Ransomware attacks dip in H123, but targeted attacks soar: Report

Ransomware incidents are down, but the volume and impact of targeted attacks are on the rise. Cybersecurity firm Fortinet has detected that only 13% organisations in the first half of 2023 were hit by ransomware attacks as compared to 22% five years ago (22%). 

In its 1H 2023 Global Threat Landscape Report, published on Monday, the cyber security firm however said that it is not to say criminals have stopped using ransomware. Instead, they are being more targeted with their attacks, choosing to infect high-value companies over individual users. Nonetheless, ransomware remains one of the biggest, most dangerous attack threats organisations face.

In recent years, more sophisticated attackers have shifted to targeted ransomware approaches in search of bigger payouts. These attackers target very specific organisations based on their ability  to pay large ransoms, using customised tactics, techniques and procedures, Derek Manky, Chief Security Strategist & Global VP Threat Intelligence, FortiGuard Labs.

According to researchers from cyber security firm CyberArk, these attackers are very creative, often going to great lengths to understand a victim’s technology stack so they can identify and exploit vulnerabilities, while pinpointing the most valuable data to encrypt and hold for ransom.

For example, the Play ransomware group that targeted the City of Oakland earlier this year is now hitting managed service providers (MSPs) around the globe in a cyber-attack campaign to distribute ransomware to their downstream customers.

Play's targets appear to be midsized businesses in the finance, legal, software, shipping, law enforcement, and logistics sectors in the US, Australia, UK, Italy, and other countries.

They’re also extremely patient before deploying the ransomware payload. That said, during this time, attackers often target data backups so the organisation cannot restore files after they’ve been encrypted. And these attackers expect to be compensated for putting in the extra work, said the researchers.

Perhaps the most troubling thing about targeted ransomware attacks is that just because an organisation has been targeted once, it doesn’t mean it won’t happen again. To maintain persistence on target networks, attackers often construct backdoors that allow them to re-enter at will. Most companies cannot withstand the business impact of one ransomware attack, let alone two.

Another research report by cyber security firm Rapid7, published on 18 August, also found that at least 1,500 organisations have fallen victim to ransomware globally in the first half of 2023. The research found that attackers used techniques such as brute force attacks and credential stuffing to steal information.

While the top three ransomware gangs in the first half of the year, such as Lockbit, BlackCat or ALPHV and Cl0p, have remained stable, new groups are continuing to emerge onto the landscape. Akira, a ransomware group that reportedly launched just at the end of Q1 2023, has already amassed 60 known victims.

The Fortinet research also found that the volume of ransomware detections continues to be volatile, closing 1H 2023 13 fold higher than the end of 2022 but still notice a downward trend overall when comparing year-over-year.

Manky said, “Disrupting cybercrime is a global effort that comprises strong, trusted relationships and collaboration across public and private sectors, as well as investing in AI-powered security services that can help CIO/CISOs coordinate actionable threat intelligence in real time across their organisation.”