Ransomware review: December 2023
In November, ransomware gangs attacked at least 457 victims—the highest monthly count in 2023, after May’s record numbers.
This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.
In November there were 457 total ransomware victims, making it the most active month for ransomware gangs in 2023 so far besides May. The top stories of the month include ALPHV’s shutdown, an increased focus on the healthcare sector, and high-profile attacks on Toyota, Boeing, and more using a Citrix Bleed vulnerability (CVE-2023-4966).
We’ve written about a few ransomware gangs getting shut down this year, including Hive in January and RansomedVC in October, but ALPHV is the latest—and arguably biggest—name to be crossed off of law enforcement’s hit list in 2023. The fate of the gang was sealed in early December, when their data leak sites suddenly became unavailable. Shortly thereafter, researchers at RedSense confirmed that law enforcement was indeed behind the takedown action.
ALPHV’s shutdown represents a huge blow to the ransomware world—and a big win for defenders. With a total of 573 victims since February 2022, it’s no exaggeration to say that ALPHV was second only to LockBit in being organizations’ biggest ransomware threat. The demise of ALPHV can be examined through a few different lenses. For one, it’s a reminder that no ransomware gang—however prolific or well-resourced—is immune to downfall.
The good news in all this is that today’s who’s who can be tomorrow’s nobody. The bad news? That same logic works in reverse as well: Today’s nobody can be tomorrow’s who’s who.
This is the case we’ve seen with gangs like Medusa or 8BASE. For every head lopped off the ransomware Hydra, it feels like three more grow in its place. However, none of this is to say that decisive law enforcement action doesn’t deter ransomware gangs to some extent—it does. One can hope that ransomware gangs see a Goliath like ALPHV get felled and think twice about wantonly attacking organizations at the rate we’ve been seeing lately.
In other news, attacks on the healthcare sector last month reached an all-time high at 38 total attacks.
The record follows a steady uptick in attacks on the sector we’ve observed over the past year. According to the findings released by the Department of Health and Human Services last month, there has been a 278% increase in ransomware attacks on the health sector over the past four years. “The large breaches reported this year have affected over 88 million individuals, a 60% increase from last year,” the agency also said.
Ransomware attacks on healthcare, 03/22 to 11/23
An attack on Ardent Health Services last month stands as a devastating reification of the trend. The attack, which occurred on Thanksgiving Day, left emergency rooms in multiple hospitals across four US states shut down for five days.
What explains the rise and focus on attacks on the healthcare sector? Well, for one thing, there isn’t a clear bias of one gang disproportionately targeting health care—our data shows LockBit is consistently at the top of the list, as they are likely for most sectors. The explanation, then, likely resides in a combination of facts:
- Ransomware attacks are up overall for all sectors
- Healthcare is easy to attack (Large number of weak points due to use of legacy systems, third-party vendors, etc.).
- Healthcare might be more likely to pay (Higher desire to protect sensitive patient data).
Pair this up with a Thanksgiving holiday, and a bigger increase in attacks on health care is somewhat expected.
In other news, ransomware gangs rushed to exploit the Citrix Bleed vulnerability last month, taking advantage of a massive attack surface with over 8,300 vulnerable devices. LockBit led the fray by using the vulnerability to breach the likes of the Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing. Reported to have been in use as a zero-day since late August, Citrix Bleed provides attackers with the capability to bypass multi-factor authentication (MFA) and hijack legitimate user sessions. It is also said to be very easy to exploit.
Known ransomware attacks by gang, November 2023
Known ransomware attacks by country, November 2023
Known ransomware attacks by industry, November 2023
One of the most interesting developments last month was new reports reinforcing claims that Rhysida may be a rebrand of the infamous Vice Society ransomware gang. Not only does Rhysida share many operational and technical patterns with Vice Society—including using NTDSUtil for backups in ‘temp_l0gs’ and SystemBC for C2 communications—but the distribution of their monthly attacks lines up as well. Vice Society hasn’t been active since June 2023—the same month we witnessed the rise of Rhysida.
Vice Society vs Rhysida monthly ransomware attacks. Rhysida seems to pick up right where Vice Society dropped off
That being said, a rebrand isn’t confirmed. Perhaps Rhysida is a splinter group. Whatever the explanation, however, it’s almost certain this pattern is no mere coincidence—especially considering the victimology of the two groups is extremely similar (a focus on education and healthcare sectors).
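As an added detection example (not code from the original article), here is a small Python check that flags the NTDSUtil-export-to-‘temp_l0gs’ pattern shared by Rhysida and Vice Society in process-creation telemetry. The pipe-separated event layout, the sample log lines and the allow-list of approved backup directories are constructed assumptions, not real telemetry.

```python
import re

# Constructed process-creation events in a simplified "ts|host|parent|image|cmdline"
# layout (not real telemetry). The fields mirror what Windows 4688 or Sysmon Event ID 1 carry.
SAMPLE_EVENTS = [
    '2023-11-14T02:11:07Z|DC01|cmd.exe|C:\\Windows\\System32\\ntdsutil.exe|'
    'ntdsutil.exe "ac i ntds" ifm "create full C:\\temp_l0gs" q q',
    '2023-11-14T03:00:00Z|DC01|services.exe|C:\\Windows\\System32\\ntdsutil.exe|'
    'ntdsutil.exe ifm "create full D:\\ADBackups\\weekly" q q',
    '2023-11-14T03:05:12Z|WS07|explorer.exe|C:\\Windows\\System32\\notepad.exe|'
    'notepad.exe C:\\temp_l0gs\\notes.txt',
    '2023-11-14T04:17:41Z|DC02|powershell.exe|C:\\Windows\\System32\\ntdsutil.exe|'
    'ntdsutil.exe "activate instance ntds" ifm "create full C:\\Users\\Public\\x" q q',
]

# Hypothetical allow-list: directories where scheduled AD backups legitimately land.
APPROVED_BACKUP_DIRS = ("d:\\adbackups",)
# Directory name reported in Rhysida / Vice Society intrusions (see the text above).
KNOWN_BAD_DIRS = ("temp_l0gs",)

# Captures the target directory of an "ifm ... create full <dir>" invocation.
IFM_RE = re.compile(r'create\s+full\s+"?([^"]+?)"?\s+q\b', re.IGNORECASE)


def classify(event):
    """Return (severity, reason) for an ntdsutil IFM (NTDS.dit) export, or None if not relevant."""
    ts, host, parent, image, cmdline = event.split("|", 4)
    if not image.lower().endswith("\\ntdsutil.exe"):
        return None
    m = IFM_RE.search(cmdline)
    if not m or "ifm" not in cmdline.lower():
        return None  # ntdsutil used for something other than an IFM export
    target = m.group(1).strip().lower()
    if any(bad in target for bad in KNOWN_BAD_DIRS):
        return ("high", f"{host} {ts}: NTDS export to known Rhysida/Vice Society path {target}")
    if not any(target.startswith(ok) for ok in APPROVED_BACKUP_DIRS):
        return ("medium", f"{host} {ts}: NTDS export to unapproved path {target} (parent {parent})")
    return ("info", f"{host} {ts}: NTDS export to approved backup path {target}")


def scan(events):
    """Run classify() over every event and keep only the ntdsutil findings."""
    return [r for r in (classify(e) for e in events) if r is not None]


if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
```

Any NTDS export outside the approved directories is worth a ticket on its own; the known-bad directory name only raises the priority.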
New Player: MEOW
First detected in August 2022, Meow ransomware, linked to the Conti v2 variant, reappeared after vanishing in February 2023. The group published nine victims to its leak site in November.
Operating as MeowCorp or MeowCorp2022, it encrypts files with a “.MEOW” extension and sends ransom notes demanding contact via email or Telegram. Using ChaCha20 and RSA-4096 encryption, Meow is related to other malware strains originating from the leaked Conti variant. Its dark web site shows a limited victim list, including the high-profile entity Sloan Kettering Cancer Center.
Preventing Ransomware with ThreatDown
ThreatDown detecting LockBit ransomware
ThreatDown automatically quarantining LockBit ransomware
ThreatDown Bundles combines the technologies and services that resource-constrained IT teams need into four streamlined, cost-effective bundles that take down threats and take down ransomware gangs:
- ThreatDown Core Bundle: Next-gen AV and threat surface reduction. A simple yet superior solution integrating award-winning endpoint protection technologies.
- ThreatDown Advanced Bundle: Everything included in core plus Managed Threat Hunting and Ransomware Rollback. Tailored for smaller security teams with limited resources.
- ThreatDown Elite Bundle: Everything in Advanced plus 24/7/365 expert monitoring and response by Malwarebytes MDR analysts. Purpose-built for organizations with small (to non-existent) security teams that lack the resources to address all security alerts.
- ThreatDown Ultimate Bundle: Everything in Elite plus protection from whole categories of malicious websites. Perfect for teams looking for a one-and-done shortcut to cybersecurity done right.
Try ThreatDown bundles today