Ransomware groups shift focus to return-on-investment targeting critical industries: Akamai Research
Akamai Technologies released a new State of the Internet report that spotlights the evolving ransomware landscape. Ransomware on the Move: Exploitation Techniques and the Active Pursuit of Zero-Days finds that the use of Zero-Day and One-Day vulnerabilities has led to a 204 percent increase in total ransomware victims between Q1 2022 and Q1 2023 in Asia-Pacific and Japan (APJ). The report also found that ransomware groups increasingly target the exfiltration of files, the unauthorized extraction or transfer of sensitive information, which has become the primary source of extortion. This new tactic indicates file backup solutions are no longer a sufficient strategy to protect against ransomware.
A deeper examination of the data reveals that essential infrastructure in the region is being actively targeted, as the top five critical industries in APJ that have been attacked by ransomware and are at further risk are manufacturing, business services, construction, retail, as well as energy, utilities, and telecommunications. Unless cybersecurity standards are strengthened, organizations in this sector will continue to be vulnerable to disruption.
The spike in ransomware attacks is due to adversaries shifting the emphasis of their modus operandi from phishing to vulnerability abuse in order to exploit unknown security threats and infiltrate business internal networks to deploy ransomware. LockBit has been the most subscribed Ransomware-as-a-Service and now dominates the ransomware landscape in APJ, accounting for 51 percent of attacks from Q3 2021 to Q2 2023 – followed by the ALPHV and CL0P ransomware groups.
Other key findings of Ransomware on the Move: Exploitation Techniques and the Active Pursuit of Zero-Days include:
- Lockbit is the most prevalent ransomware in each industry in APJ, accounting for 60 percent of attacks in manufacturing, 55.8 percent in business services, 57.7 percent in construction, 45.8 percent in retail, and 28.6 percent in energy.
- The CL0P ransomware group is aggressively exploiting Zero-Day vulnerabilities, like MOVEit, which contributed to the spike in ransomware victims in APJ in Q1 2023, and the ongoing ransomware events in June this year.
- The report also found that the majority of ransomware victims in APJ are small-to-medium sized enterprises (SMEs) with a reported revenue of up to US$50 million.
- Ransomware groups are increasingly targeting the exfiltration of files, which has become the primary source of extortion. This new tactic indicates file backup solutions are no longer a sufficient strategy to protect against ransomware.
- Victims of multiple ransomware attacks were more than 6x more likely to experience the second attack within three months of the first attack.
“Adversaries behind ransomware attacks continue to evolve their techniques and strategies striking at the heart of organizations by exfiltrating their critical and sensitive information,” said Dean Houari, Director of Security Technology and Strategy, at Akamai. “It’s imperative that both the private and public sectors across APJ strengthen collaboration to help organizations defend against ever-growing ransomware threats.”
“Businesses – especially SMEs in APJ – must work to adopt a zero trust architecture starting with software defined microsegmentation in order to effectively mitigate ever evolving cyber attacks as well as Ransomware-as-a-Service. By doing so, they can successfully protect their critical assets, business reputation, and ensure business continuity regardless of the type of attack tool deployed by cyber criminal gangs”, he concluded.
Methodology
The ransomware data used throughout this report was collected from the leak sites of approximately 90 different ransomware groups. It is typical of these groups to report details of their attacks, such as timestamps, victims names, and victim domains. It is important to note that these reports are subject to whatever each ransomware group has a desire to publicize. The success of these reported attacks was not included in this research.
This research focused instead on the victims who were reported. For each analysis, the number of unique victims within each grouping was measured. This victim data was joined with data obtained from ZoomInfo to provide additional details about each victim, such as location, revenue range, and industry. All data was within the 20-month time frame of October 1, 2021 through May 31, 2023