Ransomware Surges in Nuspire’s Q2 2023 Threat Report

Nuspire’s latest threat report, which analyzes threat data from Q2 2023, reveals a jump in ransomware activity. In fact, the report identified a whopping 65% increase in activity from CL0P, an emerging player among the top ransomware groups.  

During a recent webinar, Josh Smith, Cyber Threat Analyst, and Justin Heard, Director of Threat Intel & Hunting, highlighted their core discoveries and dove into actionable recommendations, empowering organizations to fortify their defenses. Read on to get the key takeaways from their presentation and report.

Malware: Decrease in overall activity, but rise in ransomware

Q2 By the Numbers
  • 1,831,784 total malware detections
  • 563 unique variants detected
  • 152,648 detections per week
  • 21,806 detections per day
  • -45.51% decrease in total activity from Q1

JavaScript variants continued to dominate in Q2 2023, nearly doubling the activity Nuspire clocked in Q1.  

“It’s important to note that JavaScript isn’t a favorite tool of threat actors,” said Josh. “However, with Microsoft’s blocking of macros earlier this year, adversaries had to find other tactics to conduct their attacks, hence the rise in JavaScript variants.”   

The most notable finding in the malware space was the jump in ransomware attacks. According to Josh, Nuspire saw an 18% increase in ransomware extortion publications (which signals a successful attack).  

“CL0P ransomware has always made a little bit of noise, but in Q2, it became a key ransomware player with the emergence of the MOVEit Transfer vulnerability,” said Josh. “Our research shows a 65% jump in CL0P activity.”  

When it comes to malware mitigation, Justin emphasized the importance of using endpoint protection platforms. 

“Response is a critical part of maintaining a strong security posture,” said Justin. “By implementing endpoint protection like an EDR solution, security teams can respond more quickly and accurately to real threats.”   

Botnets: Remote access trojan (RAT) activity on the rise

Q2 By the Numbers
  • 1,357,516 total botnet detections
  • 31 unique botnets detected
  • 113,126 detections per week
  • 16,160 detections per day
  • 15.76% increase in total activity from Q1

The findings from Nuspire’s analysis underscore Torpig Mebroot’s sustained prominence as the most prevalent botnet. Intermittent activity surges have characterized its operational patterns; however, for the most part, Nuspire has seen a consistent level of detection rates. Notably, the observed increase from Q1 to Q2 registered a modest 1.37%, indicative of Torpig’s resilience and uninterrupted operations.  

A newer botnet, introduced last quarter, also maintained its place at the top of the list: NetSupport RAT.

NetSupport RAT (remote access trojan) operates with a dual purpose: it functions as a legitimate remote administration system and serves as a potential botnet for malicious activities. It provides an array of features, including real-time screen control, file management, registry modification and remote command execution—capabilities that cybercriminals exploit. Typically disseminated through phishing emails, malicious attachments or compromised websites, this trojan empowers attackers with extensive control over infected machines, essentially mimicking the privileges of a physically present user. 

“What makes NetSupport RAT particularly insidious is that NetSupport is a real tool, giving threat actors an added layer of disguise,” Josh said.  

To combat botnets like Torpig Mebroot and NetSupport RAT, threat intelligence is invaluable.  

“Threat intelligence offers essential insights into botnet command-and-control architectures, enabling your organization to detect any communication with unauthorized entities,” said Justin. “Given that botnet interactions occur after infection, recognizing network traffic directed toward malicious destinations provides the opportunity to implement effective countermeasures.” 
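The post-infection C2 detection Justin describes, as an added example that is not from the report or the webinar: a constructed indicator feed (placeholder domain and an RFC 5737 documentation range, not real C2 infrastructure) is matched against constructed proxy/flow log lines, and hosts whose contacts with a listed destination recur at a fixed interval are flagged as beacon-like.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed threat-intel feed: placeholder indicators, not real C2 infrastructure.
C2_DOMAINS = {"update-check.example.invalid"}
C2_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # RFC 5737 documentation range
# Constructed proxy/flow log lines: timestamp, source host, destination, destination port.
SAMPLE_LOG = """\
2023-06-01T10:00:00 ws-017 203.0.113.5 443
2023-06-01T10:00:05 ws-017 update-check.example.invalid 443
2023-06-01T10:05:05 ws-017 update-check.example.invalid 443
2023-06-01T10:10:05 ws-017 update-check.example.invalid 443
2023-06-01T10:02:00 ws-042 198.51.100.77 8080
2023-06-01T10:03:00 ws-099 203.0.113.9 80
"""

def is_c2_destination(dst: str) -> bool:
    """True when the destination matches the feed by domain or falls inside a listed CIDR block."""
    if dst.lower() in C2_DOMAINS:
        return True
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:  # a hostname that is not on the domain list
        return False
    return any(addr in net for net in C2_NETWORKS)

def find_c2_contacts(log_text: str) -> dict:
    """Map each internal host to the timestamps of its contacts with known-bad destinations."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, _port = line.split()
        if is_c2_destination(dst):
            hits[src].append(datetime.fromisoformat(ts))
    return dict(hits)

def beacon_interval(timestamps, tolerance=5.0):
    """Average gap in seconds when contacts are evenly spaced (beacon-like), else None."""
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = sum(gaps) / len(gaps)
    return avg if all(abs(g - avg) <= tolerance for g in gaps) else None

def triage(log_text: str) -> dict:
    """Per host: count of C2 contacts plus a beacon interval when the timing is periodic."""
    return {src: {"contacts": len(t), "beacon_seconds": beacon_interval(t)}
            for src, t in find_c2_contacts(log_text).items()}
```

A single contact (ws-042) is still worth an alert; the interval check only adds confidence that ws-017's 300-second cadence is automated rather than a one-off lookup.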

Exploits: Activity drops by more than 50%

Q2 By the Numbers
  • 119,584,784 total exploit detections
  • 290 unique exploits detected
  • 9,965,398 exploits detected per week
  • 1,423,628 exploits detected per day
  • -52.9% decrease in total activity from Q1

Exploits dropped by nearly 53% in Q2; however, given the dramatic rise in exploit activity in Q1, it’s unsurprising to see a decrease like this, according to Josh.  

Brute forcing continues to be the most popular exploit by a significant margin, followed by Apache Log4j.

“Threat actors are always angling to get more bang for their buck, which is why they like to exploit vulnerabilities in products with large market share,” said Josh. “Apache products are used by around 31% of worldwide websites, and that means a lot of potential targets. This is why security teams must patch immediately, because threat actors are already trying to exploit the vulnerability.”

Industry Spotlight: Financial Services

Ransomware attacks stand as a leading menace to the financial sector. These financially motivated assaults wreak havoc on operations, erode client and public confidence, and potentially lead to data loss. Notably, there was a 43% surge in ransomware extortion incidents targeting financial institutions between Q1 and Q2. 

Financial services organizations must familiarize themselves with the mechanics of ransomware attacks—their life cycle, detection methods and preemptive measures to thwart encryption. Once encryption and ransom notes manifest, it’s already too late. By then, attackers have harvested data and commenced encryption for maximum impact.  

But how do these ransomware operators execute their assaults? The following steps delineate a standard attack pattern: 

  • Discovery: Ransomware operators search for vulnerabilities and exposed entry points, targeting specific organizations or opportunistic weaknesses. 
  • Initial Access: Attackers exploit vulnerabilities, brute force logins or use stolen credentials to gain initial entry. Malware may also be introduced. 
  • Persistence/Escalate Privileges: Attackers establish a foothold, connecting with their control systems. They seek administrative access and exploit internal software vulnerabilities. 
  • Lateral Movement: With persistence secured, attackers spread within the network, exploiting weaknesses, utilizing existing accounts and establishing additional footholds. 
  • Data Exfiltration: Ransomware operators steal data, threatening public release unless demands are met. Large data amounts are transferred, setting the stage for encryption. 
  • Execution: Attackers initiate encryption, impacting users and displaying ransom notes. Public extortion notes are posted on their platform. 
  • The Fallout: Incident response commences. Options include restoring backups, ransom payment or accepting data loss. Operations resume after system restoration.

If you’d like to watch the webinar, you can access it on demand.

You can download the full report to review Nuspire’s Q1 2023 threat data and analysis.
