This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.
In November there were 457 total ransomware victims, making it the most active month for ransomware gangs in 2023 so far besides May. The top stories of the month include ALPHV's shutdown, an increased focus on the healthcare sector, and high-profile attacks on Toyota, Boeing, and more using a Citrix Bleed vulnerability.
We've written about a few ransomware gangs getting shut down this year, including Hive in January and RansomedVC in October, but ALPHV is the latest, and arguably biggest, name to be crossed off law enforcement's hit list in 2023.
ALPHV's shutdown represents a huge blow to the ransomware world, and a big win for defenders.
With a total of 573 victims since February 2022, it's no exaggeration to say that ALPHV was second only to LockBit in being organizations' biggest ransomware threat.
For one, it's a reminder that no ransomware gang, however prolific or well-resourced, is immune to downfall.
One can hope that ransomware gangs see a Goliath like ALPHV get felled and think twice about wantonly attacking organizations at the rate we've been seeing lately.
In other news, attacks on the healthcare sector last month reached an all-time high at 38 total attacks.
The record follows a steady uptick in attacks on the sector we've observed over the past year.
According to the findings released by the Department of Health and Human Services last month, there has been a 278% increase in ransomware attacks on the health sector over the past four years.
An attack on Ardent Health Services last month stands as a devastating reification of the trend.
The attack, which occurred on Thanksgiving Day, left emergency rooms in multiple hospitals across four US states shut down for five days.
Ransomware attacks are up overall for all sectors. Healthcare is easy to attack.
In other news, ransomware gangs rushed to exploit the Citrix Bleed vulnerability last month, taking advantage of a massive attack surface with over 8,300 vulnerable devices.
Reported to have been in use as a zero-day since late August, Citrix Bleed provides attackers with the capability to bypass multi-factor authentication and hijack legitimate user sessions.
One of the most interesting developments last month was a set of new reports reinforcing claims that Rhysida may be a rebrand of the infamous Vice Society ransomware gang.
Not only does Rhysida share many operational and technical patterns with Vice Society (including using NTDSUtil for backups in 'temp l0gs' and SystemBC for C2 communications), but the distribution of their monthly attacks lines up as well.
Vice Society vs Rhysida monthly ransomware attacks.
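Because the NTDSUtil backup pattern is one of the traits linking Rhysida to Vice Society, here is an added detection example (mine, not code from the Malwarebytes post) that flags an NTDSUtil "ifm" full backup in Sysmon-style process-creation events. The JSON field names, the sample events, and the 'temp l0gs' directory heuristic are assumptions.

```python
"""Flag NTDSUtil-based NTDS.dit backups in process-creation telemetry.

The events below are constructed to resemble Sysmon Event ID 1 data and
are not real logs; the field names (host, user, image, cmdline) are assumed.
"""
import json
import re
from typing import List, Optional

# Constructed sample events, one JSON object per line.
SAMPLE_EVENTS = r"""
{"host": "dc01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\ntdsutil.exe", "cmdline": "ntdsutil \"ac i ntds\" \"ifm\" \"create full C:\\temp l0gs\" q q"}
{"host": "ws17", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad C:\\temp l0gs\\readme.txt"}
{"host": "dc01", "user": "CORP\\admin", "image": "C:\\Windows\\System32\\ntdsutil.exe", "cmdline": "ntdsutil \"ac i ntds\" \"ifm\" \"create full C:\\Backups\\ifm\" q q"}
{"host": "dc02", "user": "CORP\\admin", "image": "C:\\Windows\\System32\\ntdsutil.exe", "cmdline": "ntdsutil roles connections q"}
"""

# "ifm" followed by "create full" is the NTDSUtil syntax for a full media backup
# that writes a copy of NTDS.dit (the AD credential database) to disk.
IFM_FULL_BACKUP = re.compile(r"\bifm\b.*\bcreate\s+full\b", re.IGNORECASE)
# Heuristic for the look-alike folder name reported for Rhysida/Vice Society
# ("temp l0gs" with a zero); an assumption, not an authoritative indicator.
LOOKALIKE_DIR = re.compile(r"temp\s*l0gs", re.IGNORECASE)


def classify(event: dict) -> Optional[str]:
    """Return a severity for an ntdsutil execution, or None if not ntdsutil."""
    image = event.get("image", "").lower()
    cmdline = event.get("cmdline", "")
    if not image.endswith("ntdsutil.exe"):
        return None
    if IFM_FULL_BACKUP.search(cmdline):
        # Full IFM backup: high if written to the look-alike folder, else medium
        # (legitimate admins do take IFM backups, so review rather than block).
        return "high" if LOOKALIKE_DIR.search(cmdline) else "medium"
    return "low"  # other ntdsutil use (roles, connections, ...): routine admin work


def detect(lines: str) -> List[dict]:
    """Parse JSON-lines events and return one alert per ntdsutil execution."""
    alerts = []
    for raw in lines.strip().splitlines():
        event = json.loads(raw)
        severity = classify(event)
        if severity is not None:
            alerts.append({"host": event["host"], "user": event["user"],
                           "severity": severity, "cmdline": event["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], alert["user"], alert["cmdline"])
```

On the constructed sample the backup into the look-alike folder is rated high, the backup into a normal backup path medium, and the non-backup ntdsutil call low.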
First detected in August 2022, Meow ransomware, linked to the Conti v2 variant, reappeared after vanishing in February 2023.
ThreatDown automatically quarantining LockBit ransomware.
This Cyber News was published on www.malwarebytes.com. Publication date: Wed, 13 Dec 2023 20:13:04 +0000