Arete releases Q3 crimeware report on ransomware trends and shifts in cyber threat landscape

Multiple ransomware groups demonstrated increased aggression and use of pressure tactics in

negotiations, including one group making unsubstantiated threats of physical violence.

Arete, a global cyber risk management company, released its Crimeware Report highlighting trends and shifts in the cyber threat landscape observed by Arete in Q3 of 2023. The report leverages data collected during Arete incident response engagements and explores the rise and fall of ransomware variants, trends in ransom demands and payments, critical infrastructure impacts, and geopolitical implications. 

ALPHV/BlackCat dethroned LockBit as the most prevalent ransomware variant Arete observed in Q3, as

LockBit encountered internal instability, and ALPHV/BlackCat increased the volume and speed of its attacks. The number of identified threat groups increased slightly compared to Q2, but Q3 saw a greater variety in unnamed variants.

Q3 was marked by instability and an increase in unnamed ransomware variants, potentially due to affiliates shifting between names to find the highest profits while reducing exposure to law enforcement. Wellknown Ransomware-as-a-Service (RaaS) operators like ALPHV/BlackCat, LockBit, and Akira are competing for high-quality affiliates.

Across the ransomware incident response cases Arete responded to in Q3, several notable trends emerged:

• Multiple ransomware groups demonstrated increased aggression and use of pressure tactics in

negotiations, including one group making unsubstantiated threats of physical violence.

• Cl0p continued impacting victims from the MoveIt exploit campaign, using torrents for faster

data exfiltration.

• Luna Moth returned in high volumes, using call-back phishing with Peloton lures to gain initial

access. The group primarily targets law firms in exfiltration-only extortion events.

Meanwhile, global geopolitical instability continues to reverberate through the cyber domain. More than

100 threat actor groups are conducting malicious cyber activity in relation to the Israel/Hamas conflict.

Collateral cyber damage is minimal at this time but may escalate to impact non-participating organizations as the conflict continues.

Arete responded to nearly 50% more ALPHV/BlackCat engagements in Q3 compared with Q2, as the group expanded operations and began working with more affiliates. Meanwhile, Lockbit ransomware activity remained stable despite the group’s internal conflicts. Akira’s operations took the biggest hit, potentially indicating that its affiliates are moving to work with different ransomware operators. INC ransomware surged onto the scene in Q3 as a previously unseen operation. Luna Moth rounded out the top 5 in Q3, with most of their activity centered in September after appearing to take the summer months off. Cl0p failed to make the top 5 in Q3 due to a slight decline in activity.

Ransomware groups demand the highest average ransoms from Critical Infrastructure ($440K) and Financial Services Companies ($394K), likely due to the pressure for up-time in those industries combined with the associated revenue of those companies. Retail ($315K) and Professional Services Firms ($214K) come in third and fourth among industries as threat actors take advantage of perceived reputational harm that comes from a publicized ransomware attack. Because most ransomware engagements Arete responds to involve double extortion, in which threat actors both encrypt and exfiltrate an organization’s data, these numbers primarily reflect ransoms demanded to decrypt and prevent the publication of stolen data.

Throughout Q3, LockBit showed indications of internal disorganization and conflict with its affiliates.

Arete observed an increasing number of engagements across Q2 and Q3 in which LockBit encrypted systems twice or used multiple LockBit variants in the same victim environment. In at least three engagements where LockBit 2.0 ransomware was identified, LockBit 3.0 or LockBit Black ransomware variants were also present. This dual infection pattern causes restoration delays after payment but, as of October 2023, has yet to result in multiple payments.

Across Arete’s ransomware engagements in Q3, 46% of impacted organizations fell within the 16 critical

infrastructure sectors designated by the Cybersecurity and Infrastructure Security Agency (CISA). Community and Government-based Operations and Essential Functions encompass the government facilities sector and government-adjacent community functions. That sector was most impacted by ransomware and extortion incidents, followed by Transportation and Logistics, Housing-related Services, and Financial Services. In Transportation and Logistics, no industrial control system (ICS) impacts were reported.

The end of Q3 saw deadly attacks in Israel, reigniting the conflict between Israel and Hamas in the Middle

East. Over 100 cyber threat groups are engaging in malicious cyber activity surrounding the conflict.

Most of the activity consists of low-skill website defacement and distributed denial-of-service (DDoS)

attacks that, while disruptive, have little long-term impact on organizations. However, some malicious

activity posed a significant threat to Israeli critical infrastructure. In at least one instance, threat actors

accessed an alert app used by the Israeli government to communicate with citizens. Threat actors are also

distributing a fake version of the app pre-loaded with spyware.