Mandiant Reports 20% Surge in Ransomware Investigations for 2023

Updated on June 4, 2024



In 2023, Mandiant observed a significant uptick in ransomware activity, including a sharp rise in data theft and in the use of public data leak sites. The cybersecurity firm reported these findings in a blog post, highlighting an overall increase in ransomware families, changes in deployment timelines, and changes in the tools used by attackers. The research was based on incident response cases handled directly by Mandiant.


The company noted a substantial rise in the use of public data leak sites, intended to shame victims into paying ransoms, with a 30% increase in new sites. Posts on these sites surged by 75% compared to the previous year, marking 2023 as the highest volume of posts since Mandiant began tracking in 2020.

[Figure: ransomware report. Source: Ransomware incident response investigations 2018-2023]

Mandiant’s analysis revealed that over 50 new ransomware variants emerged last year, with a third being offshoots of existing families. The blog post suggested that some of this new activity might be due to previously established actors forming new alliances or rebranding.

The report also detailed the prevalence of data theft during ransomware attacks. Nearly 60% of incidents involved confirmed or suspected data theft, even though this process took longer than simply encrypting systems.


The median time between initial access and ransomware deployment was 6.11 days for incidents with data theft, compared to 1.76 days for those without. Data theft has become more efficient than in the previous year, indicating that threat actors are becoming more adept at locating and exfiltrating valuable data.

A notable trend was the increased use of legitimate tools by ransomware actors to avoid detection. Mandiant observed the use of such tools rise from 23% in 2022 to 41% in 2023, with AnyDesk usage nearly doubling. Attackers also shifted away from developing or purchasing zero-day exploits towards exploiting known vulnerabilities or using stolen credentials, a significant change in their tactics.

In 2023, attackers also favored cryptocurrencies other than Bitcoin for ransom payments, likely due to increased tracing efforts. For instance, the Kuiper ransomware group preferred Monero, penalizing victims who paid in Bitcoin. Despite these trends, Bitcoin remains the primary choice due to its availability on most exchanges.

Law enforcement actions disrupted major ransomware groups like LockBit and BlackCat/Alphv. Significant actions included the indictment and sanctioning of the alleged LockBit leader, “LockBitSupp,” and a coordinated operation dubbed “Endgame” that targeted botnets and malware droppers used by ransomware gangs.

While these efforts have had some short-term impacts, Mandiant noted that threat actors tend to be resilient and adapt to such disruptions.

Abdul Rehman

Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.
