Ransomware Resurgence: A Deep Dive into 2023’s Threatscape and Risk Assessment
Author: Kyunghee Kim, Jiho Kim and Huiseong Yang | S2W TALON
Last Modified: Apr 9, 2024
Executive Summary
- In this report, S2W TALON examined the trends of ransomware groups active in 2023, identifying the operational characteristics of each group and describing them from 5 perspectives:
— Activity: The number of victim organizations uploaded to ransomware leak sites increased by 1.6 times in 2023 compared to 2022. 50% of the victim organizations uploaded to leak sites in 2023 were affected by the top 5 ransomware groups with high activity.
— Influence: The number of attacks on specific industries such as the non-profit sector and government increased. Also, ransomware groups that target big organizations with a particularly high percentage have been identified.
— Brand Continuity: 26 groups updated their ransomware versions during 2023. 18 ransomware groups were identified as having possibly rebranded by changing their brand names.
— Extensibility: Ransomware groups operate with a systematized division of roles for organizational operation and infrastructure expansion. They build their main infrastructure on the dark web.
— Vulnerability: At least 13 ransomware groups used vulnerabilities in their attacks.
- S2W defined a total of 21 ransomware evaluation metrics by subdividing the above 5 perspectives; the individual metrics are described in Section 2.1 Additive Metric and Section 2.2 Subtractive Metric.
— Additive Metric: Activity, Influence, Brand Continuity, Extensibility, Vulnerability
— Subtractive Metric: Availability of decryption tools, Use of publicly available source code or builders, Whether internal resources were revealed, Whether the ransomware group’s infrastructure was taken down
- Top 5 ransomware groups by risk score:
— Before applying Subtractive Metric: LockBit, BlackCat, CLOP, BlackBasta, Nokoyawa
— After applying Subtractive Metric: CLOP, BlackBasta, Nokoyawa, Qilin, BlackByte
- The ransomware groups are clustered into 6 groups based on the risk score clustering results.
— Destructive, Self Management Expert, Offensive, Follower, Rookie, Enigma.
- This report can be used to proactively identify the attack methods used by high-risk ransomware groups and prevent damage.
- The metrics can be further tailored to each organization’s specific interests and industry characteristics to assess which ransomware groups pose the greatest threat, and this is expected to aid in proactive attack prevention.
The analysis subjects of this report are ransomware groups that operate leak sites, the victim organizations uploaded to those leak sites, and extortion-type groups that only perform data exfiltration without deploying ransomware.
1. Ransomware Threatscape in 2023
- Throughout 2023, a total of 4,245 organizations fell victim to ransomware attacks and were posted on leak sites. This represents a 60% increase compared to 2022.
- In 2023, 72 ransomware groups were identified as operating leak sites where they exposed exfiltrated data. The 5 ransomware groups with the highest number of victimized organizations are as follows:
— LockBit (1,004), BlackCat (402), CLOP (374), PLAY (288), 8Base (203)
- New ransomware groups can be categorized into those operating leak sites and groups utilizing the source code or builder of existing ransomware groups.
— During the second half of 2023, 18 new ransomware groups with leak sites were discovered. Among them, 5 groups had their leak site addresses changed, and 2 groups were confirmed to have ceased operations.
- During 2023, a total of 57 duplicate victims were publicly disclosed.
— Among these, LockBit was identified as the group exhibiting the most proactive attack patterns against the same victims.
- In 2023, the top 5 countries most affected by ransomware attacks were:
— United States of America (2,049), United Kingdom (290), Canada (209), Germany (152), France (136)
— Ransomware groups tend to target countries with higher GDPs and a larger number of big organizations when considering the victim country’s economic power and the number of large organizations by country.
- In 2023, the top 5 industries most affected by ransomware attacks were:
— Manufacturing (746), Business Services (458), Retail (336), Construction (318), Education (246)
— The top 5 industries with the highest losses all fall within the high-revenue industries surveyed by BankRate in 2023, suggesting that ransomware groups tend to target industries with larger revenue streams.
- A classification of organizations affected by ransomware in 2023 based on revenue revealed that small organizations suffered the most, followed by medium-sized enterprises and big organizations.
- Top 5 ransomware groups with the most disclosed attacks against big organizations:
— CLOP (118), LockBit (58), BlackCat (40), BlackBasta (14), AKIRA (9)
— Ransomware groups with a high success rate in targeting big organizations are assessed as likely to be collaborating with technically skilled pentesters or affiliates.
- Among the 72 ransomware groups active in 2023, at least 26 groups were observed to have updated and enhanced their ransomware versions.
— BlackCat was identified as the group with the most version updates.
- A total of 18 ransomware groups were identified as having rebranded or showing potential for rebranding in 2023. The reasons for rebranding observed by S2W are as follows:
— Improve Brand Image, Evolve TTPs, Collaborate with others, Disbanding Group
- Approximately 84% of active ransomware groups in 2023 operated leak sites on the dark web.
— There has been a recent increase in the use of social media platforms like Telegram and Clearnet domains.
- At least 13 ransomware groups were identified as exploiting vulnerabilities throughout 2023.
— Of these groups, approximately 47% utilized remote code execution (RCE) vulnerabilities to gain internal access to corporate networks.
The detailed ransomware trends for the first and second half of 2023, as disclosed by S2W, can be found below.
- Story of H1 2023: Statistical Insights into Ransomware Trends and Impact on Victims
- Story of H1 2023: In-depth Examination of Notable Ransomware Groups and Key Issues
- Story of H2 2023: Statistical Insights into Ransomware Trends and Impact on Victims
- Story of H2 2023: In-depth Examination of Notable Ransomware Groups and Key Issues
2. Ransomware Risk Assessment
This chapter defines the risk assessment criteria developed by S2W for ransomware groups. These criteria are based on the quantitative and qualitative trends that emerged in 2023. We will also present the results of clustering ransomware groups with similar characteristics based on their risk scores.
To evaluate ransomware groups, we developed risk metrics. Scores are assigned based on the severity of each metric, with higher scores indicating greater risk. We then categorize ransomware groups into four risk levels based on their total score. The detailed criteria for this categorization are shown in Table 1.
2.1. Additive Metric
The metrics that increase the risk of a ransomware group are categorized into 5 perspectives: Activity, Influence, Brand Continuity, Extensibility, and Vulnerability.
2.1.1. Activity
We evaluated the risk of ransomware groups from the perspective of “Activity” by assessing their activity levels on leak sites and the patterns of attacks on victim organizations. The detailed metrics are presented in Table 2.
2.1.2. Influence
By analyzing the damage status of affected organizations by industry group and enterprise size, we evaluated the impact of ransomware groups on specific industries. Additionally, we assessed the proficiency of each group based on the number of successful attacks against large organizations, which formed the basis of the “Influence” metric. The detailed metrics are presented in Table 3.
S2W defined critical industries as non-profit organizations (Education, Medical, Welfare, Culture, Environmental Organizations) and Government agencies.
2.1.3. Brand Continuity
We assessed the risk level of ransomware groups using the “Brand Continuity” metric, which includes ransomware binary updates, expansion of the target environment, rebranding history, and active period. The detailed criteria are shown in Table 4.
2.1.4. Extensibility
To evaluate the “Extensibility” of ransomware groups, we analyzed their activities and infrastructure on the dark web, considering their collaboration with various groups. This also includes how they use their own tools and maintain the infrastructure for effective attacks and managing victims. The detailed criteria are presented in Table 5.
2.1.5. Vulnerability
Finally, the risk of ransomware groups was assessed using the “Vulnerability” metric, which is based on their ability to exploit vulnerabilities and the impact of those exploited vulnerabilities. The detailed criteria are shown in Table 6.
EPSS (Exploit Prediction Scoring System) is a data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild.
2.2. Subtractive Metric
In contrast to the aforementioned Additive Metric, there exist metrics that lower the risk posed by ransomware groups. The detailed criteria are shown in Table 7.
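The additive and subtractive metrics described above combine into a single score per group, and the report later compares the ranking with and without the deductions. The following is an added worked example of that scoring shape, not S2W's code: the 0-10 scale per perspective (so that the additive total is out of 50, matching the "38.7 out of 50" figure the report quotes), the deduction sizes, the level thresholds and the four sample groups are all assumptions; Tables 1-7 of the report hold the real criteria.

```python
"""Additive/subtractive ransomware risk scoring (added illustration, not S2W's code).
The per-perspective 0-10 scale, the deduction values, the level thresholds and the
sample groups are assumptions; the report's Tables 1-7 define the real criteria."""
from dataclasses import dataclass, field

# Five additive perspectives named in the report, each scored 0-10 here so the
# additive total is out of 50.
ADDITIVE = ("activity", "influence", "brand_continuity", "extensibility", "vulnerability")
MAX_PER_PERSPECTIVE = 10.0

# Four subtractive metrics named in the report; the deduction sizes are assumed.
SUBTRACTIVE = {
    "decryptor_available": 5.0,
    "public_source_or_builder": 3.0,
    "internal_resources_leaked": 4.0,
    "infrastructure_taken_down": 10.0,
}

# Four risk levels (the report's Table 1); these score floors are placeholders.
LEVELS = (("Highly Severe", 35.0), ("Severe", 25.0), ("Moderate", 15.0), ("Low", 0.0))


@dataclass
class GroupProfile:
    name: str
    additive: dict                           # perspective -> score in [0, 10]
    flags: set = field(default_factory=set)  # subtractive metrics that apply


def additive_score(profile):
    """Sum of the five perspective scores; rejects missing or out-of-range values."""
    missing = set(ADDITIVE) - set(profile.additive)
    if missing:
        raise ValueError(f"{profile.name}: missing perspectives {sorted(missing)}")
    total = 0.0
    for key in ADDITIVE:
        value = float(profile.additive[key])
        if not 0.0 <= value <= MAX_PER_PERSPECTIVE:
            raise ValueError(f"{profile.name}: {key}={value} outside 0..{MAX_PER_PERSPECTIVE}")
        total += value
    return round(total, 2)


def subtractive_penalty(profile):
    """Total deduction for the subtractive metrics flagged on the profile."""
    unknown = profile.flags - set(SUBTRACTIVE)
    if unknown:
        raise ValueError(f"{profile.name}: unknown subtractive flags {sorted(unknown)}")
    return round(sum(SUBTRACTIVE[f] for f in profile.flags), 2)


def risk_score(profile, apply_subtractive=True):
    """Combined score; deductions apply only when requested and never push below 0."""
    score = additive_score(profile)
    if apply_subtractive:
        score = max(0.0, score - subtractive_penalty(profile))
    return round(score, 2)


def risk_level(score):
    """Map a combined score to one of the four risk levels."""
    for label, floor in LEVELS:
        if score >= floor:
            return label
    return "Low"


def rank(profiles, apply_subtractive=True, top=5):
    """Top-N groups by score (ties broken by name), with or without deductions."""
    scored = [(p.name, risk_score(p, apply_subtractive)) for p in profiles]
    scored.sort(key=lambda entry: (-entry[1], entry[0]))
    return scored[:top]


# Constructed sample groups (not real groups and not S2W's scores).
SAMPLE_GROUPS = [
    GroupProfile("Group-A", dict(zip(ADDITIVE, (9, 8, 9, 9, 8))), {"infrastructure_taken_down"}),
    GroupProfile("Group-B", dict(zip(ADDITIVE, (8, 9, 9, 7, 6)))),
    GroupProfile("Group-C", dict(zip(ADDITIVE, (7, 7, 8, 9, 8))), {"decryptor_available"}),
    GroupProfile("Group-D", dict(zip(ADDITIVE, (3, 4, 2, 5, 1))), {"public_source_or_builder"}),
]

if __name__ == "__main__":
    for mode in (False, True):
        print("subtractive applied" if mode else "additive only")
        for name, score in rank(SAMPLE_GROUPS, apply_subtractive=mode):
            print(f"  {name}: {score:5.2f}  {risk_level(score)}")
```

Running it shows the effect the report describes in Section 2.3: Group-A leads on additive score alone but drops below Group-B and Group-C once its infrastructure take-down deduction is applied, and its level falls from Highly Severe to Severe. Re-running `rank` after adding a flag to a profile is how a changed metric (such as a take-down that happens after the assessment period) is reflected without rescoring everything by hand.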
2.3. Evaluation of Ransomware Groups’ Risk Level
In order to determine how much impact the subtractive metrics have on measuring the risk of ransomware groups, S2W evaluated the risk of ransomware groups by dividing them based on whether the subtractive metric is applied or not.
2.3.1. Risk measurement results before applying subtractive metrics
The top 5 ransomware groups with the highest scores without applying subtractive metrics were identified as LockBit, BlackCat, CLOP, BlackBasta, and Nokoyawa.
The LockBit group, which had the highest total score, was classified as Highly Severe for all metrics except the Influence metric, which was classified as Severe.
According to the Affiliate Rules mentioned on their leak site, the LockBit group is prohibited from attacking industries categorized as “Critical Infrastructure”, suggesting that the LockBit group’s influence in this particular industry may be relatively small compared to other groups.
The BlackCat group, like LockBit, was classified as Severe only in the Influence metric, and Highly Severe in all other metrics.
In particular, the BlackCat group scored very high in the Activity metric. To increase the likelihood that victims would pay the ransom, the group employed blackmail tactics leveraging the U.S. Securities and Exchange Commission’s (SEC) rule that requires disclosure of a cyberattack on a specific form (Item 1.05 of Form 8-K) within four business days.
It is highly unusual for a ransomware group to abuse policy and publicly pressure a victim organization on a leak site, suggesting that the BlackCat group is a very clever and sophisticated group of strategists.
The CLOP group was categorized as Highly Severe in the Influence, Brand Continuity, and Vulnerability metrics, and Severe in the Activity metric.
Specifically, the CLOP group has a history of exploiting various high-impact 0-day vulnerabilities and tends to generate a large number of victims in a short period of time after exploiting a vulnerability, followed by a relatively low level of activity on its leak sites during other periods.
This raises the possibility that the CLOP group routinely spends a lot of time developing 0-day vulnerabilities. However, the CLOP group does not have a strong presence on the dark web or Telegram, which is why the extensibility metric is Moderate.
The BlackBasta group has a Low Vulnerability metric due to the lack of 0-day vulnerabilities or exploits against products with large numbers of users.
However, the group has a high percentage of attacks against big organizations and major industries, which suggests that the BlackBasta group may have highly skilled pentesters who can infiltrate the internal networks of big organizations or may be working with affiliates.
The Nokoyawa group is one of the groups that scored strongly on the Vulnerability metric. Additionally, the Nokoyawa group’s operators are active on the dark web and have publicly listed affiliates, which contributed to the group being categorized as Highly Severe on the Extensibility metric.
2.3.2. Risk measurement results after applying subtractive metrics
After applying the subtractive metrics, the LockBit and BlackCat groups, which were in the top 5 groups with the highest scores, were downgraded due to the deduction of points for infrastructure breaches, and the Qilin and BlackByte groups were newly ranked in the top 5 groups.
The risk levels of each of the top 5 groups, as redefined after the subtractive metrics were applied, are shown in Figure 6.
Of the original top 5 groups, CLOP, BlackBasta, and Nokoyawa did not have any deduction factors, so they remained in the top group even after the subtractive metric was applied.
The Qilin group scored Highly Severe in the Extensibility and Brand Continuity metrics. They are actively promoting their RaaS program on the dark web and are using ransomware that targets Linux operating systems in addition to Windows to maintain brand continuity.
The BlackByte group performs strongly on activity volume and brand continuity metrics, especially given that the group has been updating versions of its ransomware and improving its functionality using different programming languages such as C#, C++, and Go since its first discovery in July 2021 until December 2023.
While the above is a risk assessment of each group based on ransomware group activities in 2023, there was a major issue with the LockBit group in February 2024 when some of their infrastructure was taken down.
When we calculated the score based on the activity in 2023 before this event, the combined risk metric for the LockBit group was 38.7 out of 50, which is very high. However, after the infrastructure take-down issue in 2024 was factored into the risk measure, the total score decreased to 27.07. The scoring scheme presented in this report allows us to quantitatively measure the risk of ransomware groups by reflecting changing metrics.
2.4. Risk-based clustering of groups active in 2023
In addition to measuring the risk of each ransomware group, S2W also worked on clustering ransomware groups with similar characteristics based on the scoring results.
2.4.1. Clustering Ransomware Groups
The Hierarchical Clustering technique based on Ward Distance was used in this process, and the schematic process is shown in Figure 11.
Using the risk metric values of the different ransomware groups, the hierarchical clustering technique was used to evaluate the similarity between each group, and the groups with high similarity were clustered together.
As a result of this clustering process, the 72 ransomware groups were divided into 6 clusters, as shown in Figure 12, and S2W named each cluster Enigma, Follower Group, Rookie Group, Self-Management Expert Group, Destructive Group, and Offensive Group.
When the 6 clusters were separated by the sum of the risk metrics, the Destructive Group ranked highest in all metrics, while the Rookie Group ranked lowest in all metrics.
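The clustering step described above, Ward-linkage hierarchical clustering over each group's risk metric values followed by ordering the clusters by total risk, can be reproduced in a few dozen lines. The block below is an added illustration and not S2W's code: it implements the textbook Lance-Williams update for Ward's criterion in pure Python, and the seven five-dimensional profiles (one value per additive perspective, names G1 to G7) are constructed sample data rather than real group scores.

```python
"""Ward-linkage hierarchical clustering of ransomware risk profiles.
Added illustration, not S2W's code; the sample profiles are constructed."""


def ward_clusters(points, k):
    """Agglomerate `points` (name -> metric vector) with Ward linkage until k
    clusters remain. Distances are kept as squared Euclidean distances, for
    which the Lance-Williams update of Ward's criterion is exact."""
    names = list(points)
    if not 1 <= k <= len(names):
        raise ValueError(f"k must be in 1..{len(names)}")
    if len({len(v) for v in points.values()}) != 1:
        raise ValueError("all metric vectors must have the same length")
    members = {i: [n] for i, n in enumerate(names)}  # cluster id -> member names
    size = {i: 1 for i in members}
    dist = {}  # (lower id, higher id) -> squared distance between clusters
    for i in members:
        for j in members:
            if i < j:
                dist[(i, j)] = sum((a - b) ** 2 for a, b in zip(points[names[i]], points[names[j]]))

    def d(a, b):
        return dist[(a, b) if a < b else (b, a)]

    next_id = len(names)
    while len(members) > k:
        # Merge the pair with the smallest Ward merge cost.
        i, j = min(((a, b) for a in members for b in members if a < b), key=lambda p: d(*p))
        new, next_id = next_id, next_id + 1
        n_ij = size[i] + size[j]
        # Lance-Williams update: distance from every other cluster m to the merged cluster.
        for m in members:
            if m in (i, j):
                continue
            n_m = size[m]
            dist[(m, new)] = ((size[i] + n_m) * d(m, i) + (size[j] + n_m) * d(m, j)
                              - n_m * d(i, j)) / (n_ij + n_m)
        members[new] = sorted(members[i] + members[j])
        size[new] = n_ij
        for stale in (i, j):
            del members[stale], size[stale]
        dist = {key: v for key, v in dist.items() if i not in key and j not in key}
    return sorted(members.values(), key=lambda c: c[0])


def rank_clusters(points, clusters):
    """Order clusters by the mean sum of their members' metrics, highest first,
    the way the report separates its six clusters by total risk."""
    ranked = [(c, round(sum(sum(points[n]) for n in c) / len(c), 2)) for c in clusters]
    ranked.sort(key=lambda entry: -entry[1])
    return ranked


# Constructed sample profiles: (activity, influence, brand_continuity,
# extensibility, vulnerability), each 0-10. Not real group scores.
SAMPLE_METRICS = {
    "G1": (9, 8, 9, 9, 8), "G2": (9, 9, 9, 8, 9), "G3": (8, 9, 8, 9, 8),
    "G4": (6, 5, 7, 7, 3), "G5": (5, 6, 7, 6, 2),
    "G6": (2, 1, 1, 2, 1), "G7": (1, 2, 1, 1, 2),
}

if __name__ == "__main__":
    for cluster, mean_total in rank_clusters(SAMPLE_METRICS, ward_clusters(SAMPLE_METRICS, 3)):
        print(f"mean total {mean_total:5.1f}: {', '.join(cluster)}")
```

With k set to 3 the sample separates into a high-scoring cluster (G1, G2, G3), a middle one (G4, G5) and a low one (G6, G7), and `rank_clusters` orders them by mean total score the way Figure 12 orders the report's six clusters. The number of clusters is a choice made when cutting the dendrogram; the report cut at 6, and the same function produces that with `k=6` on the real metric vectors.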
2.4.2. Analysis of Each Cluster
Destructive Group
The Destructive Group, with the highest scores across all metrics, consists exclusively of ransomware groups that have been active for more than three years and includes CLOP, BlackCat, and LockBit. These groups also uploaded the most victims to leak sites in 2023, with each group scoring at the Highly Severe level.
Self Management Expert Group
The Self Management Expert Group consists of 23 ransomware groups that are strong in the Activity, Extensibility, and Brand Continuity metrics. The ransomware groups in this cluster are characterized by a strong presence on the dark web and a variety of infrastructures besides the dark web, such as Twitter and Telegram. With the exception of the Vulnerability metric, the Self Management Expert Group scores well across all metrics, suggesting that it has a high potential to become a Destructive Group.
We further divided the Self Management Expert cluster into subclusters by examining the groups that clustered first with similar overall metrics. We subsequently analyzed them as depicted in Figure 16. An interesting finding is that ransomware groups that are rebranding or have been previously associated tend to be located in the same subcluster.
- Rebranding Groups: Royal — BlackSuit / Cyclops — Knight
- Existing Association with Conti: BlackBasta, BlackByte, AKIRA
Offensive Group
The Offensive Group consists of five ransomware groups and shows strength in the Vulnerability metric compared to the other clusters. All ransomware groups in this cluster have a CVSS score of 8.0 or higher and at least one exploit with an EPSS score of 80% or higher during 2023.
Follower Group
The Follower Group consists of 13 ransomware groups. This cluster has a relatively low score in the Activity metric but is strong in the Influence metric due to the high percentage of uploaded victims targeting big organizations and major industries. Furthermore, it was found that the Follower Group includes extortion-type groups that, instead of using ransomware, primarily resort to data exfiltration to extort affected companies.
Similar to the Self Management Expert cluster, the Follower cluster shows similar overall metrics, leading us to separate the first clustered group into subclusters, which are shown in Figure 19. Ransomware groups with rebranding relationships were also found in the Follower Group.
- Rebranding Groups: Hive — Hunters / LostTrust — Metaencryptor
Rookie Group
The Rookie Group consists of ransomware groups that have been active for a year or less, or show little activity on the dark web and leak sites. Everest and CryptNet, which have been identified on dark web forums, score relatively high on Extensibility, but the other ransomware groups do not stand out across all metrics and are considered a potentially dangerous cluster.
Enigma
Finally, Enigma is a cluster composed solely of the Werewolves group, which is unique in its own right. Discovered in the second half of 2023, the Werewolves group has no activity on the dark web, and its leak sites are only deployed on Clearnet. Furthermore, many of the uploaded victims were identified as having a history of being uploaded by the LockBit group, and unusually, the group uploaded compromises against Russian organizations.
To determine the most threatening ransomware groups in 2023, we considered both the risk of each ransomware group and the clustering results. From the ransomware groups belonging to the top 2 clusters, the Destructive Group and the Self Management Expert Group, we selected the top 3 ransomware groups per group with the highest combined risk metrics. The selected groups are shown in Figure 22.
LockBit and BlackCat, even with the subtractive metric applied, still ranked in the top 10 in the combined risk metrics of the ransomware groups, showing that they remain influential ransomware groups.
Using this risk scoring scheme, we quantitatively measure the risk of each ransomware group and cluster ransomware with similar characteristics to identify the ransomware groups that pose the greatest threat. The risk scoring system presented in this report is expected to enable rapid and quantitative risk assessment in the future, even as new ransomware groups emerge and their activities change.
Conclusion
1. Results of risk measurement by ransomware group
- We measured the risk of each ransomware group according to the 21 metrics we developed.
- Before applying the subtractive metrics, the top 5 groups with the highest risk levels were as follows:
— Top 5 Groups: LockBit, BlackCat, CLOP, BlackBasta, Nokoyawa
- After applying the subtractive metrics, the risk of ransomware groups was reassessed, and the top 5 groups were:
— Top 5 Groups: CLOP, BlackBasta, Nokoyawa, Qilin, BlackByte
2. Ransomware group clustering results
- We clustered ransomware groups with common characteristics based on the sum of the risk metrics of each ransomware group, and the characteristics of each cluster were as follows:
— Destructive Group: The cluster with the highest level of risk across all 5 additive metrics.
— Self Management Expert Group: Clusters that are active on the dark web and leverage a variety of infrastructures, including Telegram and Twitter.
— Offensive Group: Clusters with a history of exploiting high-impact vulnerabilities throughout 2023.
— Follower Group: Clusters characterized by a high proportion of targets in large organizations and high-profit industries, including extortion-type groups that blackmail victims through data breaches.
— Rookie Group: Clusters that have been active for less than a year and have a low level of activity on leak sites, indicating a potential risk level.
— Enigma: A cluster independently organized by the Werewolves group, characterized by infrastructure built on Clearnet and targeting Russian organizations.
3. Takeaway
- This report allows us to prioritize and address the attack methods used by high-risk ransomware groups, enabling proactive measures to prevent damage.
- To propose countermeasures for each metric that increases the risk of ransomware groups, we utilized mitigations provided by MITRE Framework, D3FEND, and RE&CT. Detailed mitigations by metric are attached in Appendix A.
- In the future, these metrics can be adjusted based on the specific industries and characteristics of each organization to evaluate which ransomware groups pose the greatest threat, aiding in proactive attack prevention.
Appendix A
Mitigation for metrics that increase the risk of ransomware groups
Appendix B
Identified duplicate victims uploaded in 2023
Homepage: https://s2w.inc
Facebook: https://www.facebook.com/S2WLAB
Twitter: https://twitter.com/S2W_Official