Ransomware Retrospective 2024: Unit 42 Leak Site Analysis

A pictorial representation of ransomware leak site data tracked by Unit 42. A hand offers money to another hand holding keys. In the background is a computer screen with the biohazard symbol on it.

This post is also available in: 日本語 (Japanese)

Executive Summary

The ransomware landscape experienced significant transformations and challenges in 2023. The year saw a 49% increase in victims reported by ransomware leak sites, with a total of 3,998 posts from various ransomware groups.

What drove this surge of activity? 2023 saw high-profile vulnerabilities like SQL injection for MOVEit and GoAnywhere MFT services. Zero-day exploits for these vulnerabilities drove spikes in ransomware infections by groups like CL0P, LockBit and ALPHV (BlackCat) before defenders could update the vulnerable software.

Leak site data reveals at least 25 new ransomware groups emerged in 2023, indicating the continued attraction of ransomware as a profitable criminal activity. Despite the appearance of new groups such as Darkrace, CryptNet and U-Bomb, many of these new ransomware threat actors did not last and disappeared during the second half of the year.

2023 was an active year for international law enforcement agencies as they intensified their focus on ransomware. This focus led to the decline of groups like Hive and Ragnar Locker, and the near-collapse of ALPHV (BlackCat). Law enforcement actions in 2023 reflect the increasing challenges faced by ransomware groups.

Ransomware threat actors targeted a wide range of victims with no preference for specific industries.

Leak site data collected by Unit 42 indicates that manufacturing was the most affected industry in 2023, signaling significant vulnerabilities in this sector. Although organizations from at least 120 different countries have been impacted by ransomware extortion, the U.S. stood out as the primary target of ransomware. 47% of ransomware leak site posts in 2023 revealed victim organizations based in the U.S.

Palo Alto Networks customers are better protected from the threats discussed in this article through our Next-Generation Firewall with Cloud-Delivered Security Services, including Advanced WildFire, DNS Security, Advanced Threat Prevention and Advanced URL Filtering.

Cortex Xpanse can be used to detect vulnerable services. Cortex XDR and XSIAM customers have been protected from all known active ransomware attacks of 2023 out of the box, without additional protections having to be added to the system. The Anti-Ransomware Module helps prevent encryption behavior, local analysis helps prevent the execution of ransomware binaries, and Behavioral Threat Protection helps prevent ransomware activity. Prisma Cloud Defender Agents can monitor Windows VM instances for known malware.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics Ransomware
Ransomware Groups Discussed ALPHV, Akira, CL0P, Hive, LockBit 3.0, Play, Ransomed, Royal, ThreeAM, Trigona, Vice Society

Table of Contents

Leak Sites and Our Dataset
Key Findings
Critical Vulnerabilities
Newcomers in 2023
Goners in 2023
Hive
Ragnar Locker
RansomedVC
Trigona
ALPHV (Blackcat): Almost a Goner
Possible Rebrands
Leak Site Statistics for 2023
Group Distribution
Monthly and Weekly Averages
Affected Industries
Geographic Impact
Conclusion
Protections and Mitigations
Additional Resources

Leak Sites and Our Dataset

Analysis for this article is based on data from ransomware leak sites, sometimes known as dedicated leak sites and abbreviated as DLS.

Ransomware leak sites first appeared in 2019, when Maze ransomware began using a double extortion tactic. Stealing a victim’s files before encrypting them, Maze was the first known ransomware group to establish a leak site to coerce a victim and release stolen data.

These threat actors pressure victims to pay – not only to decrypt their files, but to prevent the attackers from publicly exposing their sensitive data. Since 2019, ransomware groups have increasingly adopted leak sites as part of their operations.

Our team monitors data from these sites, often accessible through the dark web, and we review this data to identify trends. Since leak sites are now commonplace among most ransomware groups, researchers often use this data to determine overall levels of ransomware activity and pinpoint the date a specific ransomware group was first active.

