Skip to main content

Should I stay or should I go: how major gangs’ shutdown affected ransomware trends for 2023

May 11, 2023

Ransomware has been making headlines for several years in a row. In their quest for profit, attackers have targeted almost every type of organization, from healthcare and educational institutions to service providers and industrial enterprises, affecting nearly every aspect of daily life. This year, these groups are still managing to come up with new, elaborate techniques or even attribute features of former gangs among top players that have currently ceased operations. Ahead of the Anti-Ransomware Day, Kaspersky has released a new report reviewing last year’s ransomware predictions and providing insights into what to expect in 2023.

In 2022, Kaspersky solutions detected more than 74.2M attempted ransomware attacks, a 20 percent increase than in 2021 (61.7M). At the same time, in the beginning of 2023 we saw a slight decline in the number of ransomware attacks – however, they became more sophisticated and targeted. Moreover, the top five most influential and prolific ransomware groups have drastically changed over the last year. The deceased REvil and Conti, that were placed the second and the third in H1 2022 respectively in terms of attacks, in Q1 2023 they were replaced by Vice Society and BlackCat. The remaining ransomware groups that formed TOP5 in Q1 2023, are Clop and Royal.

The review of last year’s ransomware trends shows that all of them persisted. In the course of 2022 and the beginning of 2023, there were several cross-platform ransomware modifications that caught researchers’ eyes, such as Luna and Black Basta. Ransomware gangs have also become more industrialized, with groups such as BlackCat adjusting their techniques over the year. For now employees of victim organizations must check to see if they are listed in the stolen data, thus increasing the pressure on the affected organization to pay a ransom. The geopolitical situation has seen some ransomware groups take sides in conflicts – including the Eternity stealer. The group behind it created a whole ecosystem, with a new ransomware variant.

For the 2023, Kaspersky experts have presented three key ransomware threat landscape development trends. The first refers to more embedded functionality used by various ransomware groups such as self-spreading functionality or an imitation of it. Black Basta, LockBit, and Play are among most significant examples of ransomware that spreads on its own.

The next trend to recently emerge is a driver abuse for malicious purposes – an old trick. Some of vulnerabilities in AV driver were exploited by AvosLocker and Cuba ransomware families, however, Kaspersky experts’ observations show that even the gaming industry can fall victim to this sort of attack. Reportedly, the Genshin Impact anti-cheat driver was used to kill endpoint protection on the target machine. And the trend continues to be watched with high-profile victims such as government institutions in European countries.

Finally, Kaspersky experts draw attention to how the largest ransomware gangs are adopting capabilities from either leaked code, or code sold by other cybercriminals, which may improve their malware’s functions. Recently LockBbit group adopted code, at least 25 percent of the leaked Conti code, and issued a new version based entirely on it. These types of initiatives provide affiliates with similarities and facilities to work with ransomware families that they were previously used to working with. Such moves can strengthen their offensive capabilities – and that should keep in mind in companies’ defense strategy.

“Ransomware gangs continually surprise us, and never stop developing their techniques and procedures. What we’ve been watching throughout the last one and a half year is that they are gradually turning their services into full-fledged businesses. This fact makes even amateur attackers quite dangerous,” comments Dmitry Galov, senior security researcher at Kaspersky’s Global Research and Analysis Team. “So, to make your business and your personal data safe, it’s very important to keep your cybersecurity services updated.”

Learn more about current ransomware trends in the full report on Securelist.

·       On May 11 at 4 PM CET, Sergey Lozhkin, Dmitry Galov, Marc Rivero, and Dan Demeter, Kaspersky's GReAT will discuss the latest trends in the ransomware market, focusing on new ransomware groups, their techniques and targets. Register for the webinar here:  https://kas.pr/u9i6

On May 12, which is Anti-Ransomware Day, Kaspersky encourages organizations to follow these best practices that help safeguard your organization against ransomware:

·       Always keep software updated on all the devices you use to prevent attackers from exploiting vulnerabilities and infiltrating your network.

·       Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminals’ connections to your network. Set up offline backups that intruders cannot tamper with. Make sure you can access them quickly when needed or in an emergency.

·       Enable ransomware protection for all endpoints. There is a free Kaspersky Anti-Ransomware Tool for Business that shields computers and servers from ransomware and other types of malware, prevents exploits and is compatible with already installed security solutions.

·       Install anti-APT and EDR solutions, enabling capabilities for advanced threat discovery and detection, investigation and timely remediation of incidents. Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within Kaspersky Expert Security framework.

·       Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for Kaspersky’s TI, providing cyberattack data and insights gathered by our team for over 20 years. To help businesses enable effective defenses in these turbulent times, Kaspersky has announced access to independent, continuously updated and globally sourced information on ongoing cyberattacks and threats, at no charge. Request access to this offer here.




Should I stay or should I go: how major gangs’ shutdown affected ransomware trends for 2023

Ransomware has been making headlines for several years in a row. In their quest for profit, attackers have targeted almost every type of organization, from healthcare and educational institutions to service providers and industrial enterprises, affecting nearly every aspect of daily life. This year, these groups are still managing to come up with new, elaborate techniques or even attribute features of former gangs among top players that have currently ceased operations. Ahead of the Anti-Ransomware Day, Kaspersky has released a new report reviewing last year’s ransomware predictions and providing insights into what to expect in 2023.
Kaspersky logo

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

Related Articles Press Releases