In a significant shift, ransomware threat operators are abandoning their pursuit of high-profile targets in favor of smaller, less fortified organizations, according to a recent report by a cybersecurity company. The report highlights a staggering 47% surge in the number of new ransomware victims during the latter half of 2022. Many of these victims, it appears, were small businesses lacking mature cybersecurity defenses. During the first half of 2023, a noteworthy 57% of the victims attributed to the notorious LockBit gang, known for their audacious attacks on entities like the Royal Mail and Taiwan Semiconductor Manufacturing Company (TSMC), were organizations employing up to 200 personnel—meeting the criteria for small businesses as defined in the report.
Small businesses also made up nearly half (45%) of all victims of the BlackCat ransomware during the same period. The picture was different for the Clop ransomware: only 27% of its victims were small businesses, while large enterprises comprised half of its targets.
LockBit has remained the most prevalent ransomware family since 2022, affecting 26.09% of victim organizations, as per the report. Following behind were BlackCat (10.59%) and Clop (10.09%). LockBit was also behind one in every six attacks targeting US government offices in 2022.
The global landscape for ransomware attacks has changed dramatically, with the number of victim organizations surging by 45.27% in the first half of 2023 compared to the second half of 2022, reaching 2001 victims. US-based organizations bore the brunt of this surge, constituting almost half of all ransomware victims (949) in the first half of 2023, a 69.94% increase compared to the preceding six months.
During a media event titled ‘Risk to Resilience World Tour Breakfast’ on September 21, a senior threat researcher from a cybersecurity company described the shifting ransomware landscape. The researcher noted that smaller ransomware groups have proliferated, altering the dynamics considerably. He remarked, “Whereas there used to be three to five big ones and a tail, there are now three big ones and a very long tail.”
One significant factor contributing to the rise of these smaller ransomware groups has been the leak of source code used by LockBit and Conti in recent years. The leaks have enabled other threat actors to repurpose the code and create new ransomware variants, further fueling the crisis.
The researcher also highlighted a disturbing trend among ransomware groups: many are forgoing file encryption in favor of threats to expose sensitive information and publicize incidents. “There’s a tendency for new groups not to do ransomware anymore, they just hack and then extort,” the researcher explained.
The cybersecurity company’s report recorded an 11.3% increase in the number of new ransomware-as-a-service (RaaS) groups in the first half of 2023, compared to the preceding six months, reaching a total of 69 such groups.
A crucial point emphasized at the breakfast event was the need for organizations to shift their focus from mere cybersecurity to cyber-resilience. With an ever-expanding attack surface, organizations must assume that they will inevitably face cyberattacks. Consequently, there should be a heightened emphasis on incident response and recovery, with cybersecurity treated as a business risk rather than solely an IT concern.
The researcher noted a shift in the modus operandi of cybercriminals that makes ransomware attacks increasingly challenging to prevent. These threat actors now employ a variety of unconventional methods to infiltrate networks, departing from traditional social engineering tactics. The researcher summarized the evolving landscape: “Ransomware has become a hacking operation with a ransomware payload instead of just a ransomware attack.”
In this rapidly evolving landscape, organizations, especially small businesses, must remain vigilant and prioritize cyber resilience as they navigate the ever-growing threat of ransomware.
At SpearTip, we analyze the configurations and interactions of companies’ network infrastructure with the precision of a skilled penetration tester. SpearTip seeks to discover vulnerabilities in firewall systems and enables companies to dedicate their resources to evaluate and prioritize fixes. This will provide visibility of actual network gaps, including existing false negatives. SpearTip provides clear remediation steps for all uncovered weaknesses to ensure a strengthened security posture. Our assessments leave no stone unturned in examining how companies leverage their current technology. We review application and operating system access controls and analyze physical access to their systems. We conclude with detailed reports and recommendations to keep companies compliant and safe, according to industry standards. 43% of data breaches involve attacks against web applications. Companies can protect their business from breaches that originate through web applications with our array of assessments.