However, defenders should use leak site data with caution because it might not always reflect actuality. A ransomware group might start without a leak site as it builds its infrastructure and expands operations. Furthermore, if a victim offers immediate payment, the ransomware incident might not appear on a group’s leak site. As a result, leak sites do not always provide a clear or accurate picture of a ransomware group's activities. The true scope of ransomware's impact might be different from what these sites suggest.

Despite these drawbacks, data pulled from ransomware leak sites provides valuable insight on the state of ransomware operations in 2023.

Key Findings

The dataset we have compiled reveals the rise and fall of ransomware groups in 2023, along with affected industries and geographical distribution of attacks. Most importantly, the volume of ransomware activity reflects the large-scale impact of zero-day exploits targeting critical vulnerabilities.

Critical Vulnerabilities

In 2023, we observed 3,998 posts from ransomware leak sites, compared to 2,679 posts in 2022. This marks approximately a 49% increase for the year as illustrated below in Figure 1.

Image 1 is a column graph comparing ransomware leak site reports from 2022 to 2023. There were 2,679 instances in 2022. There were 3,998 in 2023.
Figure 1. Comparison of ransomware leak site posts in 2022 and 2023.

The increase in activity can likely be attributed to zero-day exploits targeting critical vulnerabilities such as CVE-2023-0669 for GoAnywhere MFT or CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708 for MOVEit Transfer SQL Injection.

CL0P has taken credit for exploiting the MOVEit transfer vulnerability. In June 2023, the U.S. Cybersecurity and Infrastructure Agency (CISA) estimated TA505, a group known for leveraging CL0P ransomware, has compromised more than 3,000 US-based organizations and approximately 8,000 victims globally. The scale of these attacks forced vulnerable organizations to shorten their response times so they could effectively counter the threat. However, the sheer volume of data from compromised websites also forced ransomware groups to adapt.

For example, the CL0P ransomware group updated its extortion tactics in 2023. By midyear, CL0P was leveraging torrents to distribute stolen data – a quicker and more efficient method than hosting stolen data on the group’s Tor website. We previously reported this activity in September 2023, and our article provides notable insight on recent CL0P ransomware operations.

CL0P was not the only group exploiting critical vulnerabilities. Ransomware groups like LockBit, Medusa, ALPHV (BlackCat) and others leveraged a zero-day exploit for the Citrix Bleed vulnerability CVE-2023-4966, which led to numerous compromises by these groups in November 2023.

When reviewing the number of compromises reported by ransomware leak sites in 2023 on a month-by-month basis, we find increased compromises during certain months as shown below in Figure 2. These increases loosely align with the dates ransomware groups began exploiting specific vulnerabilities.

Image 2 is a bar graph comparing monthly counts of leak site posts by ransomware groups in 2023. Included are specific vulnerabilities. These include GoAnywhere, PaperCut CVE-2023-27350, MOVEit and Citrix Bleed.
Figure 2. Bar graph showing monthly count of ransomware leak site reports in 2023.

Not all ransomware threat actors are capable of leveraging zero-day vulnerabilities. Some ransomware groups are run by inexperienced threat actors who will leverage anything at their disposal.

For example, an unknown ransomware group targeted VMware ESXi environments during a campaign nicknamed ESXiArgs. This campaign exploited CVE-2021-21974, a vulnerability already two years old at the time of the attacks.

According to CISA, ESXiArgs impacted over 3,800 servers. These types of campaigns are usually not posted on ransomware leak sites because the threat actors are interested in a quick payout instead of extorting victims for maximum impact or selling their data. Even though these groups use older exploits, their campaigns can have as much impact as efforts by more experienced ransomware threat actors.

But experienced or not, ransomware threat actors have come and gone in the evolving threat landscape. Let's review the new ransomware threat actors seen in 2023.

Newcomers in 2023

Due to high payouts by victims in recent years, cybercriminals are often enticed by the idea of ransomware as a source of revenue. As these criminals form new ransomware groups, not every attempt is successful or sustainable.

A new ransomware group must consider several challenges not applicable to other malware, such as communicating with victims and increased operational security. The public nature of ransomware operations increases their risk of detection by law enforcement agencies, security vendors and other defenders.

