Corvus Insurance recently analyzed data from the dark web and ransomware leak sites that uncovered a 60% increase in ransomware victims in March 2023, marking the highest monthly victim count observed in the past two years. We sat down with Ryan Bell, Threat Intelligence Manager at Corvus Insurance, to discuss the company's findings and their industry implications in greater detail.
What is the significance of Corvus Insurance's newly analyzed data from the dark web and ransomware leak sites, and what does it tell us about the current state of ransomware attacks?
Based on data drawn from our threat intelligence sources, Corvus observed 452 new ransomware victims on leak sites in March 2023 which is the highest monthly number seen in the past two years. We found that the overall number of ransomware victims listed on dark web leak sites increased by 60% between January and February of this year, climbing another 69% from February to March.
The relative reprieve from ransomware in 2022 wasn’t going to last forever. Just a few months into 2023, ransomware is already showing a resurgence. Threat actors carrying out these attacks have demonstrated a rich appetite for exploiting software vulnerabilities against a large number of targets. As the effectiveness of some of the more “traditional” attack vectors wane, attackers aren’t wasting time to identify — and opt for — new methodologies.
As an example, think of something like sending mass amounts of phishing emails. This is akin to sitting there with a fishing rod. You may get some bites, or you may not. Compare this to what CL0P did, which was find and exploit a single vulnerability, giving them access to over 100 different organizations in the span of a few days. To a ransomware group, this is like catching a whale. This is a trend that’s likely to persist; making the current state of ransomware active and dangerous.
Analyzing this data allows us to better identify and predict where cyber attacks are headed, and provides some semblance of a guide to forecast the “weather” of ransomware. This early warning gives organizations more time to prepare and to not lower their defenses.
Can you provide more information about the CL0P ransomware gang's attack campaign targeting GoAnywhere, and how significant was their impact on the 22% of March's claimed ransomware victims?
The CL0P ransomware gang is partially responsible for the increased numbers in March. CL0P claims to have compromised over 130 organizations by exploiting vulnerable GoAnywhere file transfer software and began publishing victims en masse on its leak site. The group did this by identifying a software vulnerability and quickly exploiting it at scale — a tactic we’ll likely see more of.
CL0P listed nearly as many victims in a single month as it did in all of 2021 and 2022 combined, indicating that the flurry of activity in March is not necessarily representative of their typical behavior. However, even without CL0P’s contribution, the number of claimed ransomware victims in March would have been a 31% increase over February 2023, a 23% increase YoY, and would remain one of the highest months on record. With or without CL0P’s campaign, ransomware victim metrics this year are far above the typical threshold for February and March.
How do the YoY increases in ransomware attacks in February and March 2023 compare to previous years, and what does this indicate for future trends?
It’s fair to say that ransomware attacks in February and especially March 2023 have been far above normal levels. February 2023 saw a 31% increase over the prior year while March was a whopping 60% higher than last year and 141% higher than two years ago.
While ransomware attacks began to show signs of cooling off in 2022, this new data shows that threat actors are back and using better tactics to compromise organizations. Our concern is that too many enterprises are likely still on the back foot when it comes to shoring up their defenses. Ransomware continues to be lucrative for threat actors and they’ve made shifts to continue monetizing, which means there will very likely continue to be more attacks. In particular, we are keeping an eye out for increased large-scale attacks like CL0P’s GoAnywhere campaign. Vulnerabilities that allow a ransomware group to exploit dozens or even hundreds of victims in a short time are a jackpot for threat actors.
This makes a robust vulnerability management program all the more important. The time delta between when security software updates are released and when threat actors are able to take advantage of a new vulnerability seems to keep getting smaller. It’s more crucial to stay on top of software vulnerabilities than it ever was before.
In light of these findings, what should cyber insurers and enterprises be doing to strengthen their defenses against ransomware attacks, and how can they remain vigilant in the face of such well-equipped ransomware groups?
Although ransomware attacks were down in 2022, they came back with a vengeance right as 2023 began. Given these trends, it’s critical that cyber insurers remain vigilant, and enterprises and insurance carriers alike can’t start lowering their defenses. There’s no question that vulnerability management is especially paramount. The year is young and we’ve already seen two major ransomware campaigns leveraging a software vulnerability to extort a large number of victims in a short time.
Cyber insurers, like Corvus, will continue to closely monitor the threat landscape to protect insureds and contribute to the collective defense of the community. The security controls that insurance carriers require are more applicable now than ever, and it’s imperative for cyber insurers to stay privy to real-time data. Reviewing quarterly or annual reports rooted in outdated statistics and trends isn’t going to cut it. The threat landscape is ever changing and evolving day by day, week by week — so enterprises and cyber insurance partners need to do the same.