{"id":22417,"date":"2024-02-20T08:13:27","date_gmt":"2024-02-20T13:13:27","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=22417"},"modified":"2024-02-21T11:18:06","modified_gmt":"2024-02-21T07:18:06","slug":"ransowmare-attacks-in-2023","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/ransowmare-attacks-in-2023\/22417\/","title":{"rendered":"Ransomware: the most high-profile attacks of 2023"},"content":{"rendered":"

Time was when any ransomware incident would spark a lively press and public reaction. Fast forward to the present, and the word \u201cransomware\u201d in a headline doesn\u2019t generate nearly as much interest: such attacks have become commonplace. Nonetheless, they continue to pose a grave threat to corporate security. This review spotlights the biggest and most high-profile incidents that occurred in 2023.<\/p>\n

January 2023: LockBit attack on the UK\u2019s Royal Mail<\/h2>\n

\nThe year kicked off with the LockBit group attacking Royal Mail<\/a>, the UK\u2019s national postal service. The attack paralyzed international mail delivery, leaving millions of letters and parcels stuck in the company\u2019s system. On top of that, the parcel tracking website, online payment system, and several other services were also crippled; and at the Royal Mail distribution center in Northern Ireland, printers began spewing out copies of the LockBit group\u2019s distinctive orange ransom note.<\/p>\n

\"LockBit<\/a>

The LockBit ransom note that printers at the Royal Mail distribution center began printing in earnest. Source<\/a><\/p><\/div>\n

As is commonly the case with modern ransomware attacks, LockBit threatened to post stolen data online unless the ransom was paid. Royal Mail refused to pay up, so the data ended up being published.<\/p>\n

February 2023: ESXiArgs attacks VMware ESXi servers worldwide<\/h2>\n

\nFebruary saw<\/a> a massive automated ESXiArgs ransomware attack on organizations through the RCE vulnerability CVE-2021-21974<\/a> in VMware ESXi servers. Although VMware released a patch for this vulnerability back in early 2021, the attack left more than 3000 VMware ESXi servers encrypted.<\/p>\n

The attack operators demanded just over 2BTC (around $45,000 at the time of the attack). For each individual victim they generated a new Bitcoin wallet and put its address in the ransom note.<\/p>\n

\"ESXiArgs<\/a>

Ransom demand from the original version of ESXiArgs ransomware. Source<\/a><\/p><\/div>\n

Just days after the attack began, the cybercriminals unleashed a new strain<\/a> of the cryptomalware, making it far harder to recover encrypted virtual machines. To make their activities more difficult to trace, they also stopped giving out ransom wallet addresses, prompting victims to make contact through the P2P messenger Tox<\/a> instead.<\/p>\n

March 2023: Clop group widely exploits a zero-day in GoAnywhere MFT<\/h2>\n

\nIn March 2023, the Clop group began widely exploiting a zero-day vulnerability<\/a> in Fortra\u2019s GoAnywhere MFT (managed file transfer) tool. Clop is well-known for its penchant for exploiting vulnerabilities in such services: in 2020\u20132021, the group attacked<\/a> organizations through a hole in Accelon FTA, switching<\/a> in late 2021 to exploiting a vulnerability in SolarWinds Serv-U.<\/p>\n

In total, more than 100 organizations suffered attacks on vulnerable GoAnywhere MFT servers, including Procter & Gamble<\/a>, the City of Toronto<\/a>, and Community Health Systems<\/a> \u2014 one of the largest healthcare providers in the U.S.<\/p>\n

\"Map<\/a>

Map of GoAnywhere MFT servers connected to the internet. Source<\/a><\/p><\/div>\n

April 2023: NCR Aloha POS terminals disabled by BlackCat attack<\/h2>\n

\nIn April, the ALPHV group (aka BlackCat \u2014 \u00a0after the ransomware it uses) attacked<\/a> NCR, a U.S. manufacturer and servicer of ATMs, barcode readers, payment terminals, and other retail and banking equipment.<\/p>\n