Ransomware groups must also consider their competition. Profit sharing, software capabilities and affiliate support can significantly impact a new group's standing in the highly competitive criminal market for ransomware.

Despite these challenges, the data reveals 25 new leak sites in 2023. These groups have at least launched a ransomware-as-a-service (RaaS) offering, hoping to become a contender in the ransomware marketplace. The names of these threat groups are shown below in Table 1.

8Base Cyclops RA Group
Abyss DarkRace Rancoz
Akira Hunters International Ransomed.Vc
BlackSuit INC Rhysida
Cactus Knight ThreeAM
CiphBit LostTrust (MetaEncryptor) Trigona
Cloak NoEscape U-Bomb
CrossLock Meow
CryptNet Money Message

Table 1. Names of 25 new leak sites for ransomware that appeared in 2023.

Of note, at least three of these sites were reported as first active sometime in 2022. But we consider these ransomware families as new in our analysis for two reasons. First, even if analysis indicates these ransomware families started operations sometime in 2022, they were all first publicly reported in 2023. Second, leak sites are necessary to become a notable player in today’s criminal ransomware market.

The three ransomware families that reportedly started in 2022 with newly established leak sites in 2023 are:

The new groups reflected by leak site data reveal a competitive criminal market for ransomware. Of the 25 groups with newly established leak sites in 2023, at least five had no new posts in the second half of 2023, indicating these groups might have shut down. Table 2 shows a list of these new ransomware leak sites that might have shut down before the end of 2023.

Group Date of Last Leak Site Post
U-Bomb March 20, 2023
CryptNet April 15, 2023
CrossLock May 2, 2023
Rancoz May 2, 2023
DarkRace June 8, 2023

Table 2. Last known date of leak site posts from five new ransomware groups in 2023.

A lack of leak site posts does not necessarily mean these groups have ceased operations. Criminals from these groups could have moved to other types of operations, retreated from public view or merged with other ransomware groups.

If some of these groups did not last the entire year, new threat actors can fill the void. The second half of 2023 revealed posts from 12 new leak sites, indicating these groups might have started later in the year, as indicated below in Table 3.

Group Date of First Leak Site Post
BlackSuit June 18, 2023
Cyclops July 4, 2023
Cactus July 17, 2023
INC Aug. 8, 2023
ThreeAM Aug. 14, 2023
LostTrust (MetaEncryptor) Aug. 16, 2023
Cloak Aug. 23, 2023
Ransomed.Vc Aug. 24, 2023
Meow Sept. 4, 2023
Knight Sept. 11, 2023
CiphBit Sept. 15, 2023
Hunters International Oct. 19, 2023

Table 3. First date of leak site posts from 12 ransomware groups in 2023.

These 25 new leak sites contributed to approximately 25% of the total ransomware posts from 2023. Of these new groups, Akira led with the most posts as illustrated in Figure 3.

First observed in March 2023, Akira has been described as a fast-growing ransomware group, and researchers have linked this group to Conti through cryptocurrency transactions associated with the Conti leadership team.

Second place in the number of leak site posts in 2023 is 8Base ransomware. 8Base is one of the ransomware groups active since 2022, but this group started publicly disclosing its victims in May 2023.

Image 3 is a column chart of post count of new 2023 ransomware leak sites. The top three posts are from Akira, 8Base, NoEscape.
Figure 3. Posts from leak sites established in 2023.

Goners in 2023

2023 saw the downfall of several prominent ransomware groups. Reasons include overexposure and aggressive tactics, which attracted the attention of law enforcement agencies and cybersecurity organizations. These ransomware groups were under a spotlight that led to increased pressure and operational challenges.

The crucial role played by international law enforcement agencies in 2023 cannot be overstated. Their increased collaborative efforts led to major successes in disrupting ransomware operations.

These actions include providing decryption keys to victims, seizing infrastructure and arresting key threat actors. Law enforcement efforts destabilized notable ransomware groups and prevented them from earning as much money. The results forced affiliates to abandon these groups and seek more profitable alternatives.

