The ‘resiliency of threat actors’ in the ransomware arena is ‘noteworthy’, says chief information security officer

Global ransomware attacks reached a record high in 2023, but in Q4 last year reports about these incidents tailed off – firms should therefore remain “vigilant” to cyber criminals’ next steps, according to cyber underwriting specialist Corvus Insurance.

According to the firm’s Q4 2023 Ransomware report, published on 30 January 2024, there was a total of 4,496 victims worldwide on ransomware leak sites last year – surpassing 2022’s total of 2,670 by 68%.

Reported ransomware attacks in 2023’s Q4, however, dropped by 7% from Q3 following the takedown of ransomware gang BlackCat, also known as ALPHV, in December and banking trojan Qakbot in August.

Corvus Insurance observed a total of 1,278 victims on ransomware leak sites in the final quarter of 2023.

By comparison, there were 2,670 ransomware cases in 2022 and 3,048 in 2021, reflecting an ebb and flow in attacks.

Corvus Insurance’s chief information security officer, Jason Rebholz, said that “while ransomware activity spiked to an all-time high in 2023, the real story here is the incredible impact law enforcement had on these groups as we closed out the year”.

However, “unfortunately, there’s no time to celebrate,” he added.

“Threat actors are resilient and have quickly pivoted to new malware, which means everyone must remain vigilant in their commitment to mitigating these threats.”

Corvus Insurance began tracking the data for its research report in December 2020, using intelligence from more than 100 ransomware groups.

UK threats

Speaking exclusively to Insurance Times, CFC Underwriting cyber product leader Philippa Berry said that in Q4 2023, the frequency of ransomware attacks was “stable” across UK SMEs.

But the firm had observed a “change” between first-party and third-party attacks.

A third-party cyber attack is one in which a cyber criminal targets a vendor, supplier or contractor of an organisation in order to gain sensitive information about the company’s partners or customers.

Berry explained: “We’ve seen more third party ransomware attacks in the last quarter, but the risk that most SMEs are facing – and will increase as the economic climate continues to worsen – is actually cyber crime.

“Typically, you do see an increase in fraud and crime when there is a weaker economy, so I expect that will be an issue for SME clients.

“[Ransomware] hasn’t necessarily gone away, but [it] has dominated so much in the last two years [that] there will probably be a focus back towards crime risk for our clients.”

Crime risk can include, for example, social engineering, in which victims are manipulated into revealing confidential or personal information.

Beyond SMEs, Berry said that cyber criminals tend to target sectors that “hold a large amount [of funds] and make a lot of transfers” – like real estate and education. In general, however, cyber crime is “industry agnostic”, she added.

Berry further noted that cyber criminals are “moving back into traditional cyber crime”, such as theft of funds where they’re stealing fiat currency directly, because it’s become “increasingly difficult” for them to “convert crypto or e-currency into fiat”.

Global threats

Corvus Insurance’s aforementioned report, meanwhile, said it “identified a noticeable shift to other malware strains, such as Pikabot and DarkGate”.

This type of malware was used to gain initial access to victims’ networks.

Cyber criminals are not only shifting their focus but also increasing in number, according to the underwriter.

The firm highlighted that the number of active ransomware groups increased by 34% in 2023.

At least 10 new threat actor groups have also used Babuk’s encryptor following the leak of the ransomware’s source code on a hacking forum in 2021.

In terms of the industries targeted, Corvus Insurance said the transportation, logistics and storage sectors “experienced consistent increases” in ransomware attacks throughout last year – the firm added that “given the nature of the work, businesses in [these fields] are sensitive to business interruption and may present attractive targets to threat actors looking to put pressure on victims to pay for decryption”.

Rebholz said: “While many will remember 2023 for its record-setting number of ransomware attacks, what is equally noteworthy is the resiliency of threat actors who, despite growing action from law enforcement, were quick to use new forms of malware to secure initial access.

“Throughout 2024, we will undoubtedly witness much of the same activity, as criminals continue to attack, shift, re-brand and strike again.

“Businesses should remain prepared with enhanced security controls and cyber insurance policies to help minimise risk.”

Corvus Insurance – which has offices worldwide, including the UK – was founded in 2017 and is a wholly owned subsidiary of The Travelers Companies.