{
	"id": "cefb5fcd-24d7-438b-858b-f2172ca680f9",
	"created_at": "2026-04-06T00:15:37.716404Z",
	"updated_at": "2026-04-10T13:12:34.456961Z",
	"deleted_at": null,
	"sha1_hash": "4496ca5e5ed6f84b91c9b595ca25ccab1dc3c541",
	"title": "Ransomware review: March 2023",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2974333,
	"plain_text": "Ransomware review: March 2023\r\nPublished: 2023-03-08 · Archived: 2026-04-05 20:11:39 UTC\r\nThreat Intelligence Team\r\nMarch 8, 2023\r\nThis article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.\r\nIt seems like LockBit wasn’t content with having us merely crown them as one of the five most serious cyberthreats facing businesses in 2023. In February, the most widely used ransomware-as-a-service (RaaS) posted a total of 126 victims on its leak site—a record high since we started tracking the leaks in February 2022.\r\nhttps://www.malwarebytes.com/blog/threat-intelligence/2023/03/ransomware-review-march-2023\r\nPage 1 of 7\n\nCompanies attacked along LockBit’s warpath last month include financial software firm ION Group and Pierce Transit, a public transit operator in Washington state. LockBit claimed that ION Group had paid the ransom and demanded $2 million from Pierce Transit.\r\nSpeaking of ransom demands, it seems like that’s another area where LockBit broke records last month.\r\nIn early February LockBit tried to get $80 million out of the UK’s Royal Mail—the largest demand since asking Continental for $50 million in 2022. 
Royal Mail rejected the demand, calling it ‘absurd’, and LockBit consequently published the files it stole from the company—but not without also leaking a chat history showing the negotiations between the two parties, which featured the unusual sight of a Royal Mail negotiator giving the feared ransomware gang the runaround.\r\nConfirmed attacks by Vice Society, the ransomware gang infamous for wreaking havoc on the education sector, reached their three-month low last month. The apparently Russian-based group tallied just two victims on its leak site in February, but—true to their modus operandi—both of them were educational institutions: Guildford County School, a specialist music academy in London, and Mount Saint Mary College, a liberal arts college in New York. Needless to say, we’re not banking on this persistent education sector threat going away anytime soon.\r\nAfter LockBit, ALPHV (aka BlackCat) and Royal again topped the list of most known victims last month. But as it turns out, these two groups have more in common than just their high placements: Both are considered big dangers to healthcare organizations. The US Department of Health and Human Services (HHS) even released a detailed report on Royal and ALPHV in mid-January 2023 outlining the dual threat to the US health sector. Last month, however, Royal and ALPHV apparently only attacked one healthcare organization between them—ALPHV’s attack on the Pennsylvania-based Lehigh Valley Health Network. Their combined 48 leaked victims last month were across a range of industries, mainly centered around manufacturing, logistics, and services. 
It just goes to show that just because ransomware is used to target one sector in one month, that doesn’t necessarily mean it won’t be used against a different industry in another month.\r\nEver since we first reported on it in November 2022, witnessing the emergence of the Play ransomware gang over the months has been one of those “Aw, they grow up so fast (and evil)” type of situations. After their surge in December, activity fell by about 76 percent in January, but it made something of a comeback last month with 11 known victims, including the City of Oakland, where an attack shut down many of the city’s services. In fact, the situation was so bad in Oakland that the Interim City Administrator declared a state of emergency shortly afterwards.\r\nNew ransomware groups\r\nMedusa\r\nNot since we introduced Royal ransomware in November 2022 have we seen a new gang burst onto the scene with as much activity as Medusa did in February. The group published 20 victims on its leak site, making it the third most active ransomware last month. Among its victims are Tonga Communications Corporation (TCC), a state-owned telecommunications company, and oil and gas regulator company PetroChina Indonesia.\r\nV is Vendetta\r\nV is Vendetta is a newcomer that published three victims in February on a site that follows the not-so-new practice of branding itself with imagery ripped from a particular mid-2000s dystopian action film. 
