Research | Our Q3 report details what's new in the world of ransomware.
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Find cyber threats that have evaded your defenses.
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Brands of the world trust ReliaQuest to achieve their security goals.
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
The latest threat research report from ReliaQuest Threat Research research team.
The latest white papers focused on security operations strategy, technology & insight.
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
November 30, 2023
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
In the third quarter of 2023 (Q3 2023) ransomware activity continued to bombard many countries and industry sectors, after a record-breaking Q2 2023. ReliaQuest observed numerous high-profile ransomware campaigns, large-scale extortion attempts using innovative techniques, and several new groups that quickly made their presence known.
Drawing on our continuous monitoring and analysis of ransomware groups and their respective data-leak sites, we’ll reveal our insights into Q3 2023, beginning with two key events of the past three months.
The “Rhysida” ransomware-as-a-service (RaaS) group has heavily targeted the education sector since May 2023—40% of all its compromises were entities involved in that sector. In Q3 2023, Rhysida expanded their scope to perform cyber-threat activity against hospitals and medical clinics across the US. Rhysida not only stole sensitive data, including Social Security numbers and patient files, but it also auctioned off healthcare data on dark-websites.
Rhysida’s attacks on the healthcare sector have brought devastating effects. In one campaign, the group disrupted the operations of 17 hospitals and 166 clinics across the US after encrypting the systems of a healthcare organization. The group’s activities prompted the US Department of Health and Human Services (HHS) to issue a warning about Rhysida in August 2023.
HHS suggests several defensive strategies and best practices, including:
Clop continued its MOVEit campaign, which had begun in late May 2023, and began an extended operation to extort compromised companies. Clop used various tactics to pressure organizations into negotiating ransom payments, such as:
Clop seemed to conclude its MOVEit campaign in mid-September 2023, when it last updated its data-leak site. The group only named four new companies in August and one in mid-September. Most of the group’s activity took place in July 2023, when the group achieved a remarkable feat by naming more than three times the number of organizations to its data-leak site than the “LockBit” group did. Clop’s MOVEit campaign illustrated the group’s ability to inflict significant damage, quickly.
ReliaQuest saw Clop attempting to exploit MOVEit vulnerabilities in several of our customers’ environments; we developed these mitigation steps for organizations to protect against similar campaigns:
Q2 2023’s record-breaking stats were attributed to the launch of large-scale campaigns by brand new groups, such as “Malas.” In Q3 2023, although ransomware gangs named 6.9% fewer organizations on data-leak websites than they did in the previous quarter, they remained voracious. Almost twice as many compromised entities were named on data-leak sites in Q3 2023 than a year prior.
Overall, ransomware activity throughout 2023 has become noticeably more prolific, compared to the previous year.
Figure 1: The percentage of ransomware attacks that occurred each month, September 2022–23, out of all ransomware attacks throughout the year
During Q3 2023, LockBit, Clop, and ALPHV were the most active ransomware groups (naming the most compromised entities on their data-leak sites; see Figure 2). Clop regained its position as the second most active, surpassing Malas the previous quarter.
Since May 2023, no new entities have been listed on Malas’s data-leak site, suggesting that the group might have folded. Clop’s rise was driven by its MOVEit campaign, which became the most impactful extortion campaign we’ve ever witnessed.
Figure 2: Top 20 active ransomware groups, as ranked by percentage of all compromised companies named on data-leak sites
“LostTrust”—probably a rebrand of “MetaEncryptor”—took eighth place in Q3 2023. What makes this remarkable is that LostTrust only created its data-leak site on September 26, 2023, just four days before the end of the quarter. In that short period, the group fired off the names of more than 50 victims, quickly establishing a reputation as a formidable threat.
We noticed that multiple companies named on LostTrust’s site had also been listed on the leak sites of other ransomware groups. Those companies may have been targeted twice, or LostTrust affiliates could be attempting to re-extort them.
The most targeted country in Q3 2023 was the US, accounting for nearly half of all entities named on ransomware data-leak sites. This is usually the case, owing to multiple factors:
Figure 3: Ten countries most targeted by ransomware groups
The UK experienced a 37.9% increase in targeting since the previous quarter. Australia and Italy each saw significant increases: of 60% and 55.5%, respectively—this can be attributed to smaller-scale ransomware operations, such as Rhysida attacks on Italy and Australia.
In terms of sectoral targeting patterns, no major shifts took place in Q3 2023. The professional, scientific, and technical services; manufacturing; and construction sectors bore the brunt of attacks by ransomware groups, likely owing to three key factors these sectors share:
Figure 4: Sectors most targeted by ransomware groups
As Clop concludes its MOVEit campaign, the group will probably move into a temporary phase to plan its next move; it’s realistically possible that we won’t see Clop in the top 5 again next quarter. We’ve seen Clop performing minimal or no activity for extended periods before launching large-scale attacks (see Figure 3), such as before its exploitation of vulnerabilities in MOVEit (beginning late May 2023), GoAnywhere (February–March 2023), and Accellion (December 2020) software.
Figure 5: Percentage of companies named to Clop’s leak site by month, January 2022–September 2023
Clop has demonstrated a particular interest in targeting enterprise MFT solutions to conduct extortion-only attacks. By choosing to not deploy ransomware in its major campaigns (MOVEit, GoAnywhere, Accellion), the group nimbly exfiltrated the data of hundreds of organizations in less than a week. Clop’s success is likely to inspire other ransomware groups to favor extortion over dropping ransomware, as well as target vulnerabilities in supply chains.
Other shifts will probably be tied to new ransomware groups. The lifespan of most new groups tends to be relatively short (one to three months), so it wouldn’t be surprising if we see few or no victims affected by new groups, such as LostTrust. Nascent ransomware groups often struggle to host data-leak sites, and lack the skills to develop tools that bypass new defenses. In some cases, they buckle under the threat of law enforcement.
It’s likely that we’ll also see some established groups cease operating or experience disruptions in Q4 2023. The start of the quarter has already witnessed the law-enforcement seizure of the “Ragnar Locker” ransomware gang’s dark-websites. That group has been active since December 2019 and waged many a high-profile attack campaign, such as one resulting in 52 US organizations across ten critical-infrastructure sectors being compromised. Ukrainian hacktivists have also allegedly hacked the “Trigona” ransomware servers, reportedly wiping all data from them.
Figure 6: Trigona’s data-leak site displaying message from Ukrainian Cyber Alliance (October 2023)
Our comprehensive quarterly ransomware report further excavates the ransomware landscape of Q3 2023, offering the following insights:
Want more ransomware intel? Read our other blogs about ransomware-related insights and events, such as Clop’s MOVEit extortion campaign, three malware loaders that are often used to deploy ransomware, and a multinational operation that disrupted “QakBot,” a banking trojan used to deliver ransomware.
You can also explore our comprehensive ransomware defense guide that highlights strategies to prepare for, and defend against, ransomware attacks. Prefer to listen? Tune in to our threat-research podcast, ShadowTalk, which features weekly discussions of emerging ransomware and cybercrime trends.
Get a live demo of our security operations platform, GreyMatter, and learn how you can improve visibility, reduce complexity, and manage risk in your organization.