{
	"id": "a0d8cde9-526f-48c0-9605-9ace3627ef31",
	"created_at": "2026-04-06T01:30:58.595021Z",
	"updated_at": "2026-04-10T03:25:35.724624Z",
	"deleted_at": null,
	"sha1_hash": "bf8388a6527c9f5337100b34c1933ac8f55e80b5",
	"title": "Incident Response trends Q2 2023: Data theft extortion rises, while healthcare is still most-targeted vertical",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 143062,
	"plain_text": "Incident Response trends Q2 2023: Data theft extortion rises, while\r\nhealthcare is still most-targeted vertical\r\nBy Nicole Hoffman\r\nPublished: 2023-07-26 · Archived: 2026-04-06 00:29:50 UTC\r\nWednesday, July 26, 2023 08:00\r\nCisco Talos Incident Response (Talos IR) responded to a growing number of data theft extortion incidents that did\r\nnot involve encrypting files or deploying ransomware, a 25 percent increase since last quarter and the most-observed threat in the second quarter of 2023.\r\nIn this type of attack, threat actors steal victim data and threaten to leak or sell it unless the victim pays varying\r\nsums of money, eliminating the need to deploy ransomware or encrypt data. This differs from the double-extortion\r\nransomware method, whereby adversaries exfiltrate and encrypt files and demand payment for victims to receive a\r\ndecryption key.\r\nRansomware was the second most-observed threat this quarter, accounting for 17 percent of engagements, a slight\r\nincrease from last quarter’s 10 percent. This quarter featured the LockBit and Royal ransomware families, which\r\nTalos IR has observed in previous quarters. Talos IR also observed several ransomware families for the first time,\r\nincluding 8Base and MoneyMessage.\r\nCompromised credentials or valid accounts were the top observed means of gaining initial access this quarter,\r\naccounting for nearly 40 percent of total engagements. 
It was challenging to identify how the credentials were\r\ncompromised considering they were obtained from devices outside the company’s visibility, such as saved\r\ncredentials on an employee’s personal device.\r\nContinuing the trend from last quarter, healthcare was the most targeted vertical this quarter, making up 22 percent\r\nof the total number of incident response engagements, closely followed by financial services.\r\nhttps://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/\r\nPage 1 of 6\n\nData theft extortion on the rise, featuring Clop, Karakurt and RansomHouse\r\nData theft extortion was the top observed threat this quarter, accounting for 30 percent of threats Talos IR\r\nresponded to, a 25 percent increase in data theft extortion incidents compared to last quarter. The rise in data theft\r\nextortion incidents compared to previous quarters is consistent with public reporting on a growing number of\r\nransomware groups stealing data and extorting victims without encrypting files and deploying ransomware.\r\nData theft extortion is not a new phenomenon, but the number of incidents this quarter suggests that financially\r\nmotivated threat actors are increasingly seeing this as a viable means of receiving a final payout. Carrying out\r\nransomware attacks is likely becoming more challenging due to global law enforcement and industry disruption\r\nefforts, as well as the implementation of defenses such as increased behavioral detection capabilities and endpoint\r\ndetection and response (EDR) solutions.\r\nThis quarter featured activity from the RansomHouse and Karakurt extortion groups for the first time in Talos IR\r\nengagements. Active since 2021, Karakurt typically gains access to environments via valid accounts, phishing, or\r\nexploiting vulnerabilities. 
In one observed Karakurt data theft extortion engagement, the attackers hijacked a\r\nremote desktop protocol (RDP) account, enumerated domain trusts using the network administration command-line tool nltest, executed PowerShell scripts to recover passwords, and modified domain policies.\r\nRansomHouse has been active since late 2021 and is known for gaining access to corporate environments by\r\nexploiting vulnerabilities. In a RansomHouse engagement, the adversaries used non-interactive sessions to bypass\r\nmulti-factor authentication (MFA), carried out a DCSync attack to collect credentials from a domain controller,\r\nand abused remote services such as secure shell (SSH) and RDP to move laterally. A DCSync attack occurs when\r\nattackers use various commands in Microsoft Directory Replication Service (DRS) Remote Protocol to\r\nmasquerade as a domain controller to acquire user credentials from another domain controller. An attacker first\r\nneeds to compromise a user account with domain replication privileges, which are typically domain admins.\r\nSome ransomware groups, such as BianLian and Clop, are reportedly shifting away from using encryption,\r\nfavoring data theft extortion in recent attacks, according to public reporting. Although Talos IR did not respond to\r\nany BianLian incidents this quarter, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a\r\njoint advisory on May 16 with the FBI and the Australian Cyber Security Centre (ACSC) confirming that as of\r\nJanuary, the BianLian group stopped conducting ransomware operations in favor of performing exfiltration-based\r\ndata theft extortion. BianLian group’s shift from deploying ransomware may also be due to the release of a free\r\ndecrypter for BianLian ransomware in January 2023, possibly prompting them to pursue alternate methods. 
