NCC Group Monthly Threat Pulse – April 2023: Ransomware threat remains at high level
The volume of ransomware attacks remained at record highs with 352 attacks in April, the second-highest month on record, according to the latest analysis from NCC Group’s Global Threat Intelligence team.
April’s high level of activity, largely attributable to the top three threat actors, is surpassed only by March’s figure of 459 attacks, which was driven by Cl0p’s mass exploitation of a vulnerability in Fortra’s GoAnywhere MFT file-transfer product (CVE-2023-0669).
The three most active threat actors in April, Lockbit 3.0, BlackCat, and BianLian, were responsible for 58% of all ransomware activity monitored during the month.
Lockbit 3.0, the most active threat group of 2023, launched 107 of the 352 attacks monitored, a 10% increase from March. BlackCat (50) and BianLian (46) increased their activity by 67% and 59% respectively. BlackCat’s attack on storage manufacturer Western Digital garnered significant attention, with the group claiming to have stolen 10 terabytes of data and demanding an eight-figure ransom.
Akira, a new ransomware player that NCC Group’s Global Threat Intelligence Team believes to be independent from other well-known groups, made it into the top ten most active groups for the first time, targeting enterprises across a diverse range of industries, from construction through to real estate.
Meanwhile, ransomware-as-a-service (RaaS) provider Cl0p reduced its activity by 98%, from 129 victims in March to 3 in April. This is likely the result of organisations applying patches for the GoAnywhere MFT zero-day vulnerability that the group exploited, which contributed to the high number of victims in March.
Repeating last month’s pattern, North America was the target of half of April’s ransomware activity with 172 attacks (50%). Europe followed with 85 attacks (24%), then Asia with 34 attacks (10%).
In April, Industrials (32%) was the most targeted sector with 113 attacks, followed by Consumer Cyclicals (11%) with 39 attacks and Technology (11%) with 37 attacks.
Spotlight: PaperCut printer software vulnerabilities
This month, two vulnerabilities in PaperCut’s MF and NG print management software, CVE-2023-27350 (an unauthenticated remote code execution flaw rated critical) and CVE-2023-27351 (an unauthenticated information disclosure flaw), take the spotlight, due to the number of organisations that could be impacted and the ease with which the vulnerabilities can be exploited.
PaperCut serves more than 100 million users across over 70,000 organisations in a variety of industries, including local government, healthcare, and education. Shortly after the vulnerabilities were announced, Shodan, a search engine for internet-connected devices, indicated roughly 1,700 instances of the software exposed to the internet.
NCC Group’s Global Threat Intelligence team believes organisations yet to update their PaperCut software are already being targeted, as threat actors look to exploit the vulnerability on a global scale.
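As an added triage aid that is not part of NCC Group’s report or PaperCut’s own tooling, the following Python snippet classifies a PaperCut MF/NG build against the first fixed releases (20.1.7, 21.2.11 and 22.0.9) published in PaperCut’s March 2023 security bulletin for these two CVEs. The banner format it parses (`PaperCut MF 22.0.6 (Build 65325)`) and the sample page fragment are assumptions constructed for the example; take the version string from your own server’s admin web interface (by default on TCP 9191/9192) rather than from an internet-facing scan.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed build per release train, from PaperCut's March 2023
# security bulletin for CVE-2023-27350 / CVE-2023-27351.
FIXED_VERSIONS = {
    (20, 1): (20, 1, 7),
    (21, 2): (21, 2, 11),
    (22, 0): (22, 0, 9),
}

# Assumed banner format: "PaperCut MF 22.0.6 (Build 65325)"; adjust the
# regex if the version string on your instance is laid out differently.
VERSION_RE = re.compile(r"PaperCut\s+(MF|NG)\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[str, Version]]:
    """Extract (edition, (major, minor, patch)) from page text, or None."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def is_vulnerable(version: Version) -> bool:
    """True if the build predates the fix for CVE-2023-27350/27351."""
    major, minor, _ = version
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is not None:
        return version < fixed
    # Trains without their own fixed build: PaperCut stated that 8.0 and
    # later were affected, so anything older than the 22.0 train (e.g.
    # 21.0.x, 21.1.x) must be upgraded to a fixed release. Trains newer
    # than 22.0 are assumed to have shipped after the fix (assumption).
    return (major, minor) < (22, 0)


def triage(text: str) -> str:
    """Classify captured page text as 'vulnerable', 'patched' or 'unknown'."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    _, version = parsed
    return "vulnerable" if is_vulnerable(version) else "patched"


if __name__ == "__main__":
    # Constructed sample, not a real capture: an unpatched 22.0 build.
    SAMPLE = '<div class="version">PaperCut MF 22.0.6 (Build 65325)</div>'
    print(parse_version(SAMPLE), triage(SAMPLE))  # ('MF', (22, 0, 6)) vulnerable
```

The comparison is a plain tuple comparison on (major, minor, patch), so a build such as 22.0.10 correctly sorts above 22.0.9; a string comparison would not. A result of `unknown` means the version string was not found, not that the host is safe.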
Matt Hull, Global Head of Threat Intelligence at NCC Group, said:
“We faced another record-breaking volume of ransomware attacks in April, demonstrating how the threat landscape is continuing to evolve at an alarming pace. The recent attack by BlackCat on Western Digital’s network is a prime example of the increasingly malicious nature of these activities, and we believe that this kind of malicious effort – leaking data to encourage ransom payments, known as a double-extortion ransomware attack – is on the rise.
“As we see these growing levels of activity, organisations should remain vigilant and adapt their security measures to stay one step ahead, adopting a comprehensive and multi-layered defence strategy that is malleable to a changing threat landscape. Simple measures such as ensuring patches are applied, as seen with the latest PaperCut vulnerabilities, can often mitigate these risks considerably.”