Let's review some of the notable ransomware operations that appear to have ceased activity in 2023.

Hive

One of the most prolific groups in 2022, Hive ransomware was shut down as part of a law enforcement-led operation reported in January 2023. This operation captured the group's decryption keys and offered them to victims worldwide, saving victims over $130 million in potential ransom payments.

The FBI seized Hive ransomware's main site as shown below in Figure 4. Hive affiliates scattered, and this group disappeared for the remainder of 2023.

Image 4 is a screenshot of the Tor site for Hive ransomware after it had been seized by the FBI. This hidden site has been seized. Hive logo and name. The Federal Bureau Of Investigation seized this site as part of a coordinated law enforcement action taken against Hive Ransomware. There are six logos of law enforcement agencies from around the world and multiple flags of countries.
Figure 4. Screenshot of Tor site for Hive ransomware seized by the FBI. Source: SecurityWeek.

Ragnar Locker

Ragnar Locker also felt the wrath of international law enforcement agencies. This group originally started in 2019 and had been very active since then.

In October 2023, Europol reported a coordinated international law enforcement effort that seized Ragnar Locker infrastructure, and the main perpetrator was subsequently presented to the Paris Judicial Court. Figure 5 shows a screenshot of Rangar Locker's Tor site in 2023 shortly after it was taken over by law enforcement.

Image 5 is a screenshot of the Tor site for Ragnar Locker after its seizure by law enforcement. This service has been seized as part of a coordinated international law enforcement action against the RagnarLocker group. There are many logos of law enforcement agencies from around the world.
Figure 5. Screenshot of Tor site for Ragnar Locker seized by law enforcement. Source: Europol.

Ransomed.Vc

Ransomed.Vc started operations in August 2023 and brought attention to itself by claiming responsibility for a compromise of Sony in September. Also known simply as Ransomed, this group ceased operations and put its available infrastructure up for auction near the end of October, making its success very short-lived.

The shutdown likely occurred due to law enforcement intervention. The following month, six individuals affiliated with this group were allegedly arrested.

Trigona

Trigona was another noteworthy ransomware departure in 2023. First spotted in 2022, Trigona was taken down not from law enforcement action, but from the efforts of pro-Ukrainian hacktivists.

A hacktivist group that calls itself the Ukrainian Cyber Alliance took advantage of a Critical vulnerability in Confluence and used a zero-day exploit to access Trigona's infrastructure. The hacktivist group erased all of Trigona's data, an action that ultimately led to the ransomware group's demise.

Below, Figure 6 shows a screenshot of Trigona's Tor site after it was defaced by the Ukrainian Cyber Alliance.

Image 6 is a screenshot of Trigona’s Tor site after it had been defaced by the Ukrainian Cyber Alliance. Picture of owl made out of circuits. Trigona is gone! The servers of the Trigona ransomware gang has been exfiltrated and wiped out. Welcome to the world you created for others. Hacked by Ukrainian Cyber Alliance. Disrupting Russian criminal enterprises (both public and private) since 2014.
Figure 6. Screenshot of Trigona’s Tor site defaced by the Ukrainian Cyber Alliance. Source: @vx_herm1t on X (Twitter).

ALPHV (BlackCat): Almost a Goner

Also known as BlackCat, the ALPHV group was hit hard during 2023. In December, the FBI disrupted ALPHV (BlackCat) operations and released a decryption tool that allowed compromised victims to recover their data. This was a huge setback for ALPHV, and it offered incentives to keep its criminal affiliates from being spooked by the FBI. Meanwhile, other ransomware groups like LockBit began poaching ALPHV affiliates.

The ALPHV group has since responded to the FBI disruption and fought back against law enforcement action. But if this group cannot fix its reputation, it could shut down and rebrand as a new ransomware gang.

Possible Rebrands

2023 also saw the sudden disappearance of Royal ransomware and Vice Society. Both were active in 2022 through the first half of 2023 performing multi-extortion strategies, and both have attracted the attention of law enforcement.

