Unit 42 is the threat intelligence and response arm of Palo Alto Networks and has recently released its Ransomware Retrospective 2024: Unit 42 Leak Site Analysis. In the report, Unit 42 found a “49% increase in victims reported by ransomware leak sites” compared to 2022.
According to Unit 42, 2023 attacks leaned on specific vulnerabilities, such as a SQL injection flaw in MOVEit Transfer and a pre-authentication remote code execution flaw in GoAnywhere MFT, as well as an uptick in exploitation of zero-day vulnerabilities (flaws exploited before the vendor has released a patch, and often before they are publicly disclosed).
The report singled out the MOVEit Transfer hack, undertaken by the Clop Ransomware Gang, which affected more than 3,000 US-based organizations and 8,000 victims globally. The primary sectors hit by these attacks were manufacturing, professional and legal services, and high-tech.
As far as motivation is concerned, the report states, “Leak site data reveals at least 25 new ransomware groups emerged in 2023, indicating the continued attraction of ransomware as a profitable criminal activity.” Fortunately, the report indicates, “Despite the appearance of new groups such as Darkrace, CryptNet and U-Bomb, many of these new ransomware threat actors did not last and disappeared during the second half of the year.”
Unit 42 observed 3,998 postings on ransomware leak sites, up from 2,679 in 2022. This 49% increase was likely driven by exploitation of zero-day vulnerabilities, “such as CVE-2023-0669 for GoAnywhere MFT or CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708 for MOVEit Transfer SQL Injection.”
The report also notes that not all ransomware attackers are able to leverage zero-day vulnerabilities; some groups turned out to be run by inexperienced actors who relied on old, already-patched flaws instead. One example was an unknown group that targeted VMware ESXi environments in a campaign labeled ESXiArgs, which exploited CVE-2021-21974, a flaw in the hypervisor's OpenSLP service that had been patched two years before the campaign. It still hit more than 3,800 servers, a reminder that against unpatched, internet-exposed hosts an old n-day works as well as a zero-day.
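The MOVEit CVEs above are SQL injection bugs, so it is worth seeing the vulnerability class in its simplest form. The following is an added illustration, not code from the Unit 42 report or from MOVEit Transfer, and it does not reproduce the MOVEit flaw itself: the table, the rows and the `nobody' OR '1'='1` payload are constructed for the example, and the two lookup functions are hypothetical names chosen here. It shows a query assembled by string formatting leaking every row to an attacker-supplied username, beside the same query with a bound parameter, which returns nothing for the same input.

```python
import sqlite3

# Constructed in-memory user store standing in for an application's database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, api_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "h1", "tok-alice"), ("bob", "h2", "tok-bob")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Attacker-controlled input spliced directly into the SQL text: the quote in
    # the input closes the string literal and the rest becomes part of the query.
    sql = f"SELECT username, api_token FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Same query with a bound parameter: the driver sends the value separately,
    # so the input can never change the structure of the statement.
    sql = "SELECT username, api_token FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed injection payload: a closing quote followed by an always-true clause.
PAYLOAD = "nobody' OR '1'='1"


def compare(username):
    """Return (rows from the vulnerable lookup, rows from the parameterized lookup)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, username), lookup_parameterized(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    vulnerable_rows, safe_rows = compare(PAYLOAD)
    print("string-built query returned", len(vulnerable_rows), "rows")   # every user
    print("parameterized query returned", len(safe_rows), "rows")        # none
```

The point for defenders reviewing vendor-supplied web applications is that the fix is structural: binding parameters (or an ORM that does so) removes the class of bug, whereas input filtering only narrows the payloads that still work.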
The report also lays out some of the new threat groups that were discovered during the year, such as:
- 8Base
- Abyss
- Akira
- BlackSuit
- Cactus
- CiphBit
- Cloak
In addition, Unit 42 discovered new ransomware leak sites like:
- U-Bomb
- CryptNet
- CrossLink
- Rancoz
- DarkRace
The news was not all bad. 2023 saw the demise of several ransomware groups. According to the report, this is due to “…overexposure and aggressive tactics, which attracted the attention of law enforcement agencies and cybersecurity organizations. These ransomware groups were under a spotlight that led to increased pressure and operational challenges.”
As for affected industries, Unit 42 made a point of saying the biggest motivating factor was profit, which meant most attack groups targeted “organizations across multiple industries” rather than any one sector, with the US comprising 47.6% of the victims. The sectors hit hardest included:
- Manufacturing
- Professional & Legal
- High-tech
- Wholesale & Retail
- Construction
- Healthcare
- Financial Services
The report concluded that 2023 saw a “thriving” landscape for ransomware attacks, which was reflected by the leak sites. It did end with one silver lining: “Although the landscape remains fluid, law enforcement’s growing effectiveness in combating ransomware signals a welcome change.”