A 143% increase in ransomware victims was observed between Q1 2022 and Q1 2023, with attackers pivoting from phishing to exploiting zero-day vulnerabilities and one-day flaws for network intrusion. Rather than encrypting data, these threat actors focused on data theft, threatening to sell or leak stolen sensitive data, thereby cornering even organizations with robust backup and restoration processes.
This trend was discovered by researchers at Akamai, who analyzed data from 90 ransomware groups' leak sites. These sites are typically where details about attacks, victims, and encrypted or exfiltrated data are released. The analysis revealed a shift in initial access vectors from phishing to vulnerability exploitation.
Major ransomware operators, like the Cl0P ransomware group, are focusing on acquiring zero-day vulnerabilities for their attacks. For instance, Cl0P exploited a zero-day SQL-injection vulnerability in Fortra's GoAnywhere software (CVE-2023-0669) to infiltrate numerous high-profile companies. The group also exploited another zero-day bug in Progress Software's MOVEIt file transfer application (CVE-2023-34362) for similar infiltration. The victim count for Cl0P surged ninefold between Q1 2022 and Q1 2023 following the adoption of zero-day exploits.
Other ransomware groups such as LockBit and ALPHV (aka BlackCat) exploited newly disclosed vulnerabilities before organizations could apply fixes. These 'day-one' vulnerabilities include the PaperCut vulnerabilities (CVE-2023-27350 and CVE-2023-27351) and vulnerabilities in VMware's ESXi servers.
Some ransomware operators, like those behind the BianLian campaign, have completely shifted from data encryption to data theft for extortion. This shift is significant because, unlike with data encryption, organizations cannot retrieve their stolen data even with robust backup and restoration processes. They are left with the choice of paying ransom or risking public data leaks or sales.
Most victims, about 65%, were small to midsize businesses with revenues up to $50 million. Larger organizations, often considered prime targets, constituted only 12% of the victims. Manufacturing companies, healthcare entities, and financial services firms were the most targeted.
Akamai's analysis also found that organizations are highly likely to experience a second attack within three months of the first. Despite the shift in attack vectors, organizations still need to defend against phishing and prioritize patching newly disclosed vulnerabilities.