The ransomware attack shut down the data centers handling the Aloha POS platform \u2014 which is used in restaurants, primarily fast food \u2014 for several days.<\/p>\n

\"NCR<\/a>

NCR Aloha POS platform disabled by the ALPHV\/BlackCat group. Source<\/a><\/p><\/div>\n

Essentially, the platform is a one-stop shop for managing catering operations: from processing payments, taking online orders, and operating a loyalty program, to managing the preparation of dishes in the kitchen and payroll accounting. As a result of the ransomware attack on NCR, many catering establishments were forced<\/a> to revert to pen and paper.<\/p>\n

May 2023: Royal<\/em> ransomware attack on the City of Dallas<\/h2>\n

\nEarly May saw a ransomware attack<\/a> on municipal services in Dallas, Texas \u2014 the ninth most populous city in the U.S. Most affected were IT systems and communications of the Dallas Police Department, and printers on the City of Dallas network began churning out ransom notes.<\/p>\n

\"Royal<\/a>

The Royal ransom note printed out through City of Dallas network printers. Source<\/a><\/p><\/div>\n

Later that month, there was another ransomware attack on an urban municipality: the target<\/a> this time was the City of Augusta in the U.S. state of Georgia, and the perpetrators were the BlackByte group.<\/p>\n

June 2023: Clop group launches massive attacks through vulnerability in MOVEit Transfer<\/h2>\n

\nIn June, the same Clop group responsible for the February attacks on Fortra GoAnywhere MFT began exploiting<\/a> a vulnerability in another managed file transfer tool \u2014 Progress Software\u2019s MOVEit Transfer. This vulnerability, CVE-2023-34362<\/a>, was disclosed and fixed by Progress<\/a> on the last day of May, but as usual, not all clients managed to apply the patches quickly enough.<\/p>\n

This ransomware attack \u2014 one of the largest incidents of the year \u2014 affected numerous organizations, including the oil company Shell<\/a>, the New York City Department of Education<\/a>, the BBC<\/a> media corporation, the British pharmacy chain Boots, the Irish airline Aer Lingus<\/a>, the University of Georgia<\/a>, and the German printing equipment manufacturer Heidelberger Druckmaschinen<\/a>.<\/p>\n

\"Clop<\/a>

The Clop website instructs affected companies to contact the group for negotiations. Source<\/a><\/p><\/div>\n

July 2023: University of Hawaii pays ransom to the NoEscape group<\/h2>\n

\nIn July, the University of Hawaii<\/a> admitted to paying off ransomwarers. The incident itself occurred a month earlier when all eyes were fixed on the attacks on MOVEit. During that time, a relatively new group going by the name of NoEscape infected one of the university departments, Hawaiian Community College, with ransomware.<\/p>\n

Having stolen 65GB of data, the attackers threatened the university with publication. The personal information of 28,000 people was apparently at risk of compromise. It was this fact that convinced the university to pay the ransom to the extortionists.<\/p>\n

\"NoEscape<\/a>

NoEscape announces the hack of the University of Hawaii on its website. Source<\/a><\/p><\/div>\n

Of note is that university staff had to temporarily shut down IT systems to stop the ransomware from spreading. Although the NoEscape group supplied a decryption key upon payment of the ransom, the restoration of the IT infrastructure was expected to take two months.<\/p>\n

August 2023: Rhysida targets the healthcare sector<\/h2>\n

\nAugust was marked by a series of attacks by the Rhysida ransomware group on the healthcare sector. Prospect Medical Holdings (PMH), which operates 16 hospitals and 165 clinics across several American states, was the organization that suffered the most.<\/p>\n

The hackers claimed<\/a> to have stolen 1TB of corporate documents and a 1.3 TB SQL database containing 500,000 social security numbers, passports, driver\u2019s licenses, patient medical records, as well as financial and legal documents. The cybercriminals demanded a 50BTC ransom (then around $1.3 million).<\/p>\n

