
What businesses can learn from the malware that rocked 2023

  • Written by Tyler Moffitt, Sr. Security Analyst & Community Manager, OpenText


“The only real mistake is the one from which we learn nothing” -- Henry Ford

Last year saw a rise in malware attacks, both in quantity and sophistication, and the emergence of the next generation of malware groups poised to replace notorious gangs such as REvil. Now, only a couple of months into the new year, malware continues to be the primary weapon of choice for cybercriminals seeking to monetise breaches.

While it's impossible to predict what 2024 has in store with complete certainty, we can look to past trends to get a better understanding of how these groups operate, the tools they employ, and the kinds of businesses most at risk. Past knowledge is key to predicting where the industry is moving so we can better prepare and remain resilient. So, with this in mind, what insights can businesses glean from 2023's nastiest malware groups?

RaaS becomes the new standard

The average ransom payment skyrocketed in 2023, rapidly approaching three-quarters of a million dollars. This prompted gangs to explore new ways of capitalising on this form of attack—enter Ransomware-as-a-Service (RaaS).

This “business model” treats ransomware attacks as a service, allowing cybercriminals to purchase and launch attacks with relative ease; the operators provide all the tools and infrastructure necessary for ransomware campaigns. It is designed to make it easier for even entry-level cybercriminals to launch ransomware attacks, as they do not need the technical expertise to develop their own ransomware payloads or command-and-control servers. Instead they become an affiliate working within the ransomware authors' business model, and all parties involved share the ransom. The affiliate is responsible for conducting the attack and then facilitating the payment in cryptocurrency, a process the victim must in many cases be walked through. These are the riskiest tasks and the ones that leave the largest footprint, which is why affiliates are always the most likely to be apprehended by law enforcement. Elite ransomware authors appear to have concluded that profit sharing and risk mitigation are top contributors to their consistent success and reliable evasion of authorities. All of the top ransomware families and campaigns in 2023 were orchestrated using this RaaS model, and we have no expectation of this stopping anytime soon.

This shift towards RaaS highlights just how tenacious cybercriminals are in finding new ways to launch and spread their attacks, but there is good news. According to research, only 29% of businesses pay the ransom, an all-time low. These numbers indicate that businesses are taking threats seriously and investing in security so that they are in a position where they do not need to pay.

The top ransomware families of 2023

Cl0p

Cl0p is known for its sophisticated attack techniques and its ability to target a wide range of organisations. Cl0p ransomware is often delivered via phishing emails sent from botnets; these emails appear to come from a legitimate source. They often contain malicious attachments or links that, when clicked and launched, infect the network and prepare it for ransomware deployment.

Black Cat

Black Cat is a successor to the REvil ransomware, which was one of the most active ransomware groups in 2021. Attackers identify the weakest link in a system and break in through a vulnerability there. Most of the time, this is users falling for a phishing link, but sometimes software vulnerabilities are exploited. Once inside, they grab the most sensitive data, steal it, and then encrypt the environment to cause panic.

AKIRA

Akira ransomware, presumed to be a descendant of the Conti ransomware group, focuses on small to medium-sized businesses. They employ a web-based JavaScript terminal emulator to give a vintage and retro aesthetic to their data leak website and encrypt all files with an .AKIRA file extension.

Lockbit 3.0

Lockbit ransomware was responsible for around one-fifth of all ransomware attacks last year. It is now in its third iteration and is more modular and evasive than its predecessors. Encrypted files are now also given a random 9-character file extension. CISA reports that the group primarily targets US small to medium-sized businesses and has collected almost $100 million in payments, with an average ransom of $85,000 per victim. One notable internal practice that contributes to its success is assuring payment by allowing affiliates to receive the ransom first and then send a cut to the core group. This is the opposite of other RaaS groups, which require the core payload group to be paid first before it distributes the affiliates' cut.

Royal

Believed to be the successor to the Ryuk ransomware group, Royal targets IT, finance, materials, healthcare, and government organisations. The group has its own brand and changes encrypted files' extension to ".royal". It also uses a partial encryption approach that lets the attackers choose a specific percentage of each file's data to encrypt, which helps evade detection because much of the file still looks normal.
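The family profiles above give defenders two concrete signals: ransomware-style renames (the ".AKIRA" and ".royal" extensions, and Lockbit 3.0's random 9-character extension) and the partial-encryption trick that leaves a file's header readable so a header-only entropy check sees nothing unusual. The following Python script, an added example written for this article and not code from OpenText or from any of the groups described, walks a directory, flags suspicious extensions, and samples entropy at several offsets across each file rather than only at the start. The sample files it creates are constructed for the demonstration; the 7.5 bits/byte threshold, the alphanumeric pattern assumed for the random extension, and the chunk and sample counts are the example's own assumptions.

```python
"""Detect ransomware-style renames and partial encryption in a directory tree.

Added example for the article above, not OpenText's product code or any
ransomware family's own code. The extensions .AKIRA and .royal and the
"random 9-character extension" come from the article; thresholds, the
sampling scheme and the sample files are this example's assumptions."""

import math
import os
import re
import tempfile
from collections import Counter

KNOWN_RANSOM_EXTENSIONS = {".akira", ".royal"}   # named in the article
RANDOM_EXT = re.compile(r"^\.[A-Za-z0-9]{9}$")    # Lockbit 3.0 style; alphanumeric is an assumption
HIGH_ENTROPY = 7.5                                # bits/byte; assumed threshold for random-looking data
CHUNK = 4096                                      # bytes examined per sample
SAMPLES = 8                                       # samples spread across the file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: about 8.0 for encrypted data, roughly 4 to 5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extension_reason(name: str):
    """Return why a filename looks ransomware-renamed, or None if it does not."""
    ext = os.path.splitext(name)[1]
    if ext.lower() in KNOWN_RANSOM_EXTENSIONS:
        return f"known ransomware extension {ext}"
    if RANDOM_EXT.match(ext):
        return f"random 9-character extension {ext}"
    return None


def entropy_profile(path: str):
    """Return (header_entropy, max_chunk_entropy) for one file.

    Partial encryption leaves the start of the file readable, so a scanner
    that only inspects the header sees normal entropy. Sampling SAMPLES
    chunks spread over the whole file catches an encrypted region wherever
    it sits."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        header_h = shannon_entropy(f.read(CHUNK))
        if size <= CHUNK:
            return header_h, header_h
        max_h = header_h
        step = (size - CHUNK) / (SAMPLES - 1)
        for i in range(1, SAMPLES):
            f.seek(int(i * step))
            max_h = max(max_h, shannon_entropy(f.read(CHUNK)))
    return header_h, max_h


def scan_directory(root: str):
    """Walk root and return {relative_path: [reasons]} for flagged files only."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            ext_reason = extension_reason(name)
            if ext_reason:
                reasons.append(ext_reason)
            header_h, max_h = entropy_profile(path)
            if max_h >= HIGH_ENTROPY:
                where = "throughout" if header_h >= HIGH_ENTROPY else "in the body only (partial encryption?)"
                reasons.append(f"high entropy {where}: max {max_h:.2f} bits/byte")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def build_sample_tree(root: str):
    """Create constructed sample files (not real malware samples) for a self-contained run."""
    text = b"Quarterly report: revenue, expenses and headcount by region.\n" * 400
    random_bytes = os.urandom(32 * 1024)
    with open(os.path.join(root, "report.docx.txt"), "wb") as f:      # ordinary readable document
        f.write(text)
    with open(os.path.join(root, "report.docx.royal"), "wb") as f:    # readable header, encrypted middle
        f.write(text[:8192] + random_bytes + text[8192:])
    with open(os.path.join(root, "budget.xlsx.AKIRA"), "wb") as f:    # fully encrypted, .AKIRA extension
        f.write(random_bytes)
    with open(os.path.join(root, "notes.txt.aB3dE9fGh"), "wb") as f:  # random 9-character extension
        f.write(random_bytes)


def demo():
    """Build the sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Entropy on its own is a noisy signal, since compressed formats such as zip archives, JPEG images and Office documents (which are zip containers) are also high-entropy throughout; in practice the sampled-entropy result is combined with the extension check and with the rate at which files in a share are being rewritten, and surfaced as the kind of admin alert the article recommends rather than acted on automatically.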

What can businesses learn from last year's threats?

With new and returning faces entering the ransomware scene, the complexity of attacks is only growing. Still, with a healthy dose of preparedness and the right security partner, businesses can stay ahead. Choose a solution that uses real-time, global threat intelligence and machine learning to stop threats. Look for protection with multi-layered shielding to detect and prevent attacks at numerous different attack stages, test backups regularly, and set alerts so admins can easily see if something's amiss.

However, preventing attacks will always start with stronger awareness among employees. Be suspicious of any emails, texts, phone calls or social media messages that ask for personal info. Additionally, regular cybersecurity awareness training and phishing simulations help keep data safe and secure.

The trajectory set in 2023, with the rise of RaaS and the decentralisation of malware, has ushered in a new era of cybercrime. Rather than taking a wait-and-see approach, businesses of every size must take steps to protect themselves, and through a combination of awareness, understanding, and the right support, businesses can remain resilient against emerging threats.