Royal ransomware was created by former members of Conti, and it has been involved in multiple high-profile attacks against critical infrastructure. The Royal leak site ceased operations sometime in July 2023. Various sources have reported similarities in code between Royal and the newly established BlackSuit ransomware, indicating a possible rebranding from Royal to BlackSuit.

Vice Society attracted the attention of the public and law enforcement by targeting organizations in healthcare and education. This group stopped posting on its leak site in June 2023, but Vice Society might not have completely vanished. Multiple researchers have linked Vice Society to the newly established Rhysida ransomware, suggesting a rebrand.

One of the new ransomware groups in 2023 appears to have been rebranded during the same year. Leak site data indicates Cyclops ransomware was active in July 2023, but a version 2.0 update of Cyclops was rebranded as Knight ransomware. Cyclops had no more leak site posts after July 2023, while Knight’s leak site posts started later that year in September.

Leak Site Statistics for 2023

Analyzing leak site data provides key insight into the ransomware threat. We reviewed 3,998 leak site posts from 2023, and this data suggests the most active groups, the most affected industries and areas of the world that have been hit hardest by ransomware.

Group Distribution

Of the 3,998 leak site posts from 2023, LockBit ransomware remains the most active, with 928 organizations accounting for 23% of the total.

Operating since 2019 with minimal breaks, LockBit has been the most prolific ransomware group for two years in a row now. With the downfall of groups like Conti, Hive and Ragnar Locker, LockBit has become the ransomware of choice for many threat actors who have subsequently become its affiliates.

LockBit has launched multiple variants that affect both Linux and Windows operating systems. By repurposing freely available software tools and taking advantage of LockBit’s fast encryption, affiliates can tailor ransomware operations to meet their individual needs.

Second place in leak posts was ALPHV (BlackCat) ransomware, with roughly 9.7% of the total leak site posts in 2023. Third place was CL0P ransomware, with approximately 9.1% of 2023’s posts.

CL0P is notorious for utilizing zero-day exploits of critical vulnerabilities like those for Progress Software's MOVEit and Fortra’s GoAnywhere MFT. However, the number of organizations reported by CL0P on the group's leak site might not accurately reflect the full impact of these vulnerabilities.

For example, CL0P's leak site data indicates it had compromised 364 organizations during the year, but a report analyzing CL0P's exploitation of the MOVEit vulnerability in 2023 states 2,730 organizations were affected. This is a prime example of the disparities we often find between leak site data and real-world impact.

Figure 7 illustrates the leak site post count from different ransomware families in 2023.

Image 7 is a column chart of post count of all 2023 ransomware leak site posts by group. The top three posts are from LockBit 3.0, ALPHV, Cl0p. LockBit is significantly higher than the rest.
Figure 7. Leak site posts in 2023 sorted by ransomware group.

Monthly and Weekly Averages

The 3,998 ransomware posts we reviewed mean ransomware groups generated an average of 333 posts per month in 2023. This annual number also equates to an average of almost 77 posts each week. The numbers for 2023 show a growth in ransomware activity compared to 2022.

2022 saw a total of 2,679 leak site posts with an average of 223 each month and an average of 52 each week. The annual total marks a 49% increase of ransomware leak site posts in 2023 compared to the previous year.

The number of leak site reports in 2023 was highest in July, with 495 posts. CL0P had the most posts that month, probably due to its large-scale exploitation of the MOVEit vulnerability.

According to the leak site post count, January and February were the least active months for ransomware in 2023. A line graph illustrating the occurrence of leak site posts throughout the year is shown in Figure 8.

Image 8 is a chart of leak site post counts by month through all of 2023. The highest amount is over 70 in August.
Figure 8. Ransomware leak site post distribution through 2023.

Affected Industries

Some ransomware groups might focus on specific countries or industries, but most are opportunistic and primarily concerned with making a profit. As a result, many ransomware groups compromise organizations across multiple industries.

Leak site posts in 2023 reveal the manufacturing industry was most impacted by ransomware, with 14% of the total posts as shown below in Figure 9.

