Nuspire’s latest threat report, which analyzes threat data from Q2 2023, reveals a jump in ransomware activity. In fact, the report identified a whopping 65% increase in activity from CL0P, an emerging player among the top ransomware groups.
During a recent webinar, Josh Smith, Cyber Threat Analyst, and Justin Heard, Director of Threat Intel & Hunting, highlighted their core discoveries and dove into actionable recommendations, empowering organizations to fortify their defenses. Read on to get the key takeaways from their presentation and report.
Q2 By the Numbers
563 unique variants detected
152,648 detections per week
21,806 detections per day
-45.51% decrease in total activity from Q1
The most notable finding in the malware space was the jump in ransomware attacks. According to Josh, Nuspire saw an 18% increase in ransomware extortion publications (which signals a successful attack).
“CL0P ransomware has always made a little bit of noise, but in Q2, it became a key ransomware player with the emergence of the MOVEit Transfer vulnerability,” said Josh. “Our research shows a 65% jump in CL0P activity.”
When it comes to malware mitigation, Justin emphasized the importance of using endpoint protection platforms.
“Response is a critical part of maintaining a strong security posture,” said Justin. “By implementing endpoint protection like an EDR solution, security teams can respond more quickly and accurately to real threats.”
Q2 By the Numbers
31 unique botnets detected
113,126 detections per week
16,160 detections per day
15.76% increase in total activity from Q1
The findings from Nuspire’s analysis underscore Torpig Mebroot’s sustained prominence as the most prevalent botnet. Its activity has shown intermittent surges, but for the most part Nuspire has observed consistent detection rates. Notably, the increase from Q1 to Q2 was a modest 1.37%, indicative of Torpig’s resilience and uninterrupted operations.
A newer botnet, introduced last quarter, also maintained its place at the top of the list: NetSupport RAT.
NetSupport RAT (remote access trojan) operates with a dual purpose: it functions as a legitimate remote administration system and serves as a potential botnet for malicious activities. It provides an array of features, including real-time screen control, file management, registry modification and remote command execution—capabilities that cybercriminals exploit. Typically disseminated through phishing emails, malicious attachments or compromised websites, this trojan empowers attackers with extensive control over infected machines, essentially mimicking the privileges of a physically present user.
“What makes NetSupport RAT particularly insidious is that NetSupport is a real tool, giving threat actors an added layer of disguise,” Josh said.
To combat botnets like Torpig Mebroot and NetSupport RAT, threat intelligence is invaluable.
“Threat intelligence offers essential insights into botnet command-and-control architectures, enabling your organization to detect any communication with unauthorized entities,” said Justin. “Given that botnet interactions occur after infection, recognizing network traffic directed toward malicious destinations provides the opportunity to implement effective countermeasures.”
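The detection Justin describes, matching post-infection network traffic against known command-and-control destinations, can be prototyped directly over firewall or proxy logs. The following is an added example, not Nuspire's code or anything from the report: it assumes a simple key=value log format, uses a constructed indicator feed with placeholder addresses from reserved documentation ranges, and goes one step beyond the quoted text by also flagging regular-interval beaconing, which can surface a C2 destination that is not yet in the intel feed.

```python
"""Added example (not from the Nuspire report): flag outbound connections to
known botnet C2 destinations and regular-interval beaconing in log lines."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed threat-intel feed. These are placeholder indicators drawn from
# reserved documentation ranges (TEST-NET-3, .invalid), not real C2 addresses.
C2_INDICATORS = {
    "ip": {"203.0.113.45"},
    "domain": {"c2.example.invalid"},
}

# Constructed firewall log lines (assumed key=value format) for the demo.
# 10.0.0.21 checks in with a known C2 IP every five minutes; 10.0.0.33
# resolves a known C2 domain once; the remaining lines are benign noise.
SAMPLE_LOGS = """\
2023-06-14T09:00:00Z src=10.0.0.21 dst=203.0.113.45 dport=443 host=-
2023-06-14T09:05:00Z src=10.0.0.21 dst=203.0.113.45 dport=443 host=-
2023-06-14T09:10:00Z src=10.0.0.21 dst=203.0.113.45 dport=443 host=-
2023-06-14T09:15:00Z src=10.0.0.21 dst=203.0.113.45 dport=443 host=-
2023-06-14T09:02:11Z src=10.0.0.33 dst=198.51.100.7 dport=443 host=c2.example.invalid
2023-06-14T09:03:40Z src=10.0.0.33 dst=192.0.2.10 dport=443 host=www.example.com
2023-06-14T09:07:02Z src=10.0.0.21 dst=192.0.2.10 dport=80 host=www.example.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) host=(?P<host>\S+)$"
)


def parse_log(text):
    """Parse the constructed log lines into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def match_indicators(events, indicators=C2_INDICATORS):
    """Return unique (src, indicator, kind) tuples for traffic hitting a known C2 indicator."""
    hits = []
    for ev in events:
        hit = None
        if ev["dst"] in indicators["ip"]:
            hit = (ev["src"], ev["dst"], "ip")
        elif ev["host"] in indicators["domain"]:
            hit = (ev["src"], ev["host"], "domain")
        if hit and hit not in hits:
            hits.append(hit)
    return hits


def find_beacons(events, min_connections=4, max_jitter_ratio=0.1):
    """Flag (src, dst, period_seconds) for pairs that connect at near-constant intervals.

    Post-infection check-ins often fire on a fixed timer. Jitter is measured as
    stdev/mean of the gaps between connections; low jitter suggests a beacon.
    """
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], ev["dst"])].append(ev["ts"])
    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            beacons.append((src, dst, round(avg)))
    return beacons


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOGS)
    for src, indicator, kind in match_indicators(evs):
        print(f"ALERT intel-match ({kind}): {src} -> {indicator}")
    for src, dst, period in find_beacons(evs):
        print(f"ALERT beacon: {src} -> {dst} every ~{period}s")
```

In practice the indicator sets would be loaded from the organization's threat-intelligence feed and the log lines streamed from the firewall or proxy; the beacon heuristic is deliberately strict (four or more connections, under 10% jitter) to keep false positives down, and both thresholds are tunable per environment.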
Q2 By the Numbers
290 unique exploits detected
9,965,398 exploits detected per week
1,423,628 exploits detected per day
-52.9% decrease in total activity from Q1
Exploits dropped by nearly 53% in Q2; however, given the dramatic rise in exploit activity in Q1, it’s unsurprising to see a decrease like this, according to Josh.
Brute forcing continues to be the most popular exploit by a significant margin, followed by Apache Log4j.
“Threat actors are always angling to get more bang for their buck, which is why they like to exploit vulnerabilities in products with large market share,” said Josh. “Apache products are used by around 31% of worldwide websites, and that means a lot of potential targets. This is why security teams must patch immediately, because threat actors are already trying to exploit the vulnerability.”
Ransomware attacks stand as a leading menace to the financial sector. These financially motivated assaults wreak havoc on operations, erode client and public confidence, and potentially lead to data loss. Notably, there was a 43% surge in ransomware extortion incidents targeting financial institutions between Q1 and Q2.
Financial services organizations must familiarize themselves with the mechanics of ransomware attacks—their life cycle, detection methods and preemptive measures to thwart encryption. Once encryption and ransom notes manifest, it’s already too late. By then, attackers have harvested data and commenced encryption for maximum impact.
But how do these ransomware operators execute their assaults? The following steps delineate a standard attack pattern:
If you’d like to watch the webinar, you can access it on demand: Watch the Webinar.
You can download the full report to review Nuspire’s Q1 2023 threat data and analysis.