Threat groups such as Karakurt, Donut, RansomHouse, and BianLian had been extorting ransoms without actually encrypting data in compromised systems…

In evaluating data trends in its security cloud from April 2022 to April 2023, a cybersecurity firm has produced a report of the cyber trends its global protection ecosystem experienced.

The data showed that the Ransomware-as-a-Service (RaaS) model had likely been responsible for the 40% increase in ransomware attack frequency observed in the firm’s security cloud in the past year. One of the most noteworthy trends that accompanied this increase in 2023 was the growth of encryption-less extortion, a style of cyberattack that prioritizes data exfiltration over disruptive encryption methods.

In terms of double-extortion ransomware attacks, the firm’s clients in the United States were the most targeted, comprising 40% of all victims. The combined number of attacks on clients from Canada, the United Kingdom, and Germany formed less than half of the attacks that targeted US entities in the firm’s user base.

Next, the most prevalent ransomware families being tracked included BlackBasta, BlackCat, Clop, Karakurt, and LockBit.

Other findings

During the period of data analysis, the most-targeted market sector in the firm’s global security cloud protection ecosystem was manufacturing, where intellectual property and critical infrastructure were attractive targets for ransomware groups. All ransomware groups being tracked had some involvement in targeting this sector, including automotive, electronics, and textiles. However, the BlackBasta ransomware family was particularly interested in manufacturing organizations, targeting these types of businesses more than 26% of the time in the firm’s ecosystem. Also:

    • The year of data showed 44 ransomware families in action, up from the 19 detected in 2021.
    • There was increasing popularity of “encryptionless extortion” attacks that were pioneered by ransomware groups like Babuk and SnapMC.
    • The encryptionless extortion method skips the encryption step but employs the same tactic of threatening to leak victims’ data online if they do not pay. This tactic results in faster and larger profits for ransomware gangs by eliminating software development cycles and decryption support. It is also harder to detect and receives less attention from the authorities because it does not lock key files and systems or cause the downtime associated with recovery. Such attacks therefore tend not to disrupt their victims’ business operations, which could result in lower reporting rates.
    • Over the last year, researchers saw a number of new families adopt the tactic, including Karakurt, Donut, RansomHouse, and BianLian.

According to Deepen Desai, Global CISO and Head of Security Research, Zscaler, Inc., which provided the data analysis findings: “Ransomware authors are increasingly staying under the radar by launching encryption-less attacks which involve large volumes of data exfiltration. Organizations must move away from using legacy point products and instead migrate to a fully integrated zero trust platform that minimizes their attack surface, prevents compromise, reduces the blast radius in the event of a successful attack, and prevents data exfiltration.”