Cl0p and LockBit Lead Recent Ransomware Surge, Nuspire Reports

Nuspire, a Top 250 managed security services provider (MSSP), has released its Q2 2023 Cyber Threat Report, which found that Cl0p ransomware activity increased by 65% between Q1 and Q2.

The report offers an analysis of the threat landscape, examining threat data spanning malware, botnets and exploits, as well as specific tactics, techniques and procedures (TTPs) organizations should watch out for.

Notable findings from the report include:

  • Total ransomware extortion publications increased by nearly 18%.
  • Apache vulnerabilities comprise 25% of exploits. Apache Software can be found in approximately 31% of all global websites, making this finding particularly concerning.
  • Botnets grew approximately 16% in Q2, with Torpig Mebroot, a trojan renowned for its data-theft capabilities, maintaining its position as the top botnet detected.

Cl0p Ransomware's Devastating Impact

Cl0p, a Russian-linked hacking group, is known for its large ransom demands, at times starting at $3 million as an opening negotiating point. Its attacks are thought to have recently affected some 16 million people in more than 200 outfits by exploiting a vulnerability in the MOVEit large file transfer application.

The crew has encrypted data belonging to hundreds of universities, financial organizations and multinational corporations. Many of the disrupted organizations have apparently not applied available patches, leaving the door open for the Cl0p operatives. Last month, the U.S. State Department placed a $10 million bounty on Cl0p’s leader, seeking information tying the group to a foreign government.

J.R. Cunningham, Nuspire chief security officer, explained that Cl0p and LockBit are at the core of a rise in ransomware attacks:

"Ransomware groups like LockBit and CL0P have driven a significant rise in attacks over the last several months because of their relentless exploitation of zero-day and known vulnerabilities. MOVEit Transfer is a recent example of the scale and scope these attacks can take; however, our data shows that older vulnerabilities like Apache Software continue to be ripe for exploitation. This tells us that many organizations still lack sufficient patch and vulnerability management operations, greatly increasing their risk of exposure."

According to Kaspersky’s SecureList, LockBit, one of the most prevalent ransomware strains, runs an affiliate ransomware-as-a-service (RaaS) program offering participants up to 80% of the ransom demand. LockBit v3, also known as LockBit Black, was detected for the first time in June 2022. Three months later, a builder for LockBit 3 surfaced that allowed anyone to create their own custom version of the malware.

Nuspire's Ransomware Review

Nuspire Q2 2023 in Review:

APRIL

4.12 Microsoft, Fortinet, HashiCorp and Other Vendors’ April Patches Address Critical and High-Level Vulnerabilities
4.19 Critical RCE Vulnerability Affecting PaperCut Software
4.21 VMware Patches Critical vRealize Vulnerability

MAY

5.10 Microsoft’s May 2023 Patch Tuesday Addresses 3 Zero-Days And 6 Critical Vulnerabilities
5.18 CISA Warns of BianLian Ransomware Shifting Focus to Pure Data Extortion
5.22 Vulnerability Revealing Master Password Discovered in KeePass Password Manager
5.25 GitLab Patches Maximum Severity Vulnerability
5.31 Barracuda Patches Zero-Day in Email Security Gateways (ESG)

JUNE

6.1 Active Exploitation of MOVEit Transfer Due to Zero-Day Vulnerability
6.13 New Critical SSL-VPN Vulnerability Receives Patch from FortiGate
6.16 MOVEit Discloses Second Critical SQL Injection Vulnerability
6.20 Critical Pre-Authentication Command Injection Vulnerability in Patched Zyxel Storage Devices
6.21 VMware Discloses Active Exploitation of Critical Vulnerability in vRealize
6.29 Linux Version of Akira Ransomware Targets VMware ESXi Servers