The second quarter of 2023 was prolific for ransomware groups, with several notable newcomers and records shattered. Following the previous quarter’s record-breaking numbers, Q2 2023 saw another large surge in organizations named on double-extortion ransomware data-leak websites. We also observed one of the most serious ransomware campaigns ever recorded.
ReliaQuest’s Threat Research Team monitors the activity of ransomware groups and their data-leak sites. Our quarterly ransomware report gives the big picture of that activity in Q2 2023; below, we offer just the highlights of the quarter’s emerging trends and developments.
The most impactful ransomware-related event was the “Clop” ransomware gang’s exploitation of a zero-day vulnerability (CVE-2023-34362) in MOVEit Transfer software. Clop claimed to have stolen the data of hundreds of companies and began naming victims on June 14, 2023—89 MOVEit victims were publicized in June alone. Since then, that number has crept close to 250, making this one of the largest extortion campaigns by a ransomware group we’ve ever observed.
Clearly, Clop’s unique approach to targeting enterprise file-transfer software/platforms has been effective. The group began exploiting vulnerabilities in such products in December 2020, breaching more than 100 companies through a zero-day vulnerability in Accellion file-transfer software. In February 2023, the group took responsibility for another such campaign, targeting GoAnywhere software and compromising over 130 organizations.
The MOVEit campaign was undoubtedly Clop’s largest and most impactful, compromising multiple large companies. The move towards single-extortion attacks—avoiding data encryption and focusing solely on data theft—is a unique ransomware-group trend that may become common among other groups. For more information on Clop and the MOVEit campaign, check out our blog covering the campaign.
In March 2023, users began noticing that their Zimbra servers had become encrypted and that the new “Malas” ransomware gang had left ransom notes in encrypted folders. The notes detailed an unusual demand: make a donation to a nonprofit organization that the attackers approved of. A donation would mean access to a decrypting tool and a promise not to leak the data—demands more closely aligned with hacktivism than traditional ransomware extortion. Malas’s campaign is just one example of how the lines dividing cybercriminals, nation-state threat actors, and hacktivists are becoming more difficult to distinguish.
In mid-May 2023, Malas launched a dark-web data-leak site and immediately named 169 affected companies, securing the second-highest number in Q2 2023. The group only exposed the configuration files of victims’ Zimbra servers, which likely resulted in a low impact. By comparison, Clop placed fifth in terms of numbers but made the greatest impact with MOVEit.
In the second quarter of 2023, close to 1,400 organizations were named on ransomware and data-extortion websites. This marked a substantial increase (66%) from Q1 2023, which saw close to 850 affected organizations. What makes this increase even more impressive is that Q1 2023 had set the record for the most victims we ever recorded, but Q2 2023 shattered that record with 500 more. The number of organizations being named on ransomware websites has more than doubled over the past two quarters, highlighting a sudden growth in ransomware operations.
Figure 1: Number of victims named on 20 most-active ransomware data-leak sites, Q2 2023
As expected, other records were broken in the past quarter. May 2023 is now the month with the highest number of ransomware victims we have ever recorded. Close to 600 organizations were named on ransomware data-leak sites in May, a 46.7% increase from the previous record in March 2023. The high count in May was driven by the ransomware groups Malas and “8Base” naming many affected organizations shortly after launching their data-leak sites.
Figure 2: Number of ransomware victims named, by month, since June 2022
With regard to extortion-only gangs, few organizations were named on data-leak sites. There was a noticeable rise compared to Q1 2023, but it was likely caused by natural deviations in quarterly numbers. The “Karakurt Hacking Team” was the most active extortion-only group, accounting for close to 95% of victims.
Figure 3: Number of extortion victims named, by month, since June 2022
We can’t end the discussion of extortion-only attacks without noting that Clop hasn’t deployed ransomware in any of its file-transfer software attacks (Accellion, GoAnywhere, or MOVEit). Instead, Clop simply stole data and threatened to publicly release it if victims didn’t make ransom payments. By skipping encryption, Clop could conduct attacks much faster and more efficiently, targeting hundreds of companies at once.
In extortion-only attacks, ransomware groups don’t always leave ransom notes, so attacks can be harder to detect. Instead, threat actors typically reach out to affected organizations via email or other communication, making them aware of the breach and ransom demands. Clop has taken an even less traditional approach in its latest MOVEit campaign: requesting that victims contact Clop if they have been compromised. This puts the burden on the companies to figure out whether they have been breached.
The US remained the country most targeted by ransomware groups, by a wide margin. Nearly half of all companies named on data-leak sites in Q2 2023 operated in the US. Following the US were the UK, Germany, Canada, and France—the same five countries targeted most in Q1 2023, but with slight shifts, such as Germany rising to third place from fifth. The appeal of those five countries likely lies in their numerous wealthy organizations: typical targets for ransomware groups.
Figure 4: Countries most targeted by ransomware attacks
The sectors most targeted changed slightly in Q2 2023. The professional, scientific, and technical services sector was the most popular, comprising 20.2% of all the affected organizations. The manufacturing sector closely followed, with 19.6%. The remaining sectors in the top five were finance and insurance, healthcare and social assistance, and construction. Healthcare remained a popular target despite many ransomware groups claiming to avoid targeting that sector; this trend has persisted since Q1 2023.
Figure 5: Sectors most targeted by ransomware attacks
Our full quarterly ransomware report offers:
Want more ransomware intel? Read our other blogs about ransomware-related targets and events, such as Clop’s MOVEit campaign, Cobalt Strike team servers, and a “Gootloader” campaign. You can also read our extensive ransomware defense guide, which highlights strategies to prepare for and defend against ransomware attacks. Prefer to listen? Our threat research podcast, ShadowTalk, offers up weekly discussions of new ransomware and cybercrime.