It is\r\npossible BianLian determined they could be successful without the use of data encryption in their operations.\r\nActive since February 2019, the Clop group started as a ransomware-as-a-service (RaaS) operation with an\r\naffiliate program that relied on the double extortion technique involving stealing and encrypting data. With the rise\r\nin data theft extortion incidents this quarter, it is possible the trend will continue, with other groups who primarily\r\ndeploy ransomware shifting to data theft extortion as a primary means of receiving a payout.\r\nIn a Clop data theft extortion engagement this quarter, the adversaries gained initial access by exploiting a zero-day remote code execution (RCE) vulnerability in the Fortra GoAnywhere managed file transfer (MFT)\r\napplication, tracked as CVE-2023-0669. Notably, the affiliate did not deploy ransomware and only conducted data\r\ntheft extortion upon exfiltrating victim information. The Clop ransomware group has a history of mass\r\nexploitation of zero-day vulnerabilities in campaigns targeting file transfer applications, affecting hundreds of\r\ncompanies globally. This includes several zero-day vulnerabilities in the Kiteworks, formerly Accellion, file\r\ntransfer application (FTA), tracked as CVE-2021-27101, CVE-2021-27102, CVE-2021-207103, and CVE-2021-27104,\r\nand a SQL injection vulnerability in Progress Software’s MFT application known as MOVEit Transfer,\r\ntracked as CVE-2023-34362. U.S. law enforcement has taken notice and increased pressure on the group, offering\r\na $10 million reward for information on the identification or location of Clop members.\r\nIt is highly unusual for a ransomware group to consistently exploit zero-day vulnerabilities, given the resources\r\nrequired to develop such exploits, possibly suggesting that the Clop ransomware group possesses a level of\r\nsophistication and funding matched only by advanced persistent threats (APTs). 
Given the group’s incorporation\r\nof zero-days in MFT applications in recent attacks, and the group’s perceived success in affecting hundreds of\r\norganizations, Clop is likely to target MFT applications in the future.\r\nRansomware\r\nRansomware accounted for 17 percent of the total number of engagements responded to in Q2 2023 (April - June),\r\na slight increase compared to 10 percent last quarter. 8Base and MoneyMessage ransomware operations were\r\nobserved for the first time this quarter, in addition to the previously seen ransomware operations LockBit and\r\nRoyal.\r\nFirst discovered in March 2022, 8Base is a ransomware group/operation that uses a customized version of Phobos\r\nransomware and steals data prior to encryption. Although the group has been around for over a year, it started\r\ngaining increasing popularity in June 2023 after a significant spike in activity.\r\nIn an 8Base ransomware engagement, the legitimate remote desktop application AnyDesk was installed in the\r\nPerformance Logs (Perflogs) directory, potentially as a way to evade detection. The Perflogs folder is a system-generated folder that stores information about the performance of the device. The attackers were also observed\r\ndumping credentials from the Local Security Authority Subsystem Service (LSASS) memory, creating new\r\nprocesses with an existing user token to bypass access controls, escalating privileges using the runas command,\r\nand using the Windows command shell to execute PowerShell scripts.\r\nMoneyMessage is a fairly new ransomware operation that was first discovered in March 2023. Similar to 8Base,\r\nthe MoneyMessage ransomware group operates under the double-extortion model. 
