The ransomware rollercoaster continues as criminals advance their business models

Ransomware shows no signs of slowing, with ransomware activity ending 13 times higher than at the start of 2023 as a proportion of all malware detections, according to Fortinet.

Ransomware detections 1H 2023

FortiGuard Labs has documented substantial spikes in ransomware variant growth in recent years, largely fueled by the adoption of Ransomware-as-a-Service (RaaS).

However, FortiGuard Labs found that fewer organizations detected ransomware in the first half of 2023 (13%) compared to this time five years ago (22%). Despite the overall decline, organizations must keep their guard up.

This supports the trend that FortiGuard Labs has seen over the last couple of years, that ransomware and other attacks are becoming increasingly more targeted thanks to the growing sophistication of attackers and the desire to increase the return on investment (ROI) per attack. Research also found that the volume of ransomware detections continues to be volatile, closing 1H 2023 13x higher than the end of 2022 but still on a downward trend overall when comparing year-over-year.

Since its inception, Fortinet has been a core contributor of exploitation activity data in support of the Exploit Prediction Scoring System (EPSS). This project aims to leverage a myriad of data sources to predict the likelihood and when a vulnerability will be exploited in the wild. FortiGuard Labs analyzed six years of data spanning more than 11,000 published vulnerabilities that detected exploitation and found that the Common Vulnerabilities and Exposures (CVEs) categorized with a high EPSS score (top 1% severity) are 327x more likely to be exploited within seven days than any other vulnerability.

This analysis can serve as the canary in the coal mine, giving CISOs and security teams an early indication of targeted attacks against their organizations. Like the Red Zone, introduced in the last report, this intelligence can help security teams systematically prioritize patching efforts to minimize their organizations’ risk.

EPSS exploitation

The analysis by FortiGuard Labs around EPSS exploitation in the wild expands upon the efforts to define the Red Zone, which helps quantify the proportion of available vulnerabilities on endpoints that are being actively attacked. In the second half of 2022, the Red Zone was around 8.9%, meaning that about 1,500 CVEs of the more than 16,500 known CVEs were observed under attack.

In the first half of 2023, that number dropped slightly to 8.3%. The delta between the 2H 2022 and 1H 2023 is minimal and would seem to be the sweet spot for malicious actors targeting vulnerabilities on endpoints. Still, it is important to note that the number of vulnerabilities discovered, present, and exploited constantly fluctuates. These variables and the effectiveness of an organization’s patch management strategy could dramatically decrease its Red Zone surface.

For the first time in the history of the report, FortiGuard Labs tracked the number of threat actors behind the trends. Research revealed that 41 (30%) of the 138 cyberthreat groups MITRE tracks were active in the 1H 2023. Of those, Turla, StrongPity, Winnti, OceanLotus, and WildNeutron were the most active based on malware detections.

Malware families and variants exploded

In 1H 2023, FortiGuard Labs detected more than 10,000 unique exploits, up 68% from five years ago. The spike in unique exploit detections highlights the sheer volume of malicious attacks security teams must be aware of and how attacks have multiplied and diversified in a relatively short amount of time. The report also shows over a 75% drop in exploitation attempts per organization over a five-year window and a 10% dip in severe exploits, suggesting that while malicious actor exploit toolkits have grown, the attacks are much more targeted than five years ago.

In addition to the significant uptick in malware families and variants, another surprising finding is that the number of malware families that propagate to at least 10% of global organizations (a notable prevalence threshold) has doubled over the last five years. This escalation in malware volume and prevalence can be attributed to more cybercriminal and APT groups expanding operations and diversifying their attacks in recent years.

A significant focus of the last report was the surge in wiper malware largely tied to the Russian-Ukraine conflict. That increase persisted throughout 2022 but slowed over the first half of 2023. FortiGuard Labs continues to observe wipers being used by nation-state actors, although the adoption of this type of malware by cybercriminals continues to grow as they target organizations in technology, manufacturing, government, telecommunications, and healthcare sectors.

Botnets lingering in networks longer than ever

While the report finds more active botnets (+27%) and a higher incidence rate among organizations over the last half-decade (+126%), one of the more shocking findings is the exponential increase in the total number of “active days”, which FortiGuard Labs defines as the amount of time that transpires between the first hit of a given botnet attempt on a sensor and the last.

Over the first six months of 2023, the average time botnets lingered before command and control (C2) communications ceased was 83 days, representing over a 1,000x increase from five years ago. This is another example where reducing the response time is critical because the longer organizations allow botnets to linger, the greater the damage and risk to their business.

“Disrupting cybercrime is a global effort that comprises strong, trusted relationships and collaboration across public and private sectors, as well as investing in AI-powered security services that can help overwhelmed security teams coordinate actionable threat intelligence in real time across their organization. Security teams cannot afford to sit idle with targeted threats at an all-time high,” said Derek Manky, Chief Security Strategist & Global VP Threat Intelligence, FortiGuard Labs.