According to recent research, the number of ransomware attacks on businesses globally increased by about 25% in May, the highest number recorded so far this year, and the spike is attributed in part to the arrival of a new gang known as 8BASE.
One of the largest cybersecurity consulting firms in the world, NCC Group, has released a brand-new Cyber Threat Intelligence report that demonstrates that ransomware attacks were particularly prevalent in May 2023.
Compared with ransomware figures from the previous month, the May surge showed a 56% increase in the number of attacks reported.
According to the study, 436 ransomware victims were reported in May, compared to 352 in April.
Matt Hull, Global Head of Threat Intelligence at NCC Group, stated, “We continue to see heightened levels of ransomware activity in 2023, as each month surpasses the volume of attacks witnessed during the same period in the previous year.”
The new kid on the block, a group that goes by the name of 8BASE, is a part of the reason for the increase.
The gang published data from 67 victims last month, over 15% of all May victims.
The report found that Akira, a second ransomware group, also made a lot of noise among hackers in May but seems to have less of an online presence than other groups.
The study found that the gang carried out 28 attacks in May, its highest total ever and a 250% increase from the six victims it had in April. Akira was first discovered only in March.
Hull said, “The development of new ransomware groups like 8base and Akira raises equivalent worries and warrants consideration,” even though the well-known Lockbit gang is still considered the most active threat actor at present.
Despite a 27% decrease in attacks compared to April (107 victims), Lockbit 3.0 continues to be the most active threat actor in 2023, surpassing 8BASE and accounting for 18% (78 victims) of the attacks in May.
Additionally, the research team discovered several other new ransomware groups in May: BlackSuit, MalasLocker, and RAGroup.
High profile targets become the norm
In addition to the findings of the study, Hull stated that this year has also seen an increase in the number of attacks on prominent organizations.
Hull said those attacks have been predominantly driven by the Russian-speaking threat actor Cl0p, referring to this month’s Cl0p exploitation of the MOVEit file transfer system and its March zero-day attacks on the Fortra GoAnywhere file management system.
About 130 victims were claimed in the GoAnywhere attacks, while the MOVEit third-party software is currently in use in a large number of countries around the world.
As the MOVEit gang releases more victim names each day, security insiders anticipate that the number of victims will easily exceed 200, including major companies such as Shell, British Airways, Ernst & Young, NortonLifeLock, and Telos.
Hitachi, Procter & Gamble (P&G), Rubrik, Shell, and Virgin are among the GoAnywhere victims.
According to Hull, the MOVEit exploit “has led to greater public attention towards the evolving threat landscape, which contributes to a growing understanding of the severity and impact ransomware incidents can have, and why organizations must be proactive in their cyber defenses.”
What we know about 8BASE
One of the reasons cited by the intelligence report for the high number of attacks attributed to 8BASE is that a lot of the data the group released last month included attacks from April 2022.
The group’s dark leak site, as is typical, has pages for victims and downloads and rules for negotiating, and the group will only accept Bitcoin ransom payments.
Similar to the majority of other gangs, 8BASE asserts that they are “honest and simple pentesters” seeking financial gain for the greater good.
“We are straightforward and sincere pentesters,” the group stated in its “About Us” section. “We offer businesses the most loyal conditions for the return of their data.”
According to 8BASE, “this list only contains those companies that have neglected the privacy and importance of their employees’ and customers’ data.”
The Telegram channel of 8BASE, on the other hand, tells a very different story.
The group only created the account on May 15 and posts dozens of downloadable files that appear to contain troves of identifiable company records, employee IDs, driver’s licenses, and passports from South American, Panamanian, Australian, and US businesses.
The technology, agricultural, transportation, and financial sectors are among the alleged 8BASE victims, in addition to at least six law offices and legal entities.
On June 19, the Port Blue Hotel Group, a prestigious hotel chain on the Spanish coast, was named as the most recent victim on the 8BASE leak site.
The group wrote in a post, “Port Blue Hotel Group is a chain of boutique hotels in ideal places to relax.”
The group stated, “Nevertheless, they do not know how to store personal data, particularly the passports of their clients.”
8BASE claimed that “more than 300 lines of passports and other personal data were downloaded.”
The gang gave the hotel group until June 26 to pay an undisclosed ransom or else its data would be made public.
The intelligence report from NCC Group says that 8BASE typically uses “double extortion” on its victims.
Before encrypting the company’s data files and/or network servers in a double extortion attack, the hackers will break into their target and exfiltrate any sensitive information they can get their hands on.
The hackers then demand payment in exchange for the victim receiving a decryption key and the deletion of the breached data.
The method probably developed as businesses began to actively create and store backups of their network systems, which means most no longer need a decryption key to restore their data.
Even if an organization does need and negotiate for the decryption key, it may find the data irreparably damaged once restored.
Even if a ransom is paid, the hackers may still decide to publish or sell the stolen data because they can easily make copies of it for later use.
Location meets industry sector
Other trends that stood out in the research were the ways groups targeted victims based on geographic location, industry sector, and type of data.
Not surprisingly, North America claimed more than half of all victims in May, making it the most targeted region in the world.
Europe accounted for 24% of attacks and South America for 8%; the southern continent saw an 89% increase in attacks as a result of 8BASE’s fifteen victims in the region.
By industry, the industrial sector accounted for thirty percent of the total, followed by technology at fifteen percent, a threefold increase from the previous month. The remaining affected sectors were consumer cyclical industries like retail, entertainment, and real estate.
The most popular types of data for cybercriminals to go after are personally identifiable information (PII) and intellectual property (IP).