The volume of ransomware and other cyber extortion attacks may have dwindled in 2022 in a trend most likely linked to Russia’s war on Ukraine, but with actors such as Clop/Cl0p making hay this year following their successful exploitation of vulnerabilities in popular managed file transfer services (MFTs), recorded victims of cyber extortion were up 46% in 2023, according to Orange Cyberdefense’s Security Navigator 2024 report, published last week.
Orange’s threat analysts attribute this significant increase to the Clop gang, which targeted two zero-days in MFT products this year, Fortra’s GoAnywhere and Progress Software’s MOVEit, the latter of which enabled it to rack up a total of 2,591 victims affecting between 77 and 83 million individuals.
Also as a result of Clop’s victimology, large enterprises were the majority of victims of extortion attacks in Orange’s metrics, accounting for 40% of 8,948 observed victims, compared to 23% among medium-sized organisations and 25% among small businesses.
The largest number of victims by geography were all found English-speaking countries, over 50% in the US, 6% in the UK, and 2% in Canada. However, Orange also observed significant year-on-year (YoY) volume increases in India (up 97%), Oceania (up 73%), and Africa (up 70%).
“This year’s report underlines the unpredictable environment we face today, and we see our teams working harder than ever as the number of detected incidents continues to increase,” said Orange Cyberdefense CEO Hugues Foulon.
“Whilst we are seeing a surge in the number of large businesses impacted by cyber extortion [40%], small and medium businesses together are making up nearly half of all victims [48%].
“Together with our customers, we are pursuing an unwavering policy of awareness and support for our increasingly interconnected world. We are adapting to new technologies and preparing for new threat actors by continuing to anticipate, detect and contain attacks when they emerge,” said Foulon.
During 2023, Orange’s team tracked a variety of extortion groups, including 31 newcomers that had never been seen before, and 23 that had been operational in 2022, while 25 other groups faded away during the period.
Approximately half of cyber extortion gangs have a life of about six months, just over 20% survive for seven to 12 months, and only 10% make it beyond a year, as groups both dissolve and evolve into others, highlighting the challenges faced by law enforcement agencies and defenders attempting to bring them down.
Orange said it had never seen as many active cyber extortion actors as in the past 12 months, and this was likely a consequence of the war in Ukraine, creating a gap that is now being filled by new groups.
Politically motivated extortion
One of the biggest cyber criminal casualties of the war in Ukraine was the Conti group, which possibly orchestrated its own demise in 2022 after an internal spat over the gang’s declaration of support for Russia.
A year down the line, and Orange’s analyst’s have observed a growing blurriness to the distinction between cyber extortion gangs and hacktivists, with multiple cyber criminals professing their support for Russia or Ukraine – and more recently, Israel or Hamas.
This “crossover” trend is happening in both directions, too, with hacktivist operations such as the Killnet-linked Anonymous Sudan seen demanding money with menaces in order not to inflict distributed denial of service (DDoS) attacks on its victims.
Orange said that the cyber extortion ecosystem has now become so sophisticated that it is far more effective operationally than the law enforcement agencies and authorities tasked with disrupting in, and even though 2023 saw significant takedowns of some prominent gangs – Hive in January and RagnarLocker more recently – such actions have had little impact on a wider scale.
However, wrote the report’s authors, all is not necessarily lost. “The most promising efforts are those that are taken collectively, [so] just as cyber criminals use and re-use their resources and capabilities, so should we as defenders,” they said.
“Witnessing the successful law enforcement actions and collaboration between different law enforcement agencies and countries shows that collectively we can have an impact. Additionally, we see governments committing [to] and joining the fight against cyber extortion, hopefully helping by sharing information, training, and developing technologies that can assist with this goal and positively impact efforts.
“The defender’s space has become at least as busy as the offenders space, which hopefully means that in the near future those efforts will show some effect,” they concluded.