The site is noteworthy not only for its awful “teenager’s bedroom” design but also for using a subdomain of the Cuba ransomware dark web site.\r\nDPRK’s ransomware antics\r\nIn early February, CISA released an alert highlighting the continuous state-sponsored ransomware activities by the Democratic People’s Republic of Korea (DPRK) against organizations in the US healthcare sector and other vital infrastructure sectors.\r\nThe agencies have reason to believe cryptocurrency ransom payments from such operations support DPRK’s “national-level priorities and objectives.” The report states:\r\nThe authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments—specific targets include Department of Defense Information Networks and Defense Industrial Base member networks,\r\nIn the last few years, two new ransomware strains from DPRK have surfaced: Maui and H0lyGh0st.\r\nUS Marshals Service ransomware attack\r\nIt seems ransomware attackers are going after the big fish again.\r\nAt least, it’s been a while since a federal agency like the US Marshals Service (USMS) was hit with ransomware. In late February 2023 a threat actor managed to infiltrate the agency and get hold of sensitive information about staff and fugitives.\r\nIt’s far from rare to see a ransomware attack on governments, to be sure. State, Local, Tribal, and Territorial (SLTT) governments were hammered by ransomware throughout 2022. Attacks on the federal government, however, remain few and far between.\r\nIf there’s one thing this attack taught us, it’s that no organization is safe from ransomware—but that’s not all. 
It’s also the most eye-catching attack on the fabric of the US since the Colonial Pipeline attack by the DarkSide ransomware gang. There is no word about who is responsible for the attack or whether or not there has been a ransom demand.\r\nIf this is the work of a regular ransomware gang rather than a political statement, it’s a surprise that they’re this bold (or frankly, stupid, for thinking the federal government would ever pay them). Attacking a federal government paints a huge target on their backs.\r\nWe know there have been times where affiliates of ransomware gangs go rogue and attack an organization that’s off-limits according to the gangs’ rules—but until more information is released, many details about the USMS breach remain speculative.\r\nHow to avoid ransomware\r\nBlock common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.\r\nDetect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.\r\nStop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware.\r\nCreate offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.\r\nWrite an incident response plan. The period after a ransomware attack can be chaotic. 
Make a plan that outlines how you’ll isolate an outbreak, communicate with stakeholders, and restore your systems.\r\nSource: https://www.malwarebytes.com/blog/threat-intelligence/2023/03/ransomware-review-march-2023",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.malwarebytes.com/blog/threat-intelligence/2023/03/ransomware-review-march-2023"
	],
	"report_names": [
		"ransomware-review-march-2023"
	],
	"threat_actors": [
		{
			"id": "40ec2da8-7156-4bff-b878-41984eb70df4",
			"created_at": "2024-02-02T02:00:04.080917Z",
			"updated_at": "2026-04-10T02:00:03.555365Z",
			"deleted_at": null,
			"main_name": "Storm-0530",
			"aliases": [
				"DEV-0530",
				"H0lyGh0st"
			],
			"source_name": "MISPGALAXY:Storm-0530",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832",
				"STAC5279",
				"Vanilla Tempest",
				"Vice Society",
				"Vice Spider"
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-10T02:00:03.537352Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0cfbbc-2acf-4cc8-afe1-1859679c522c",
			"created_at": "2022-10-25T16:07:24.373716Z",
			"updated_at": "2026-04-10T02:00:04.963615Z",
			"deleted_at": null,
			"main_name": "Vendetta",
			"aliases": [
				"TA2719"
			],
			"source_name": "ETDA:Vendetta",
			"tools": [
				"AsyncRAT",
				"Atros2.CKPN",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"ReZer0",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"RoboSki",
				"Socmer",
				"Zurten"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434537,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4496ca5e5ed6f84b91c9b595ca25ccab1dc3c541.pdf",
		"text": "https://archive.orkl.eu/4496ca5e5ed6f84b91c9b595ca25ccab1dc3c541.txt",
		"img": "https://archive.orkl.eu/4496ca5e5ed6f84b91c9b595ca25ccab1dc3c541.jpg"
	}
}