KELA reports manufacturing, industrial sectors most targeted by ransomware, data leak actors during Q1 2023

Cybercrime threat intelligence firm KELA disclosed that the manufacturing and industrial sectors were most targeted by ransomware attackers and data leak actors during the first quarter of this year. LockBit, Royal, and Alphv were behind over 50 percent of the attacks in this sector, while the U.S. is still the most targeted country, recording 45 percent of ransomware and extortion attacks. 

The firm also observed an increase in ransomware and extortion attacks and in sales of network access, an important part of ransomware gangs’ supply chain, in the first quarter of this year, compared to the average metrics of 2022, KELA wrote in its report titled ‘Ransomware Victims and Network Access in Q1 2023.’ Additionally, the massive ransomware campaign that targeted thousands of ESXi servers early this year highlights the continuing danger posed by ransomware and extortion groups to organizations worldwide.

“The most prolific ransomware and data leak actors in Q1 2023 were LockBit, Clop, Alphv, Royal, and Black Basta. Clop made it to the top five most prolific gangs by exploiting a zero-day vulnerability (CVE-2023-0669) in the Fortra GoAnywhere MFT system, targeting 130 victims, as claimed by the gang,” KELA reported. The number of ransomware attacks in the first quarter of this year rose by 30 percent compared with the average number in the first quarter of last year, reaching almost 900 victims.

KELA disclosed that the most prolific ransomware and data leak actors in the first quarter of this year were LockBit, Clop, Alphv (aka BlackCat), Royal, and Black Basta, with around 45 to 270 victims disclosed by each group. LockBit kept its first position with over 265 victims, which is almost 2.5 times more than Clop, the second most active group. “However, in March 2023, Clop ramped up the pace and disclosed more attacks than LockBit, claiming 100 victims. Alphv, one of the gangs at the top, has recently announced on the RAMP forum that a new version of their ransomware, called ‘BlackCat 2.0: Sphynx,’ was released,” it added.

Additionally, Clop and Royal got into the top five most prolific gangs after not being in that group in 2022. It seems that they replaced Hive, which was one of the top groups before the FBI took down its operation.

KELA revealed that Clop is the second most active group, targeting more than 100 victims in the first quarter. The most targeted sectors of the group were professional services, technology, healthcare and life sciences. “Clop gained attention in February, when it claimed to have exploited a zero-day vulnerability in the Fortra GoAnywhere MFT (CVE-2023-0669), which allegedly allowed the actors to steal data from 130 organizations. As of March, several companies confirmed data breaches following Clop’s attacks, among them Hitachi Energy, Rubrik, Hatch Bank and City of Toronto,” it added. 

KELA observed 106 victims posted on Clop’s blog since the gang’s statement about exploiting this flaw, representing 98 percent of its total victims in the first quarter.

Royal, which emerged only in 2022, targeted over 60 victims in the first quarter. In February, Royal ransomware expanded its operation to target Linux and ESXi servers. The most targeted sectors of the group are manufacturing and industrial products, food and beverages, and professional services. 

KELA observed that one of the actors related to Royal has been active on cybercrime forums, looking for cooperation with initial access brokers to buy network access to companies with revenue of more than USD 20 million. “Other users claimed the actor was Royal’s official representative. The actor called the operation ‘my Royal,’ specifying Windows and ESXi versions, though it’s possible they are Royal’s affiliate team.”

KELA reported that LockBit, Alphv and Royal were responsible for 53 percent of the attacks in the manufacturing and industrial products sector, corresponding to the fact that they’re among the most active ransomware gangs. The next most targeted sectors were professional services, engineering and construction, healthcare and life sciences, and education. Additionally, over 20 percent of the attacks in the education sector were carried out by the Vice Society gang, which is posing a ‘persistent threat’ to the education sector, attacking universities and colleges, as they did in 2022 as well. 

While the U.S. is the most targeted country, it was followed by ransomware and data leak victims from companies in the U.K., Canada, Germany and France.

KELA revealed that new data leak sites and ransomware blogs in the quarter included Vendetta, Medusa, Dark Power, Abyss, and Money Message. In February, the Vendetta ransomware blog was discovered on a subdomain of Cuba ransomware. The group also shared a directory with stolen files hosted on a separate TOR domain.

Around the same time, the Medusa blog was discovered in cybercrime sources, with 13 victims listed. At least one of the victims has confirmed the attack. “There’s no evidence that Medusa is linked to MedusaLocker, a ransomware strain that was first identified in 2019. Unlike many ransomware groups, Medusa doesn’t leak data on the site but asks victims to contact the operation in TOX. However, based on the chatter, the actors don’t seem to be responsive,” the report added.

“In March, KELA observed a new blog named Dark Power Ransomware, with 10 victims listed. Dark Power asks the victims to contact the operation via TOX for obtaining stolen files,” the report said. “In January, the National Cyber and Information Security Agency of the Czech Republic (‘NÚKIB’) detected a ransomware attack targeting the country carried out by Dark Power operators. On March 23, researchers detected a ransomware sample of Dark Power, which confirms that they deploy ransomware. Based on the ransom note, the gang demanded a payment of USD 10,000 in Monero.”

KELA also reported that in March, it discovered a new data leak site called Abyss, with six victims listed. Since January, a threat actor named ‘infoleak222’ was active on Breached shortly before it went down and shared some victims that now appear on Abyss, so the actor is possibly related to this operation.

“In March, a new negotiation portal for extortion victims, titled ‘U-bomb,’ was discovered. Based on the conversations with one of the victims observed by KELA, U-bomb claims to be a ransomware operation, since the actor offered to pay a price for a ‘decrypt tool,’” the report revealed. “The portal authentication page resembles Hive’s negotiation portal; the URL of the U-bomb portal also starts with the string ‘Conti.’ As of March, there’s no evidence to suggest the new operation is related to Hive and Conti. Currently, U-bomb doesn’t seem to have a data leak site.”

KELA also disclosed that two victims were shared in a new ransomware blog called ‘Money Message’ and discovered in March. “There’s at least one report of a ransomware attack by a group going by the name Money Message,” it added.

KELA assessed that in 2022, the cybercrime ecosystem in general became more sophisticated and complex, while ransomware and extortion actors continued to use this ecosystem to scale their attacks and make them easier to conduct. In particular, network access sales proved to be a valuable source of leads for these actors.

To remain ahead of cybercriminals, KELA recommends that enterprise defenders implement a solid security plan that includes strong passwords, multi-factor authentication, up-to-date software, firewalls, and a thorough awareness of cyber adversaries.

Using cybercrime threat intelligence is crucial to know what hackers are doing and stay ahead of the latest threats. This involves monitoring threat actors and cybercrime sources to understand the different types of criminal activities that take place, the kinds of malware and hacking tools that threat actors are using and the vulnerabilities they are exploiting, the types of businesses they are targeting, and the exposure of a specific company’s attack surface. 

In addition, it is essential to train employees on how to protect themselves online and to make them aware of the risks and how to avoid them.

Last month, the FBI’s Internet Crime Complaint Center (IC3) reported an increase in an additional extortion tactic used to facilitate ransomware in 2022, as the number of reported ransomware incidents has decreased. The hackers pressure victims to pay by threatening to publish the stolen data if they do not pay the ransom. The IC3 report comes in the wake of the cyber landscape providing ample opportunities for criminals and adversaries to target U.S. networks, attack critical infrastructure, hold money and data for ransom, facilitate large-scale fraud schemes, and threaten national security.
