It is crystal clear that cyber resilience is no longer an option – it is a necessity if we want to create a secure future. The nature and severity of attacks are constantly evolving, from AI-driven threats to the rising number of ransomware groups. Finding continuous monitoring solutions and implementing prompt patching is crucial to protecting business operations. Organizations must take a proactive approach and implement mitigation and defensive strategies to strengthen their systems and pave the way for a safer future. 
