GRIT Ransomware Report: November 2023
Additional contributors to this report: Nic Finn, Grayson North, Justin Timothy, Ryan Silver
November 2023 closed with an increase in posted ransomware victims relative to a quieter October, but in keeping with the overall higher rate of victims observed consistently since March. While total observed victims increased 29% month-over-month from 336 to 433, November’s victims exceeded the CY 2023 average by only 16%, and the rolling average since March 2023 by only 6%, indicating a relatively consistent pace of operations since Q2. We also observed a marginal decrease in the number of observed active ransomware groups, though this was influenced by the arrival and drop-off of several smaller Emerging groups. The most prolific Established ransomware groups, including LockBit, Alphv, and Play, continue to account for the highest percentage of observed ransomware victims, and 82% of observed victims were attributed to ransomware groups that have operated for at least 6 months.
The geographic focus of ransomware remains primarily on the global north, with US-based organizations as the primary victims, followed by Western countries in Europe, Canada, and Australia. We note, however, an outsized impact on Chinese organizations in November, with nearly a quarter of 2023’s ransomware attacks against China taking place this month. Impacted organizations in China typically belong to the manufacturing industry, whereas November instead produced multiple victims from the energy, automotive, legal, and pharmaceutical industries, further complicating this anomaly. Eastern Europe-based cybercrime actors, which make up much of the ransomware landscape, have traditionally appeared averse to targeting Chinese organizations; we will remain alert to continued spikes, which could indicate a shift in this approach.
While manufacturing remains the most impacted industry in the United States, impacts against healthcare organizations continue to increase, continuing a concerning trend of disregard for human life and, in some cases, the disregard or softening of longstanding affiliate rules. The largest and most impactful of these attacks are often attributed to ransomware’s most prolific Established actors, possibly reflecting an operational focus on this sector with the goal of extracting high ransoms.
GRIT continues to observe ransomware group exploitation of viable vulnerabilities, as demonstrated by the widespread exploitation of the Citrix Bleed vulnerability and Clop’s return to scaled exploitation with SysAid. As organizations continue to increase the resilience of their security against ransomware, exploitation of vulnerabilities, particularly in VPNs and storage services, will likely remain a high priority for ransomware groups.
| Metric | November 2023 |
| --- | --- |
| Total Publicly Posted Ransomware Victims | 443 |
| Number of Active Ransomware Groups | 32 |
| Average Posting Rate (per day) | 14.8 |
Ransomware Trends
November concluded with a 29% month-over-month increase in publicly posted victims, from 336 to 433, slightly above the average monthly victim count of 363 established over the preceding year. However, despite this increase in total victim volume, we observed a slight decrease in the number of ransomware groups posting victims, down from 35 to 32.
In total, nine groups that had posted victims in October 2023 claimed no victims in November, and six groups with no observed victims in October claimed new victims in November. None of these newly emerged or re-emerging groups claimed more than six victims, reflecting the continued presence of smaller, low-volume ransomware groups.
The majority (67%) of victims were observed as posted between Tuesday and Thursday, while the least frequent (13%) posting dates were Friday and Saturday.
Ransomware Victims by Country
The United States remains the country most frequently impacted by ransomware attacks. The share of observed attacks impacting US-based organizations, at 48% (207) of November’s victims, remained consistent with the 2023 calendar year average of 49%.
The Netherlands has made the “Top Ten list” of victims for the second time this year. November’s victims account for 21% (11) of the Netherlands’ total victim count for 2023 (52). BlackBasta accounted for four of these victims, while the other six were claimed by six different groups, one each.
Canada experienced a decrease in victim volume and victim share relative to its baseline; typically ranking among the three most impacted countries behind the US and the United Kingdom, it fell to sixth in November.
Despite enjoying a sharp decline in victims in October, Germany-based organizations experienced an increase in attacks in November, returning them to the “Top Five list.”
Increased Ransomware Impact in China
November saw an unusual increase in ransomware cases in China, where ransomware incidents have historically been few and far between. The first 10 months of 2023 saw 22 reports of ransomware victims in China, while November alone resulted in five victims. The groups Alphv, Bianlian, LockBit, Qilin, and Rhysida all claimed at least one victim from China during November.
The Industrial and Commercial Bank of China, China’s largest banking firm, was subject to a ransomware attack in November, and a representative for LockBit later claimed responsibility. However, the name of the bank, and any associated exfiltrated data, have not been posted to LockBit’s data leak site at the time of this report.
November’s ransomware attacks in China impacted victims in the energy, automotive, legal, and pharmaceutical industries, a departure from the most frequently impacted manufacturing industry, further complicating this potential anomaly.
The variety of groups conducting November’s attacks on China-based organizations may indicate exploration by ransomware groups into targets that have historically escaped largely unscathed by ransomware despite containing lucrative potential victims. China has historically aligned itself with the Eastern European nations where many ransomware actors are thought to reside, but shifting geopolitical relations between those Eastern European countries could open the door to additional future operations.
Industry Trends
Manufacturing retained its long-standing position as the most impacted industry in November, with a marginal increase from 49 to 51 observed victims, but decreasing in proportionate share from 14.58% to 11.78%. While Manufacturing more than doubled the number of victims from “runner-up” industries in October, November brought a tighter concentration of highly impacted industries, with Healthcare and the Retail & Wholesale industries each accounting for approximately 7% of observed victims as the second and third most impacted industries.
November marks the third-most impactful month of the year for Healthcare, with 32 claimed victims, a 33% increase from its monthly industry average of 24; this increase is consistent with our observation of greater impacts on the healthcare industry over at least the past 3 months. Finally, for the first time in 2023, the Automotive industry was observed as one of the most impacted industries, with the industry accounting for 17 victims, more than twice its monthly industry average of 8.
Threat Actor Trends
November closed as LockBit’s most active month since August, retaining its dominance in the ransomware ecosystem with over 25% of observed victim posts. LockBit continues to impact healthcare organizations, with two-thirds of its impacted healthcare organizations in 2023 being victimized in November.
Following a dip in posted victims in October, Alphv returns to the “Top Three” with 46 victims, a 30% increase over its average of 35 monthly victims. Like LockBit before it, Alphv continues to impact healthcare organizations and release attention-seeking media statements, likely in an attempt to shame its victims and discourage non-compliance from future targets.
Play continues its upward trend of victim volume with 44 victims, nearly doubling its average daily rate for the second month in a row. Play has disproportionately impacted the Retail and Wholesale sector, matched only by LockBit.
Overall, the increase in total claimed victims is primarily due to large increases among Established groups. LockBit saw a 75% increase in victims posted, Alphv increased its posts by 70%, and smaller increases of 6 to 8 victims were seen from a number of Established groups such as Akira, Rhysida, BlackBasta, Knight, and 8Base. Balancing that out, Bianlian, Noescape, and Medusa all saw decreases in victim posts of 47%, 23%, and 26% respectively.
Threat Actor Spotlight: Cactus (Established)
Cactus is a double-extortion ransomware group, which encrypts victim files and exfiltrates sensitive data in order to coerce victims with dual forms of leverage: the need for a decryptor to restore operations, and the need to prevent publishing and dissemination of sensitive data. The ransomware group is believed to have been active since at least March 2023. While the group or its affiliates initially appear to have communicated with victims over the Tox messaging service, it appears to have established its data leak site in July 2023.
Cactus is notable for its self-encrypting encryptor, which compresses and encrypts its own code in an attempt to evade antivirus; the encryptor is unlocked with a key stored in a file named ntuser.dat (distinct from the legitimate ntuser.dat file), which is loaded through a scheduled task. The encryptor also divides encrypted files into micro-buffers, probably in an attempt to speed up the management of encrypted data streams.
Threat actors affiliated with the Cactus ransomware have demonstrated a range of tactics, techniques, and procedures (TTPs) to gain initial access to victim networks, starting with phishing and exploitation of VPN appliances in mid-2023 before expanding to exploitation of vulnerabilities in the business intelligence platform Qlik Sense, and DanaBot malware infection via malvertising campaigns in late 2023.
Post-compromise actions taken by Cactus ransomware operators have employed the SoftPerfect Network Scanner, native PowerShell enumeration commands, Cobalt Strike, the open-source Chisel SOCKS5 tunneling tool, a custom variant of the open-source PS Nmap tool, and legitimate Remote Monitoring and Maintenance (RMM) software, according to multiple open-source security reports. Exfiltration has been observed via the open-source Rclone utility.
According to Microsoft Threat Intelligence, Cactus ransomware has been deployed by the Russia-based threat actor Storm-0216, also classified as Twisted Spider and UNC2198 by CrowdStrike and Mandiant respectively. This threat actor has historically partnered with other Russia-based financially motivated cybercrime groups, including Wizard Spider, Viking Spider, and LockBit, and has been associated with the Egregor and MAZE ransomware variants.
We assess with moderate confidence that Cactus’ operators demonstrate a moderate to high level of sophistication, based on observed TTPs, the complexity and uniqueness of its encryptor, and the historical association of Storm-0216 actors with deployment of Cactus ransomware.
Other Notable Ransomware Events
Ransomware Groups Exploit Citrix Bleed Vulnerability
On October 10th, 2023, Citrix released a security bulletin detailing two vulnerabilities impacting their NetScaler ADC and NetScaler Gateway products, which were quickly dubbed “Citrix Bleed”. One of the vulnerabilities, CVE-2023-4966, is a sensitive information disclosure vulnerability that can be used to extract unsanitized pieces of memory from an unpatched appliance without authorization. The section of memory leaked can be manipulated to include Citrix session tokens stored on the exploited device, which can be used to take control of a session created by the user who originally requested the token, bypassing multifactor authentication requirements. On October 25th, a researcher published a blog post that described the process for exploiting the vulnerabilities and provided proof-of-concept code for their exploitation.
In early November, GRIT observed widespread exploitation of this vulnerability, with some of the resulting stolen sessions seemingly leveraged as initial access vectors by various ransomware groups. These groups, which included LockBit, Rhysida, and Alphv, were able to exploit this vulnerability to connect to victim networks, then use their existing tradecraft to move laterally, escalate privileges, and ultimately impact the networks of their victims. Concerned with the impact of this vulnerability on the Healthcare industry, the US Department of Health and Human Services issued a Sector Alert on November 30th, 2023, outlining the vulnerability and remediation actions as critical to the safety of healthcare organizations around the country. This incident underscores the necessity of defenders quickly patching external-facing infrastructure, which can be among the most attractive access vectors to threat actors.
SysAid Clop Exploitation
On November 8th, 2023, IT service automation company SysAid released a vulnerability notification detailing a path traversal vulnerability, CVE-2023-47246, impacting on-premises server installations of their SysAid software. The notice and subsequent posts by Microsoft Threat Intelligence allege exploitation of the vulnerability by the extortion group Clop, following a quiet period after their mass exploitation of Progress Software’s MOVEit. Incident responders have observed Clop exploiting CVE-2023-47246 to drop a webshell on vulnerable servers, which is then used to run PowerShell scripts to perform reconnaissance and load additional tooling, potentially leading to encryption and data exfiltration. Exploitation of this new vulnerability is in keeping with Clop’s recent behavior of exploiting zero-day vulnerabilities in public-facing infrastructure to exfiltrate data and extort at scale. While previous campaigns by the group have targeted managed file transfer software including MOVEit and GoAnywhere, the targeting of SysAid suggests a willingness and capability to impact other software types. Clop has traditionally taken an “all at once” approach to its exploitation of zero-day vulnerabilities, likely due to their value and rarity, and their decreased utility once a patch is released. We note that while Clop did successfully weaponize and exploit this vulnerability, the scale of this particular campaign appears much narrower than its past operations, likely resulting in substantially lower revenue generation for the group.
Black Suit Ramps up Operations
Black Suit was first observed in May 2023, and GRIT and other security researchers quickly noticed similarities between the encryptor of the newly arrived group and that of the Established ransomware group Royal. Royal, which at the time of Black Suit’s appearance was still posting victims at a rate of 26 per month, saw its previously healthy post rate reduced to zero in the second half of 2023. At the time, GRIT assessed that Black Suit was the likely planned Rebrand of Royal, which could have been driven by law enforcement pressure following a high-visibility attack against the city of Dallas, Texas in September 2023. However, whether intentional or not, the anticipated transition from Royal to Black Suit was not an immediate one. Royal posted its last large group of ten victims at the end of May 2023, with only three subsequent victims posted afterward. In the meantime, Black Suit showed no signs of increasing its operations to match its predecessor until this month. In November, Black Suit reported an all-time high of five victims, including three from the Education industry. While this pace of posted victims does not match that of Royal in “full swing”, it does indicate a possible increase in operational tempo from the group and counters the probability of Royal’s operators abandoning the Black Suit brand after its association became well known. The reason for the pause between Royal’s operations and those of Black Suit is unclear, but it may have been intended as a “cool off” period from law enforcement attention in lieu of an effective name change. GRIT recommends considering Black Suit a Rebrand group, and assesses that its operations will continue to increase in the short term.
Alphv SEC filing
Alphv made headlines this month while in the process of extorting MeridianLink, a financial services company. On November 15th, the threat group released a post on their data leak site expressing concern over a lack of communication from the victim and shared screenshots of an alleged complaint submitted to the Securities and Exchange Commission (SEC), reporting the breach. The threat actor claimed in the complaint that, despite knowing about the data breach, MeridianLink had not yet filed an 8-K form, so they “did it for them.” Form 8-K is a US government form used to notify investors of major events that may be important to shareholders of public companies, and submission of the form within four business days became a requirement in the event of material cybersecurity events following rule changes in July 2023. While it is unlikely that the victim in this case will face any extra retribution from the SEC as a result of Alphv’s actions, it accomplished the group’s likely goal of attracting substantial attention to the incident, applying pressure to the victim and future victims.
LockBit’s New Ransom Rules
In September, LockBit circulated a poll to its affiliates proposing changes to internal rules surrounding how affiliates may negotiate ransom amounts. The suggested changes, likely inspired by recent reductions in payments, mostly applied to how affiliates may formulate their initial ransom demand and how much of a discount they would be allowed to accept. Presumably driven by feedback from this survey, LockBit adopted two new rules governing its affiliates’ ransom negotiation process beginning the first of October.
The first rule change provided some guidance to affiliates on initial ransom demands, outlining a demand scale based on a victim’s revenue. For companies with revenue of up to $100 million USD, the guidelines suggest initial demands between 3 and 10 percent of annual revenue. For companies up to $1 billion USD in revenue, the guideline suggests initial demands between 0.5 and 5 percent. Finally, for victims with revenue in excess of $1 billion USD, the guideline suggests initial demands between 0.1 and 3 percent.
While this new suggested demand scale is intended to standardize the initial demand, it goes hand in hand with a concurrent new rule stating that affiliates may not accept any discounts to this initial amount exceeding 50 percent. In the absence of such prior rules, affiliates were left to their own devices on accepting victims’ counter offers, resulting in occasional deep cuts to ransom demands in pursuit of settlement. This new guidance is likely intended to prevent inexperienced or “desperate” affiliates from accepting significantly reduced payment from the victim, a move that the leadership of the LockBit group hopes will lead to larger payments in aggregate.
GRIT has observed tight adherence to this new set of rules by LockBit in recent months, but we assess that the rules will result in a lower number of settlements overall, and that such a decrease in successful settlements could lead to discord within the group. As one of several Established Ransomware as a Service (RaaS) groups, LockBit must compete for a limited pool of skilled affiliates, who perform the hands-on-keyboard portion of ransomware attacks, typically pocketing around 80% of any payments. While every affiliate has different motivations, affiliates are often incentivized to make a deal with their victims even if the agreed-upon amount is substantially reduced from initial demands, because costs have already been incurred and a small payment is better than no payment at all. In contrast, LockBit leadership may be driven by increasing average payment size as a matter of brand and prestige, and is likely less sensitive to individual instances of non-payment. If these new rules lead to decreased affiliate revenue in the mid to long term, current affiliates may opt out of continued support or pursue affiliation with other groups.
New Ransomware Groups Tracked by GRIT in October 2023:
Meow Leaks (Emerging)
The Emerging threat group Meow Leaks was first observed publicly claiming victims in late November. The group has thus far claimed six victims on its data leak site, with the majority (5) within the United States and one victim in Ireland. Each of the group’s six victims belongs to a different industry, preventing, to date, the formation of a discernible pattern to the group’s victimization.
In March 2023, Kaspersky released a decryptor for a ransomware strain that was based on the leaked Conti ransomware builder. Although Kaspersky did not name the ransomware strain “Meow”, other security reporting has called the encryptor “Meow.” At this time, the connection between the Meow ransomware strain and the Meow Leaks data leak site cannot be verified, but GRIT is monitoring for any indication of ties.
Final Thoughts
November continued an escalated trend of ransomware activity, with monthly observed ransomware victims in the 400+ range since March 2023. As smaller, Emerging groups continue to come and go, and a small cohort progresses into Developing and Established groups, the most prolific Established actors continue to account for a disproportionate share of observed victims. While this reflects the continued viability and efficacy of these cybercriminal enterprises, our methodology is unable to capture the scope of impacts from low-maturity or independent ransomware operators who do not publicly claim ransomware victims. Given this incomplete visibility, we must acknowledge that the full scope and impact of ransomware on a global scale is higher than reported here, and possibly increasing in step with the figures observed in this report.
Continued attention-seeking behavior and impacts against sensitive organizations, such as healthcare, reflect possible continued “testing of the waters” or a departure from previous norms in favor of ransom extraction, and we assess that further departure and increased targeting of sensitive organizations are likely in the future. Recently observed tactics such as tertiary victim extortion and repeated encryption are likely designed as much to deter future non-compliance as to “shame” present non-compliant victims. An interesting anomaly to this behavior is the ransomware group Play, which continues to present an increasing stream of victims while maintaining a relatively low profile publicly.
Increased impacts on Chinese industries will remain a point of collection for GRIT going forward, particularly given the potential profitability of Chinese victims and dependent on the law enforcement response received. While November holds the potential to present as an anomalous month in terms of Chinese organizational victims, it could also mark the opening of a new market segment for financially motivated cybercrime.
As the year comes to a close, we anticipate a continuation or increase in operations and in opportunities to exploit undiscovered vulnerabilities or defensive teams with staff out on holiday leave. GRIT observed this behavior in a surge of victims in December 2023, and the cybersecurity community is well-tuned to the frequency of “holiday drops” in the form of last-minute vulnerabilities. GRIT will continue to monitor for increases in ransomware activity and wishes our fellow defenders a peaceful and uneventful holiday season.
The GRIT Ransomware Taxonomy
By subdividing ransomware groups, GRIT can obtain more detailed insights into how ransomware groups progress in their level of operational maturity and can classify and identify potential rebranding activity.
We distinguish ransomware groups by placing them into these six categories:
EMERGING
This category is reserved for new ransomware groups within their first three months of operations. These organizations may be short-lived, resulting in an Ephemeral group; may be determined to have Splintered or Rebranded from an Established group; or may move on to further develop their operations and TTPs over time.
EPHEMERAL
These groups are short-lived, with varied but low victim rates. Observed victims are usually posted in a single or short series of large postings rather than a continuous flow over time. Ephemeral groups, by definition, terminate operations, spin-off, or rebrand within three months of formation. These groups may or may not have dedicated infrastructure (i.e., data leak sites and chat support) as part of their operations.
DEVELOPING
These groups have conducted operations for three months or longer, resulting in a recurring flow of victims. Developing groups do not appear to be directly linked to other ransomware groups as a Splinter or Rebrand but may include some experienced ransomware operators. Developing groups generally improve their people, processes, or technology over time by recruiting additional members, refining TTPs, or improving the quality of their associated ransomware and encryption. These groups generally have dedicated infrastructure (i.e., data leak sites and chat support) as part of their operations.
SPLINTER
These groups consist of a plurality of members from previously Developing or Established groups and may have formed either by choice or due to exclusion. These groups may be identified by very similar or overlapping TTPs and tooling or through HUMINT gathered through interactions with personas on the deep and dark web. Splinter groups differ from Rebrands by the continued existence of the original organization as the Splinter group operates.
REBRAND
These groups consist in whole, or in part, of former Developing or Established groups. Rebrands often maintain the same people, processes, and technology as the original group. Rebrands are generally undertaken in order to minimize attention from law enforcement or intelligence officials or to avoid negative publicity.
ESTABLISHED
These groups have operated successfully for at least nine months and have well-defined and consistent tactics, techniques, and procedures. Established groups often possess functional business units that enable sustained ransomware operations, with specialists focused on areas such as personnel, encryption, negotiations, etc. These organizations successfully employ technology and redundant infrastructure to support their operations.
There are multiple routes a group can take through the various classifications, and no one route is standard. While one group may begin as “Ephemeral” and move their way through the ranks to “Full-time,” another group may enter as a “Rebrand” as part of a larger obfuscation strategy to avoid attention from law enforcement.
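The taxonomy above can be applied mechanically to a group's posting history. The following is an added example written for this report's definitions, not GRIT's own tooling: the month thresholds (three months for Emerging/Ephemeral, nine for Established) and the lineage rule (Splinter if the parent still operates, Rebrand otherwise) come from the category descriptions, while the `GroupHistory` fields, the "burst" heuristic in `posting_profile`, and the sample histories are assumptions constructed for illustration.

```python
"""Classifier for the GRIT ransomware taxonomy (added example, not GRIT's code)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional

EMERGING_MAX_MONTHS = 3     # Emerging/Ephemeral: within first three months of operations
ESTABLISHED_MIN_MONTHS = 9  # Established: at least nine months of successful operation


@dataclass
class GroupHistory:
    """Hypothetical record of a group's observed activity (assumed field layout)."""
    name: str
    first_seen: date
    last_seen: date
    monthly_victims: Dict[str, int] = field(default_factory=dict)  # "YYYY-MM" -> posts
    parent: Optional[str] = None    # prior Developing/Established group it descends from
    parent_active: bool = False     # whether that parent still operates alongside it
    ceased: bool = False            # whether the group has terminated operations


def months_between(start: date, end: date) -> int:
    """Whole calendar months from start to end (same-month = 0)."""
    return (end.year - start.year) * 12 + (end.month - start.month)


def months_active(g: GroupHistory, as_of: date) -> int:
    """Lifetime in months; a ceased group's clock stops at its last observed post."""
    end = g.last_seen if g.ceased else as_of
    return months_between(g.first_seen, end)


def classify(g: GroupHistory, as_of: date) -> str:
    """Map a history onto one of the six GRIT categories."""
    # Lineage overrides age: Splinter coexists with its parent, Rebrand replaces it.
    if g.parent is not None:
        return "Splinter" if g.parent_active else "Rebrand"
    age = months_active(g, as_of)
    if age < EMERGING_MAX_MONTHS:
        # Ephemeral groups terminate within three months; otherwise still Emerging.
        return "Ephemeral" if g.ceased else "Emerging"
    if age >= ESTABLISHED_MIN_MONTHS:
        return "Established"
    return "Developing"


def posting_profile(g: GroupHistory) -> dict:
    """Summarise cadence: recurring flow (Developing) versus one-off large postings
    (typical of Ephemeral groups). The 'burst' rule is an assumed heuristic."""
    counts = [c for c in g.monthly_victims.values() if c > 0]
    total = sum(counts)
    top = max(counts) if counts else 0
    return {
        "total": total,
        "months_posting": len(counts),
        "avg_per_posting_month": total / len(counts) if counts else 0.0,
        # Assumption: at most two posting months carrying >= half of all posts.
        "burst": bool(counts) and len(counts) <= 2 and top / total >= 0.5,
    }


# Constructed sample histories; dates follow the report where it gives them.
AS_OF = date(2023, 11, 30)
SAMPLES = [
    GroupHistory("Meow Leaks", date(2023, 11, 20), date(2023, 11, 30), {"2023-11": 6}),
    GroupHistory("Black Suit", date(2023, 5, 1), date(2023, 11, 30),
                 {"2023-05": 1, "2023-11": 5}, parent="Royal", parent_active=False),
    GroupHistory("Sample-Developing", date(2023, 6, 1), date(2023, 11, 30),
                 {"2023-06": 4, "2023-07": 5, "2023-08": 3, "2023-09": 6,
                  "2023-10": 4, "2023-11": 5}),
    GroupHistory("Sample-Ephemeral", date(2023, 7, 1), date(2023, 8, 15),
                 {"2023-07": 1, "2023-08": 12}, ceased=True),
    GroupHistory("Sample-Established", date(2023, 1, 1), date(2023, 11, 30),
                 {f"2023-{m:02d}": 10 for m in range(1, 12)}),
]

if __name__ == "__main__":
    for g in SAMPLES:
        print(f"{g.name:20s} {classify(g, AS_OF):12s} {posting_profile(g)}")
```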