Ransomware Resurgence: A Deep Dive into 2023’s Threatscape and Risk Assessment

Published in S2W BLOG · 16 min read · Apr 9, 2024

Author: Kyunghee Kim, Jiho Kim and Huiseong Yang | S2W TALON

Last Modified: Apr 9, 2024


Executive Summary

  • In this report, S2W TALON examined the trends of ransomware groups active in 2023, identifying the operational characteristics of each group and describing them from 5 perspectives:
    Activity: The number of victim organizations uploaded to ransomware leak sites increased by 1.6 times in 2023 compared to 2022. 50% of the victim organizations uploaded to leak sites in 2023 were affected by the top 5 ransomware groups with high activity.
    Influence: The number of attacks on specific industries such as the non-profit sector and government increased. Ransomware groups with a particularly high proportion of attacks against big organizations were also identified.
    Brand Continuity: 26 groups updated their ransomware versions during 2023. 18 ransomware groups were identified as having possibly rebranded by changing their brand names.
    Extensibility: Ransomware groups operate with a systematized division of roles for organizational operation and infrastructure expansion. They build their main infrastructure on the dark web.
    Vulnerability: At least 13 ransomware groups use vulnerabilities in their attacks.
  • S2W defined a total of 21 ransomware evaluation metrics by subdividing the above 5 perspectives; the specific evaluation metrics are described in Chapter 1. Additive Metric and Chapter 2. Subtractive Metric.
    Additive Metric: Activity, Influence, Brand Continuity, Extensibility, Vulnerability
    Subtractive Metric: Availability of decryption tools, Use of publicly available source code or builders, Whether internal resources were revealed, Whether the ransomware group’s infrastructure was taken down
  • Top 5 ransomware groups by risk score:
    Before applying Subtractive Metric: LockBit, BlackCat, CLOP, BlackBasta, Nokoyawa
    After applying Subtractive Metric: CLOP, BlackBasta, Nokoyawa, Qilin, BlackByte
  • The ransomware groups are clustered into 6 groups based on the risk score clustering results.
    — Destructive, Self Management Expert, Offensive, Follower, Rookie, Enigma.
  • This report can be used to proactively identify the attack methods used by high-risk ransomware groups and prevent damage.
  • The metrics can be further tailored to each organization’s specific interests and industry characteristics to assess which ransomware groups pose the greatest threat, and this is expected to aid in proactive attack prevention.

This report covers ransomware groups that operate leak sites, the victim organizations posted on those leak sites, and extortion-type groups that only exfiltrate data without deploying ransomware.

1. Ransomware Threatscape in 2023

  • Throughout 2023, a total of 4,245 organizations fell victim to ransomware attacks and were listed on leak sites. This represents a 60% increase compared to 2022.
  • In 2023, 72 ransomware groups were identified as operating leak sites where they exposed exfiltrated data. The 5 ransomware groups with the highest number of victimized organizations are as follows:
    — LockBit(1,004), BlackCat(402), CLOP(374), PLAY(288), 8Base(203)
  • New ransomware groups can be categorized into those operating their own leak sites and those utilizing the source code or builder of existing ransomware groups.
    — During the second half of 2023, 18 new ransomware groups with Leak sites were discovered. Among them, 5 groups had their Leak site addresses changed, and 2 groups were confirmed to have ceased operations.
  • During 2023, a total of 57 duplicate victims were publicly disclosed.
    — Among these, LockBit was identified as the group exhibiting the most proactive attack patterns against the same victims.
  • In 2023, the top 5 countries most affected by ransomware attacks were:
    — United States of America(2,049), United Kingdom(290), Canada(209), Germany(152), France(136)
    — Comparing victim counts with each country’s economic power and number of large organizations, ransomware groups tend to target countries with higher GDPs and a larger number of big organizations.
  • In 2023, the top 5 industries most affected by ransomware attacks were:
    — Manufacturing(746), Business Services(458), Retail(336), Construction(318), Education(246)
    — The top 5 industries with the highest losses all fall within the high-revenue industries surveyed by BankRate in 2023, suggesting that ransomware groups tend to target industries with larger revenue streams.
  • A classification of organizations affected by ransomware in 2023 based on revenue revealed that small organizations suffered the most, followed by medium-sized enterprises and big organizations. Top 5 Ransomware groups with the most disclosed attacks against big organizations:
    — CLOP(118), LockBit(58), BlackCat(40), BlackBasta(14), AKIRA(9)
    — Ransomware groups with a high success rate in targeting big organizations are assessed as likely to be collaborating with technically skilled Pentesters or Affiliates.
  • Among the 72 ransomware groups active in 2023, at least 26 groups were observed to have updated and enhanced their ransomware versions.
    — BlackCat was identified as the group with the most version updates.
  • A total of 18 ransomware groups were identified as having rebranded or showing potential for rebranding in 2023. The reasons for rebranding observed by S2W are as follows:
    — Improve Brand Image, Evolve TTPs, Collaborate with others, Disbanding Group
  • Approximately 84% of active ransomware groups in 2023 operated leak sites on the dark web.
    — There has been a recent increase in the use of social media platforms like Telegram and Clearnet domains.
  • At least 13 ransomware groups were identified as exploiting vulnerabilities throughout 2023.
  • Of these groups, approximately 47% utilized remote code execution (RCE) vulnerabilities to gain internal access to corporate networks.

The detailed ransomware trends for the first and second half of 2023, as disclosed by S2W, can be found below.
- Story of H1 2023: Statistical Insights into Ransomware Trends and Impact on Victims
- Story of H1 2023: In-depth Examination of Notable Ransomware Groups and Key Issues
- Story of H2 2023: Statistical Insights into Ransomware Trends and Impact on Victims
- Story of H2 2023: In-depth Examination of Notable Ransomware Groups and Key Issues

2. Ransomware Risk Assessment

This chapter defines the risk assessment criteria developed by S2W for ransomware groups. These criteria are based on the quantitative and qualitative trends that emerged in 2023. We will also present the results of clustering ransomware groups with similar characteristics based on their risk scores.

To evaluate ransomware groups, we developed risk metrics. Scores are assigned based on the severity of each metric, with higher scores indicating greater risk. We then categorize ransomware groups into four risk levels based on their total score. The detailed criteria for this categorization are shown in Table 1.

Table 1. Risk level classification criteria

2.1. Additive Metric

The metrics that increase the risk of a ransomware group are categorized into 5 perspectives: Activity, Influence, Brand Continuity, Extensibility, and Vulnerability.

2.1.1. Activity

We evaluated the risk of ransomware groups from the perspective of “Activity” by assessing their activity levels on leak sites and the patterns of attacks on victim organizations. The detailed metrics are presented in Table 2.

Table 2. Activity Metric

2.1.2. Influence

By analyzing the damage status of affected organizations by industry group and enterprise size, we evaluated the impact of ransomware groups on specific industries. Additionally, we assessed the proficiency of each group based on the number of successful attacks against large organizations, which formed the basis of the “Influence” metric. The detailed metrics are presented in Table 3.

S2W defined critical industries as non-profit organizations (Education, Medical, Welfare, Culture, Environmental Organizations) and Government agencies.

Table 3. Influence Metric

2.1.3. Brand Continuity

We assessed the risk level of ransomware groups using the “Brand Continuity” metric, which includes ransomware binary updates, expansion of the target environment, rebranding history, and active period. The detailed criteria are shown in Table 4.

Table 4. Brand Continuity Metric

2.1.4. Extensibility

To evaluate the “Extensibility” of ransomware groups, we analyzed their activities and infrastructure on the dark web, considering their collaboration with various groups. This also includes how they use their own tools and maintain the infrastructure for effective attacks and managing victims. The detailed criteria are presented in Table 5.

Table 5. Extensibility Metric

2.1.5. Vulnerability

Finally, the risk of ransomware groups was assessed using the “Vulnerability” metric, which is based on their ability to exploit vulnerabilities and the impact of those exploited vulnerabilities. The detailed criteria are shown in Table 6.

EPSS (Exploit Prediction Scoring System) is a data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild.

Table 6. Vulnerability Metric

2.2. Subtractive Metric

In contrast to the aforementioned Additive Metric, there exist metrics that lower the risk posed by ransomware groups. The detailed criteria are shown in Table 7.

Table 7. Subtractive Metric

2.3. Evaluation of Ransomware Groups’ Risk Level

In order to determine how much impact the subtractive metrics have on measuring the risk of ransomware groups, S2W evaluated the risk of ransomware groups by dividing them based on whether the subtractive metric is applied or not.

2.3.1. Risk measurement results before applying subtractive metrics

The top 5 ransomware groups with the highest scores without applying subtractive metrics were identified as LockBit, BlackCat, CLOP, BlackBasta, and Nokoyawa.

Figure 1. Top 5 groups with the highest combined risk metric values (before applying the subtractive metrics)

The LockBit group, which had the highest total score, was classified as Highly Severe for all metrics except the Influence metric, which was classified as Severe.

According to the Affiliate Rules mentioned on their leak site, the LockBit group is prohibited from attacking industries categorized as “Critical Infrastructure”, suggesting that the LockBit group’s influence in this particular industry may be relatively small compared to other groups.

Figure 2. LockBit Group’s risk assessment results

The BlackCat group, like LockBit, was classified as Severe only in the Influence metric, and Highly Severe in all other metrics.

In particular, the BlackCat group scored very high in the Activity metric. To increase the likelihood that victims would pay the ransom, the group employed blackmail tactics leveraging the U.S. Securities and Exchange Commission’s (SEC) rule that requires disclosure of a cyberattack on a specific form (Item 1.05 of Form 8-K) within four business days.

It is highly unusual for a ransomware group to abuse a regulatory policy and publicly pressure a victim organization on a leak site, suggesting that the BlackCat group is a very clever and sophisticated group of strategists.

Figure 3. BlackCat Group risk assessment results

The CLOP group was categorized as Highly Severe in the Influence, Brand Continuity, and Vulnerability metrics, and Severe in the Activity metric.

Specifically, the CLOP group has a history of exploiting various high-impact 0-day vulnerabilities and tends to generate a large number of victims in a short period of time after exploiting a vulnerability, followed by a relatively low level of activity on its leak sites during other periods.

This raises the possibility that the CLOP group routinely spends a lot of time developing 0-day vulnerabilities. However, the CLOP group does not have a strong presence on the dark web or Telegram, which is why the extensibility metric is Moderate.

Figure 4. CLOP group risk assessment results

The BlackBasta group has a Low Vulnerability metric due to the lack of 0-day vulnerabilities or exploits against products with large numbers of users.

However, the group has a high percentage of attacks against big organizations and major industries, which suggests that the BlackBasta group may have highly skilled pentesters who can infiltrate the internal networks of big organizations or may be working with affiliates.

The Nokoyawa group is one of the groups that scored strongly on the Vulnerability metric. Additionally, the Nokoyawa group’s operators are active on the dark web and have publicly listed affiliates, which contributed to the group being categorized as Highly Severe on the Extensibility metric.

Figure 5. Risk assessment results of BlackBasta and Nokoyawa Group

2.3.2. Risk measurement results after applying subtractive metrics

After applying the subtractive metrics, the LockBit and BlackCat groups, which were in the top 5 groups with the highest scores, were downgraded due to the deduction of points for infrastructure breaches, and the Qilin and BlackByte groups were newly ranked in the top 5 groups.

The risk levels of each of the top 5 groups, as redefined after the subtractive metrics were applied, are shown in Figure 6.

Figure 6. Top 5 groups with high risk metric sum values (after applying subtractive metrics)

Of the original top 5 groups, CLOP, BlackBasta, and Nokoyawa did not have any deduction factors, so they remained in the top group even after the subtractive metric was applied.

Figure 7. Top 3 groups with the highest combined risk metric values (after applying subtractive metrics)

The Qilin group scored Highly Severe in the Extensibility and Brand Continuity metrics. They are actively promoting their RaaS program on the dark web and are using ransomware that targets Linux operating systems in addition to Windows to maintain brand continuity.

Figure 8. Qilin Group risk assessment results

The BlackByte group performs strongly on the Activity and Brand Continuity metrics, especially given that the group has been updating versions of its ransomware and improving its functionality using different programming languages such as C#, C++, and Go from its first discovery in July 2021 through December 2023.

Figure 9. BlackByte Group’s Risk Assessment Results

While the above is a risk assessment of each group based on ransomware group activities in 2023, there was a major issue with the LockBit group in February 2024 when some of their infrastructure was taken down.

When we calculated the score based on the activity in 2023 before this event, the combined risk metric for the LockBit group was 38.7 out of 50, which is very high. However, after the infrastructure take-down issue in 2024 was factored into the risk measure, the total score decreased to 27.07. The scoring scheme presented in this report allows us to quantitatively measure the risk of ransomware groups by reflecting changing metrics.

Figure 10. Change in score for the LockBit group’s infrastructure take-down issue.
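To make the before/after mechanics of the scoring scheme concrete, here is an added example (not S2W's own code or scoring tables). It assumes the five additive perspectives each carry up to 10 points (so the additive maximum is the 50 quoted above), assumed risk-level thresholds in place of Table 1, and a set of constructed groups; only LockBit's two totals (38.7 and 27.07) come from the post, and the single 11.63-point deduction is sized to reproduce them rather than being an S2W line item. The example ranks the groups with and without subtractive metrics and reports which groups leave or enter the top 5, which is the effect described in Section 2.3.2.

```python
"""Additive/subtractive risk scoring for ransomware groups (added illustration)."""
from dataclasses import dataclass, field

# The post names these five additive perspectives and a 50-point additive maximum.
PERSPECTIVES = ("activity", "influence", "brand_continuity", "extensibility", "vulnerability")
MAX_PER_PERSPECTIVE = 10.0  # assumption: 5 perspectives x 10 points = 50

# Assumed level boundaries; the post's Table 1 is not reproduced here.
RISK_LEVELS = (("Highly Severe", 35.0), ("Severe", 25.0), ("Moderate", 15.0), ("Low", 0.0))


@dataclass
class GroupAssessment:
    name: str
    additive: dict                                   # perspective -> points, 0..MAX_PER_PERSPECTIVE
    deductions: dict = field(default_factory=dict)   # subtractive metric -> points removed

    def __post_init__(self):
        # Reject incomplete or out-of-range scorecards before they reach the ranking.
        missing = set(PERSPECTIVES) - set(self.additive)
        if missing:
            raise ValueError(f"{self.name}: missing perspectives {sorted(missing)}")
        for key, value in self.additive.items():
            if key not in PERSPECTIVES or not 0 <= value <= MAX_PER_PERSPECTIVE:
                raise ValueError(f"{self.name}: bad additive score {key}={value}")
        if any(v < 0 for v in self.deductions.values()):
            raise ValueError(f"{self.name}: deductions must be non-negative")

    def additive_total(self) -> float:
        return round(sum(self.additive.values()), 2)

    def total(self, apply_subtractive: bool = True) -> float:
        score = self.additive_total()
        if apply_subtractive:
            score -= sum(self.deductions.values())
        return round(max(score, 0.0), 2)


def risk_level(score: float) -> str:
    """Map a total to one of the four risk levels (assumed thresholds)."""
    for label, floor in RISK_LEVELS:
        if score >= floor:
            return label
    return RISK_LEVELS[-1][0]


def rank(groups, apply_subtractive: bool) -> list:
    """Group names ordered by total score, highest first (ties broken by name)."""
    return [g.name for g in sorted(groups, key=lambda g: (-g.total(apply_subtractive), g.name))]


def top_n_changes(groups, n: int = 5) -> tuple:
    """(dropped, entered) for the top-n list when subtractive metrics are switched on."""
    before = set(rank(groups, False)[:n])
    after = set(rank(groups, True)[:n])
    return sorted(before - after), sorted(after - before)


# Constructed sample. LockBit's 38.7 and 27.07 are the two totals quoted in the post;
# the 11.63-point deduction is sized to reproduce them, not an S2W line item.
# The other groups and all of their numbers are invented placeholders.
SAMPLE_GROUPS = [
    GroupAssessment("LockBit",
                    {"activity": 9.7, "influence": 7.0, "brand_continuity": 8.0,
                     "extensibility": 8.0, "vulnerability": 6.0},
                    {"infrastructure_takedown": 11.63}),
    GroupAssessment("GroupB", {"activity": 7.0, "influence": 8.0, "brand_continuity": 7.0,
                               "extensibility": 5.0, "vulnerability": 9.0}),
    GroupAssessment("GroupC", {"activity": 6.0, "influence": 9.0, "brand_continuity": 6.0,
                               "extensibility": 6.0, "vulnerability": 4.0}),
    GroupAssessment("GroupD", {"activity": 5.0, "influence": 5.0, "brand_continuity": 7.0,
                               "extensibility": 8.0, "vulnerability": 5.0}),
    GroupAssessment("GroupE", {"activity": 6.0, "influence": 4.0, "brand_continuity": 6.0,
                               "extensibility": 6.0, "vulnerability": 6.0},
                    {"public_builder": 0.4}),
    GroupAssessment("GroupF", {"activity": 5.0, "influence": 5.0, "brand_continuity": 6.0,
                               "extensibility": 5.0, "vulnerability": 6.4}),
]

if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        print(f"{g.name:8} before={g.total(False):6.2f} after={g.total(True):6.2f} "
              f"level={risk_level(g.total(True))}")
    print("dropped/entered top 5:", top_n_changes(SAMPLE_GROUPS))
```

Because deductions are applied after the additive sum, a group can keep a Highly Severe additive profile yet fall out of the top ranks once a takedown or a leaked builder is recorded; re-running `rank` with `apply_subtractive=True` is all that is needed when such an event is added to a group's record.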

2.4. Risk-based clustering of groups active in 2023

In addition to measuring the risk of each ransomware group, S2W also worked on clustering ransomware groups with similar characteristics based on the scoring results.

2.4.1. Clustering Ransomware Groups

The Hierarchical Clustering technique based on Ward Distance was used in this process, and the schematic process is shown in Figure 11.

Figure 11. Clustering process

Using the risk metric values of the different ransomware groups, the hierarchical clustering technique was used to evaluate the similarity between each group, and the groups with high similarity were clustered together.

As a result of this clustering process, the 72 ransomware groups were divided into 6 clusters, as shown in Figure 12, and S2W named each cluster Enigma, Follower Group, Rookie Group, Self-Management Expert Group, Destructive Group, and Offensive Group.

Figure 12. Clustering results of ransomware groups

When the 6 clusters were separated by the sum of the risk metrics, the Destructive Group ranked highest in all metrics, while the Rookie Group ranked lowest in all metrics.

Figure 13. Cluster ranking based on the sum value of risk metrics
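As an added illustration (not S2W's code, data, or metric values), the block below implements the Ward-linkage hierarchical clustering described in this section in pure Python and then ranks the resulting clusters by the mean total risk of their members, as in Figure 13. The group names, the five-value vectors, and the choice of three clusters are constructed assumptions; each merge step is recorded so the sequence can be inspected as a dendrogram.

```python
"""Ward-linkage hierarchical clustering of ransomware risk-metric vectors (added example)."""
from math import fsum

PERSPECTIVES = ("activity", "influence", "brand_continuity", "extensibility", "vulnerability")

# Constructed sample vectors (one value per perspective, 0..10); these are
# placeholders, not S2W's measured metric values for any real group.
SAMPLE_VECTORS = {
    "GroupA": (9.5, 8.0, 9.0, 9.0, 9.0),
    "GroupB": (9.0, 8.5, 9.5, 8.5, 8.5),
    "GroupC": (8.5, 9.0, 9.0, 9.0, 9.5),
    "GroupD": (4.0, 5.0, 3.0, 3.5, 9.5),
    "GroupE": (3.5, 4.5, 3.5, 3.0, 9.0),
    "GroupF": (1.0, 1.5, 1.0, 2.0, 1.0),
    "GroupG": (1.5, 1.0, 2.0, 1.0, 1.5),
    "GroupH": (2.0, 1.5, 1.0, 1.0, 1.0),
}


def squared_distance(a, b):
    return fsum((x - y) ** 2 for x, y in zip(a, b))


def ward_merge_cost(size_a, centroid_a, size_b, centroid_b):
    """Increase in total within-cluster sum of squares if the two clusters merge."""
    return size_a * size_b / (size_a + size_b) * squared_distance(centroid_a, centroid_b)


def ward_cluster(vectors, k):
    """Agglomerate singletons with Ward's criterion until k clusters remain.

    Returns (partition, merges): partition is a sorted list of sorted member
    lists; merges records each (left, right, cost) step for a dendrogram.
    """
    if not 1 <= k <= len(vectors):
        raise ValueError("k must be between 1 and the number of groups")
    if len({len(v) for v in vectors.values()}) != 1:
        raise ValueError("all vectors must have the same number of metrics")
    clusters = [{"members": [n], "size": 1, "centroid": tuple(v)} for n, v in vectors.items()]
    merges = []
    while len(clusters) > k:
        # Pick the pair whose merge raises the within-cluster variance the least.
        best = None
        for i in range(len(clusters)):
            for j in range(i + 1, len(clusters)):
                a, b = clusters[i], clusters[j]
                cost = ward_merge_cost(a["size"], a["centroid"], b["size"], b["centroid"])
                if best is None or cost < best[0]:
                    best = (cost, i, j)
        cost, i, j = best
        a, b = clusters[i], clusters[j]
        n = a["size"] + b["size"]
        centroid = tuple((a["size"] * x + b["size"] * y) / n
                         for x, y in zip(a["centroid"], b["centroid"]))
        merges.append((sorted(a["members"]), sorted(b["members"]), round(cost, 4)))
        clusters = [c for idx, c in enumerate(clusters) if idx not in (i, j)]
        clusters.append({"members": a["members"] + b["members"], "size": n, "centroid": centroid})
    partition = sorted(sorted(c["members"]) for c in clusters)
    return partition, merges


def rank_clusters(vectors, partition):
    """Order clusters by the mean total risk of their members, highest first."""
    ranked = []
    for members in partition:
        mean_total = fsum(sum(vectors[m]) for m in members) / len(members)
        ranked.append((members, round(mean_total, 2)))
    return sorted(ranked, key=lambda item: -item[1])


if __name__ == "__main__":
    partition, merges = ward_cluster(SAMPLE_VECTORS, k=3)
    for step, (left, right, cost) in enumerate(merges, 1):
        print(f"merge {step}: {left} + {right} (cost {cost})")
    for members, mean_total in rank_clusters(SAMPLE_VECTORS, partition):
        print(f"{mean_total:6.2f}  {members}")
```

Ward's criterion merges the pair of clusters that least increases the total within-cluster sum of squares, so groups with near-identical metric profiles (the three high scorers, the two vulnerability-heavy groups, the three low-activity groups in the sample) are joined long before any cross-profile merge is attempted; the recorded merge costs make that gap visible.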

2.4.2. Analysis of Each Cluster

Destructive Group

The Destructive Group, with the highest scores across all metrics, consists exclusively of ransomware groups that have been active for more than three years and includes CLOP, BlackCat, and LockBit. These groups also uploaded the most victims to leak sites in 2023, with each group scoring at the Highly Severe level.

Figure 14. Risk assessment results for the Destructive Group

Self Management Expert Group

The Self Management Expert Group consists of 23 ransomware groups that are strong in the Activity, Extensibility, and Brand Continuity metrics. The ransomware groups in this cluster are characterized by a strong presence on the dark web and a variety of infrastructures besides the dark web, such as Twitter and Telegram. With the exception of the Vulnerability metric, the Self Management Expert Group scores well across all metrics, suggesting that it has a high potential to become a Destructive Group.

Table 8. Ransomware groups in the Self-Management Expert Group
Figure 15. Risk Measure Results of the Self-Management Expert Group

We further divided the Self Management Expert cluster into subclusters by examining the groups that clustered first with similar overall metrics. We subsequently analyzed them as depicted in Figure 16. An interesting finding is that ransomware groups that are rebranding or have been previously associated tend to be located in the same subcluster.

  • Rebranding Groups: Royal — BlackSuit / Cyclops — Knight
  • Existing Association with Conti: BlackBasta, BlackByte, AKIRA
Figure 16. Ransomware groups with known associations (Self Management Expert Group)

Offensive Group

The Offensive Group consists of five ransomware groups and shows strength in the Vulnerability metric compared to the other clusters. During 2023, every group in this cluster exploited at least one vulnerability with a CVSS score of 8.0 or higher and at least one with an EPSS score of 80% or higher.

Table 9. Ransomware groups in the Offensive Group
Figure 17. Risk assessment results for the Offensive Group

Follower Group

The Follower Group consists of 13 ransomware groups. This cluster has a relatively low score in the Activity metric but is strong in the Influence metric due to the high percentage of uploaded victims targeting big organizations and major industries. Furthermore, it was found that the Follower Group includes extortion-type groups that, instead of using ransomware, primarily resort to data exfiltration to extort affected companies.

Table 10. Ransomware groups in the Follower Group
Figure 18. Risk assessment results of the Follower Group

As with the Self Management Expert cluster, the groups in the Follower cluster show similar overall metrics, so we separated the groups that clustered first into subclusters, shown in Figure 19. Ransomware groups with rebranding relationships were also found in the Follower Group.

  • Rebranding Groups: Hive-Hunters / LostTrust — Metaencryptor
Figure 19. Ransomware groups with known associations (Follower Group)

Rookie Group

The Rookie Group consists of ransomware groups that have been active for a year or less, or show little activity on the dark web and leak sites. Everest and CryptNet, which have been identified on dark web forums, score relatively high on Extensibility; the other ransomware groups do not stand out on any metric, but the cluster is nonetheless considered potentially dangerous.

Table 11. Ransomware groups in the Rookie Group
Figure 20. Risk assessment results for the Rookie Group

Enigma

Finally, Enigma is a cluster composed solely of the Werewolves group, which is unique in its own right. Discovered in the second half of 2023, the Werewolves group has no activity on the dark web, and its leak sites are only deployed on Clearnet. Furthermore, many of the uploaded victims were identified as having previously been uploaded by the LockBit group, and unusually, the group posted Russian organizations as victims.

Figure 21. Risk assessment results for Enigma Group

To determine the most threatening ransomware groups in 2023, we considered both the risk of each ransomware group and the clustering results. From the ransomware groups belonging to the top 2 clusters, the Destructive Group and the Self Management Expert Group, we selected the 3 ransomware groups per cluster with the highest combined risk metrics. The selected groups are shown in Figure 22.

LockBit and BlackCat, even with the subtractive metrics applied, still ranked in the top 10 in the combined risk metrics, showing that they remain influential ransomware groups.

Figure 22. Ransomware groups with the highest risk levels in 2023

Using this risk scoring scheme, we quantitatively measure the risk of each ransomware group and cluster ransomware with similar characteristics to identify the ransomware groups that pose the greatest threat. The risk scoring system presented in this report is expected to enable rapid and quantitative risk assessment in the future, even as new ransomware groups emerge and their activities change.

Conclusion

1. Results of risk measurement by ransomware group

  • We measured the risk of each ransomware group according to the 21 metrics we developed.
  • Before applying the subtractive metrics, the top 5 groups with the highest risk levels were as follows:
    Top 5 Groups: LockBit, BlackCat, CLOP, BlackBasta, Nokoyawa
  • After applying the subtractive metrics, the risk of ransomware groups was reassessed, and the top 5 groups were:
    Top 5 Groups: CLOP, BlackBasta, Nokoyawa, Qilin, BlackByte

2. Ransomware group clustering results

  • We clustered ransomware groups with common characteristics based on the sum of the risk metrics of each ransomware group, and the characteristics of each cluster were as follows:
    Destructive Group: The cluster with the highest level of risk across all 5 additive metrics.
    Self Management Expert Group: The cluster of groups that are active on the dark web and leverage a variety of infrastructures, including Telegram and Twitter.
    Offensive Group: The cluster of groups with a history of exploiting high-impact vulnerabilities throughout 2023.
    Follower Group: The cluster characterized by a high proportion of targets in large organizations and high-profit industries, including extortion-type groups that blackmail victims through data breaches.
    Rookie Group: The cluster of groups that have been active for less than a year and have a low level of activity on leak sites, indicating a potential future risk.
    Enigma: A cluster consisting solely of the Werewolves group, characterized by infrastructure built on Clearnet and targeting of Russian organizations.

3. Takeaway

  • This report allows us to prioritize and address the attack methods used by high-risk ransomware groups, enabling proactive measures to prevent damage.
  • To propose countermeasures for each metric that increases the risk of ransomware groups, we utilized mitigations provided by MITRE Framework, D3FEND, and RE&CT. Detailed mitigations by metric are attached in Appendix A.
  • In the future, these metrics can be adjusted based on the specific industries and characteristics of each organization to evaluate which ransomware groups pose the greatest threat, aiding in proactive attack prevention.

Appendix A

Mitigation for metrics that increase the risk of ransomware groups

Appendix B

Identified duplicate victims uploaded in 2023

S2W specializes in cybersecurity data analysis for cyber threat intelligence.