\"Rhysida<\/a>

Ransom note from the Rhysida group. Source<\/a><\/p><\/div>\n

September 2023: BlackCat attacks Caesars and MGM casinos<\/h2>\n

\nIn early September, news broke of a ransomware attack on two of the biggest U.S. hotel and casino chains \u2014 Caesars and MGM<\/a> \u2014 in one stroke. Behind the attacks was the ALPHV\/BlackCat group, mentioned above in connection with the assault on the NCR Aloha POS platform.<\/p>\n

The incident shut down the companies\u2019 entire infrastructure \u2014 from hotel check-in systems to slot machines. Interestingly, the victims responded in very different ways. Caesars decided to pay the extortionists $15 million, half of the original $30 million demand.<\/p>\n

MGM chose not to pay up<\/a>, but rather to restore the infrastructure on its own. The recovery process took nine days, during which time the company lost $100\u00a0million<\/a> (its own estimate), of which $10\u00a0million was direct costs related to restoring the downed IT systems.<\/p>\n

\"BlackCat<\/a>

Caesars and MGM own more than half of Las Vegas casinos<\/p><\/div>\n

October 2023: BianLian group extorts Air Canada<\/h2>\n

\nA month later, the BianLian group targeted<\/a> Canada\u2019s flag carrier, Air Canada. The attackers claim they stole more than 210GB of various information, including employee\/supplier data and confidential documents. In particular, the attackers managed to steal information on technical violations and security issues of the airline.<\/p>\n

\"BianLian<\/a>

The BianLian website demands a ransom from Air Canada Source<\/a><\/p><\/div>\n

November 2023: LockBit group exploits Citrix Bleed vulnerability<\/h2>\n

\nNovember was remembered for a Citrix Bleed vulnerability<\/a> exploited by the LockBit group, which we also discussed above. Although patches for this vulnerability were published a month earlier, at the time of the large-scale attack more than 10,000 publicly accessible servers remained vulnerable. This is what the LockBit ransomware took advantage of to breach the systems of several major companies, steal data, and encrypt files.<\/p>\n

Among the big-name victims was Boeing<\/a>, whose stolen data the attackers ended up publishing without waiting for the ransom to be paid. The ransomware also hit the Industrial and Commercial Bank of China<\/a> (ICBC), the largest commercial bank in the world.<\/p>\n

\"LockBit<\/a>

The LockBit website demands a ransom from Boeing<\/p><\/div>\n

The incident badly hurt the Australian arm of DP World<\/a>, a major UAE-based logistics company that operates dozens of ports and container terminals worldwide. The attack on DP World Australia\u2019s IT systems massively disrupted its logistics operations, leaving some 30,000 containers stranded in Australian ports.<\/p>\n

December 2023: ALPHV\/BlackCat infrastructure seized by law enforcement<\/h2>\n

\nToward the end of the year, a joint operation<\/a> by the FBI, the U.S. Department of Justice, Europol, and law enforcement agencies of several European countries deprived the ALPHV\/BlackCat ransomware group of control over its infrastructure. Having hacked it, they quietly observed the cybercriminals\u2019 actions for several months, collecting data decryption keys and aiding BlackCat victims.<\/p>\n

In this way, the agencies rid more than 500 organizations worldwide of the ransom threat and saved around $68 million in potential payouts. This was followed in December by a final takeover of the servers, putting an end to BlackCat\u2019s operations.<\/p>\n

\"The<\/a>

The joint law enforcement operation to seize ALPHV\/BlackCat infrastructure. Source<\/a><\/p><\/div>\n

Various statistics about the ransomware group\u2019s operations were also made public. According to the FBI, during the two years of its activity, ALPHV\/BlackCat breached more than a thousand organizations, demanded a total of more than $500 million from victims, and received around $300 million in ransom payments.<\/p>\n

How to guard against ransomware attacks<\/h2>\n

\nRansomware attacks are becoming more varied and sophisticated with each passing year, so there isn\u2019t (and can\u2019t be) one killer catch-all tip to prevent incidents. Defense measures must be comprehensive. Focus on the following tasks:\n<\/p>\n