Ransomware Trends Q2 2023: Surge in Attacks Across Asia-Pacific, Persistent Multiple Extortion, and Evolving Threat Landscape
The evolution of ransomware has significantly affected businesses in recent years. Current trends show that ransomware operators increasingly rely on multiple extortion strategies, and that they have extended their reach to platforms that previously received less scrutiny, such as the macOS operating system. By employing diverse technical methods to evade detection and by exploiting vulnerabilities in a range of widely deployed products, they have made ransomware attacks harder to detect and prevent.
Significant Increase in Ransomware Attacks in the Asia-Pacific Region
There has been a significant increase in ransomware attacks targeting the Asia-Pacific region. According to research by cyber security firm Check Point, in the second quarter of 2023 one in every 44 organisations worldwide experienced a ransomware attack. In the Asia-Pacific region, the number of attacks rose by 29 percent compared with the same period in 2022, indicating a clear upward trend. Among the sectors affected, government/military, healthcare and education/research suffered the highest number of ransomware attacks, and utilities, insurance/legal and consulting organisations also saw a rise. Recently, a hospital chain in California had to suspend most of its IT services because of a ransomware attack, affecting 17 hospitals and 166 clinics. It is therefore crucial for the affected industries and organisations to strengthen their cyber security measures against such threats.
Multiple Extortion Continues
Based on research conducted by cyber security firm Palo Alto Networks Unit 42, data theft occurred in an average of 70% of ransomware cases as of late 2022. This is a significant increase compared with mid-2021, when data theft occurred in only around 40% of cases on average. Additionally, research by cyber security firm Cisco Talos showed a 25% increase in the number of data theft extortion cases in the second quarter of 2023 compared with the first quarter. These findings indicate a continuing and escalating trend of multiple extortion and data theft. In such attacks, ransomware gangs coerce victim organisations by threatening to leak stolen data on the dark web if the ransom is not paid, so that even a victim with sound backups still faces pressure to pay.
Recently, Hawaii Community College even paid a ransom to a ransomware gang to prevent a data leak. Although the gang removed the organisation's entry from its data leak site after receiving the ransom, it cannot be ruled out that the attackers will extort the victim again or leak the data in the future, since payment does not give the victim any guarantee that the stolen copies have been destroyed.
Ransomware Keeps Evolving
Recently, the well-known ransomware gang and service provider LockBit introduced a new variant specifically targeting Apple macOS devices. In addition, research by cyber security firm Uptycs revealed that the ransomware service provider Cyclops has developed ransomware that can infect all three major operating systems (Windows, Linux and macOS). This indicates an increasing trend among ransomware gangs to target a variety of systems. Furthermore, a new ransomware called Cactus exploits vulnerabilities in VPN devices to gain initial access to the victim organisation's network and then infects devices within it. What sets Cactus apart from other ransomware is that it encrypts its own executable, so that the payload is only decrypted at run time. This helps it evade static detection by antivirus software and content inspection tools, allowing it to carry out malicious activities undetected; behaviour-based monitoring of what the decrypted payload actually does on the host remains an effective way to catch it.
According to research by cyber security firms Cisco Talos and VMware, two new ransomware operations emerged in the second quarter of 2023, namely 8Base and MoneyMessage. 8Base was first observed in March 2022, but its activity increased dramatically from June 2023 onwards. 8Base uses a customised build of the Phobos ransomware to conduct data theft and file encryption; Phobos itself is sold in the underground market as ransomware-as-a-service (RaaS). MoneyMessage ransomware activity was first discovered in March 2023, and, like 8Base, it follows the double extortion model. Given the increasing ransomware activity, it is crucial to take immediate action and implement proactive measures to mitigate the risks posed by ransomware attacks.
Exploiting Product Vulnerabilities to Conduct Attacks
Numerous ransomware gangs are actively exploiting vulnerabilities in widely deployed products to gain initial access and steal data. For example, the Bl00dy, Clop and LockBit ransomware gangs have been observed exploiting vulnerabilities in PaperCut, GoAnywhere MFT and MOVEit Transfer. These vulnerabilities serve as entry points for data theft and facilitate lateral movement within compromised networks. PaperCut is a widely adopted print and document management solution used by enterprises and educational institutions, while GoAnywhere MFT and MOVEit Transfer are enterprise-level file transfer and collaboration platforms designed to provide secure file sharing and transfer. Because these products are typically Internet-facing and hold or relay sensitive files, a single unpatched instance can give an attacker both a foothold and a ready supply of data to hold to ransom, which is why patching them promptly and limiting their exposure is a priority.
Measures to Strengthen Defence
The evolution of ransomware continues, with attackers expanding their focus beyond a single operating system and actively developing new techniques to evade detection and amplify the impact of their attacks. This presents a substantial challenge for cyber security and data protection efforts, and underscores the need for organisations and individuals alike to heighten their security awareness and implement robust protective measures. Strengthening defences against these evolving threats is both urgent and important.
HKCERT advises users and system administrators to stay alert and take appropriate protection measures:
- Update and upgrade systems and applications regularly, including operating systems and anti-virus software, and prioritise patches for Internet-facing products such as VPN gateways and file transfer platforms;
- Change your passwords regularly, and use Multi-Factor Authentication (MFA) to increase the security of your accounts;
- Back up important files and data regularly, store the backups offline and encrypted, and test that they can actually be restored;
- Conduct regular cyber security training to keep abreast of the latest cyber threats and enhance staff ability to recognise cyber-attacks;
- Minimise the number of users with privileged access (e.g. domain administrative rights) to confine the scope and impact of an attack, and use a standard account for day-to-day operations;
- Harden the network infrastructure and minimise the points of exposure to the Internet;
- Implement endpoint security protection solutions to inspect emails and web content for malicious payloads, and to detect and quarantine malicious programs to prevent malware infection;
- Build cyber threat intelligence capability to keep track of the most recent threats, and exchange information with peer organisations to pre-empt emerging attacks;
- Ensure network monitoring and security detection are in place and be ready to carry out immediate incident response if any abnormal activity is detected.
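As an added illustration of the last point (detection that can trigger a response while encryption is still in progress), the script below is example code written for this article, not HKCERT's or any vendor's tooling. It scans file-activity audit events for the behaviour that every encrypting ransomware family shares regardless of platform: one account renaming many distinct files to a single new extension within a short window. The log line format (`<ISO timestamp> <host> <user> <action> <path>`, with `RENAME <old> -> <new>`), the host and user names, the `.cts` extension and the sample events are all constructed for the example.

```python
"""Flag mass-rename bursts that look like in-progress file encryption.

Added example for this article, not code from the original page.
Assumed audit format, one event per line:
    <ISO-8601 UTC timestamp> <host> <user> <ACTION> <path>
    <ISO-8601 UTC timestamp> <host> <user> RENAME <old path> -> <new path>
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Event:
    when: datetime
    host: str
    user: str
    action: str
    path: str
    new_path: Optional[str] = None


def parse_line(line: str) -> Event:
    ts, host, user, action, rest = line.split(" ", 4)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    if action == "RENAME":
        old, new = rest.split(" -> ", 1)
        return Event(when, host, user, action, old, new)
    return Event(when, host, user, action, rest)


def parse_log(text: str) -> list[Event]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def added_suffix(ev: Event) -> Optional[str]:
    """Extension appended by a rename (e.g. '.cts'), or None if not that shape."""
    if ev.action != "RENAME" or ev.new_path is None:
        return None
    if ev.new_path.startswith(ev.path) and len(ev.new_path) > len(ev.path):
        return ev.new_path[len(ev.path):]
    return None


def detect_mass_rename(events, window=timedelta(seconds=60),
                       threshold=20, dominance=0.8):
    """Return one alert per (host, user) burst of >= threshold distinct files
    renamed within `window`, where a single appended extension accounts for at
    least `dominance` of the renames. Thresholds are tuning knobs, not facts."""
    alerts = []
    by_actor = defaultdict(list)
    for ev in events:
        if added_suffix(ev) is not None:
            by_actor[(ev.host, ev.user)].append(ev)

    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: e.when)
        i = 0
        while i < len(evs):
            # Sliding window: all renames within `window` of evs[i].
            j = i
            while j < len(evs) and evs[j].when - evs[i].when <= window:
                j += 1
            chunk = evs[i:j]
            files = {e.path for e in chunk}
            if len(files) >= threshold:
                suffix, n = Counter(added_suffix(e) for e in chunk).most_common(1)[0]
                if n / len(chunk) >= dominance:
                    alerts.append({"host": host, "user": user, "suffix": suffix,
                                   "files": len(files), "start": chunk[0].when,
                                   "end": chunk[-1].when})
                    i = j  # skip the rest of this burst; one alert is enough
                    continue
            i += 1
    return alerts


# Constructed sample: a benign backup rename by alice, then a burst by bob that
# renames every file on a share to ".cts" (hypothetical extension).
SAMPLE_LOG = """\
2023-06-14T09:00:01Z ws-07 alice WRITE C:/Users/alice/report.docx
2023-06-14T09:00:05Z ws-07 alice RENAME C:/Users/alice/report.docx -> C:/Users/alice/report.docx.bak
2023-06-14T09:00:10Z ws-07 alice WRITE C:/Users/alice/notes.txt
2023-06-14T09:12:00Z ws-12 bob RENAME D:/Shares/finance/q1.xlsx -> D:/Shares/finance/q1.xlsx.cts
2023-06-14T09:12:01Z ws-12 bob RENAME D:/Shares/finance/q2.xlsx -> D:/Shares/finance/q2.xlsx.cts
2023-06-14T09:12:01Z ws-12 bob RENAME D:/Shares/finance/budget.docx -> D:/Shares/finance/budget.docx.cts
2023-06-14T09:12:02Z ws-12 bob RENAME D:/Shares/hr/payroll.csv -> D:/Shares/hr/payroll.csv.cts
2023-06-14T09:12:03Z ws-12 bob RENAME D:/Shares/hr/contracts.pdf -> D:/Shares/hr/contracts.pdf.cts
2023-06-14T09:12:04Z ws-12 bob RENAME D:/Shares/hr/photo.jpg -> D:/Shares/hr/photo.jpg.cts
2023-06-14T09:12:05Z ws-12 bob WRITE D:/Shares/hr/HOW_TO_RESTORE.txt
"""

if __name__ == "__main__":
    # A low threshold is used only so the short sample trips the rule.
    for alert in detect_mass_rename(parse_log(SAMPLE_LOG), threshold=5):
        print(alert)
```

The rule keys on the rename pattern rather than on any particular family's extension, so it applies equally to the Windows, Linux and macOS variants discussed above. The threshold and window must be tuned against an organisation's own baseline: archival jobs, bulk renames by backup software and migration scripts will produce the same shape, so the alert should drive an automated but reversible response (isolating the host, disabling the account) and a human check, not an irreversible one.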
For more details or security advice, please refer to the security blog 「Unmasking Cybercrime-as-a-Service: The Dark Side of Digital Convenience」 or 《Incident Response Guideline for SMEs》.