Image 9 is a column chart of industries affected in 2023 by ransomware leak site posts. The top three industries are manufacturing, professional and legal services and high technology.
Figure 9. Leak site post distribution by industry in 2023.

Why was manufacturing hit the most by ransomware? Manufacturers usually have limited visibility into their operational technology (OT) systems, often lack adequate network monitoring and occasionally fail to implement best security practices.

Geographic Impact

Leak site data reveals most victims in 2023 were based in the U.S., with 47.6% of the total posts. The U.K. was second at 6.5%, then Canada at 4.6% and Germany at 4%. See Figure 10 for a pie chart showing the most affected locations.

Image 10 is a pie graph of leak site post distribution by country in 2023. The majority is the United States at 47.6%, followed by the UK at 6.5%, Canada at 4.6%, Germany at 4%, and France at 3.4%.
Figure 10. Leak site post distribution by country in 2023.

Organizations in the U.S. have been the top target of ransomware since leak sites first appeared in 2019. The U.S. presents a very attractive target, especially when examining the Forbes Global 2000, which ranks the largest companies in the world according to sales, profits, assets and market value. In 2023, the U.S. accounted for 610 of these organizations, consisting of almost 31% of the Forbes Global 2000, indicating a high concentration of wealthy targets.

While ransomware groups tend to target wealthy regions like the U.S., this threat remains a widespread global issue. Leak site data from 2023 reveals victims from at least 120 different countries across the world.

Conclusion

2023 presented a thriving and evolving ransomware landscape as reflected in posts from ransomware leak sites. Posts from these sites indicate a notable increase in activity, and this data also reflects new ransomware groups that have appeared and existing groups that have declined. Although the landscape remains fluid, law enforcement's growing effectiveness in combating ransomware signals a welcome change.

Ransomware groups such as CL0P have used zero-day exploits against newly discovered critical vulnerabilities, which represent a complex challenge for potential victims. While ransomware leak site data can provide valuable insight on the threat landscape, this data might not accurately reflect the full impact of a vulnerability. Organizations must not only be vigilant about known vulnerabilities, but they must also develop strategies to quickly respond to and mitigate the impact of zero-day exploits.

Protections and Mitigations

Palo Alto Networks customers are better protected from ransomware through the following products:

  • Advanced WildFire: The Advanced WildFire machine-learning models and analysis techniques are frequently updated with information discovered from our day-to-day research on ransomware.
  • Cortex Xpanse: Cortex Xpanse can be used to detect vulnerable services exposed directly to the internet that might be exploitable and infected by ransomware.
  • Cortex XDR and XSIAM: All known ransomware samples are prevented by the XDR agent out of the box using the following modules:
    • Anti-ransomware module to prevent encryption behaviors on Windows
    • Local Analysis prevention for ransomware binaries on Windows
    • Behavioral Threat Protection (BTP) rule helps prevent ransomware activity on Windows as well as Linux
  • Next-Generation Firewall (NGFW) with Cloud-Delivered Security Services:
    • Advanced URL Filtering and DNS Security block related malicious URLs and domains as ransomware, command and control (C2), and malware categories.
    • Advanced Threat Prevention can block ransomware threats at both the network and application layers, including port scans, buffer overflows and remote code execution.
  • Prisma Cloud: Any cloud infrastructure running Windows virtual machines (VMs) should monitor their Windows-based VMs using Cortex XDR Cloud Agents or Prisma Cloud Defender Agents. Both agents will monitor the Windows VM instances for known malware, using signatures pulled from Palo Alto Networks WildFire.

If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America Toll-Free: 866.486.4842 (866.4.UNIT42)
  • EMEA: +31.20.299.3130
  • APAC: +65.6983.8730
  • Japan: +81.50.1790.0200

Additional Resources

The following reports were referenced in this article. These can provide more insight on ransomware operations, individual ransomware families or specific operations related to ransomware in 2023.

Updated on Feb. 20, 2024 at 12:56 p.m. PT.