MoneyMessage is a\r\nransomware family written in the C++ programming language and uses the Elliptic Curve Diffie-Hellman\r\n(ECDH) key exchange and ChaCha stream cipher algorithm for encryption, both of which are commonly used by\r\nransomware families.\r\nTalos IR responded to a MoneyMessage ransomware attack where the MoneyMessage encryptor was dropped in\r\nthe Netlogon directory, allowing for the deployment of the ransomware to multiple hosts. Prior to executing\r\nransomware, the attackers also uninstalled various security tools, such as EDR solutions, via PowerShell scripts to\r\nimpair defenses.\r\nInitial vectors\r\nIn the majority of the engagements Talos IR responded to this quarter, adversaries gained initial access by abusing\r\ncompromised credentials to access valid accounts. The use of valid accounts was observed in nearly 40 percent of\r\nthe total engagements, a 22 percent increase from Q1 2023.\r\nIt is difficult to say how adversaries obtained the compromised credentials used to access valid accounts. There\r\nare a number of ways credentials can become compromised, such as third-party data breaches, information-stealing malware such as Redline, and phishing campaigns. This is especially true if employees reuse credentials\r\nacross multiple accounts, highlighting the importance of using strong password policies and enabling MFA across\r\ncritical servers.\r\nSecurity weaknesses\r\nA lack of MFA or improper MFA implementation across critical services played a part in over 40 percent of the\r\nengagements Talos IR responded to this quarter. Talos IR frequently observes attacks that could have been\r\nprevented if MFA was enabled on critical services, such as VPNs. In nearly 40 percent of engagements, attackers\r\nwere able to abuse compromised credentials to access valid accounts, 90 percent of which did not have MFA\r\nenabled. 
In some engagements, adversaries were able to bypass MFA with MFA exhaustion/fatigue attacks.\r\nMFA exhaustion attacks occur when an attacker attempts to repeatedly authenticate to a user account with valid\r\ncredentials to overwhelm victims with MFA push notifications, hoping they will eventually accept, allowing the\r\nattacker to successfully authenticate into the account. Identification and user education are key parts of countering\r\nMFA bypass techniques. Organizations should ensure employees are aware of who to contact in these situations to\r\ndetermine if the event was a technical issue or malicious in nature.\r\nTalos IR recommends disabling VPN access for all accounts that do not have MFA enabled. Additionally, Talos IR\r\nrecommends expanding MFA for all user accounts (e.g., employees, contractors, business partners, etc.). Talos IR\r\nhas repeatedly seen attackers targeting vendor and contractor accounts (VCAs), which typically have expanded\r\nprivileges and access. VCAs are often overlooked during account audits due to trust placed in the third party,\r\nmaking them an easy target for attackers. Talos IR recommends disabling VCAs when they are not needed,\r\nimplementing least privilege access, and validating that logging and security monitoring are enabled for VCA\r\naccounts.\r\nTalos IR also recommends organizations perform a password audit across all user and service accounts to ensure\r\ncomplexity and strength are aligned with the industry best practices per account type (e.g., privilege, service, user,\r\netc.) to prevent password enumeration techniques, such as password spraying.\r\nTop-observed MITRE ATT\u0026CK techniques\r\nThe table below represents the MITRE ATT\u0026CK techniques observed in this quarter’s IR engagements, which\r\nincludes relevant examples and how often Talos IR saw each technique in engagements. 
Given that some techniques can fall\r\nunder multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note\r\nthis is not an exhaustive list.\r\nKey findings from the MITRE ATT\u0026CK framework include:\r\nThe use of valid accounts was the top observed initial access technique, accounting for nearly 40 percent of\r\nthe total number of engagements.\r\nObserved in over 50 percent of engagements this quarter, PowerShell is a dynamic command line utility\r\nthat continues to be a popular choice for adversaries, likely for a number of reasons, including\r\nstealth, convenience and vast IT administration capabilities.\r\nIn 26 percent of engagements this quarter, Talos IR observed attackers abusing remote services, such as\r\nRDP and SSH, to facilitate lateral movement.\r\nThe top persistence mechanism observed this quarter was the abuse of Windows Task Scheduler to create\r\nscheduled tasks, allowing adversaries to execute programs or commands at scheduled times or at system\r\nstartup.\r\nTactic | Technique | Example\r\nInitial Access (TA0001) | T1078 Valid Accounts | Adversary leveraged stolen or compromised credentials.\r\nExecution (TA0002) | T1059.001 Command and Scripting Interpreter: PowerShell | Executes PowerShell code to retrieve information about the client’s Active Directory environment.\r\nPersistence (TA0003) | T1053.005 Scheduled Task/Job: Scheduled Task | Scheduled tasks were created on a compromised server to execute malware during startup.\r\nDefense Evasion (TA0005) | T1562.001 Impair Defenses: Disable or Modify Tools | Uninstall security tools to evade detection.\r\nCredential Access (TA0006) | T1003.006 OS Credential Dumping: DCSync | Use DCSync attack to gather credentials for privilege escalation routines.\r\nLateral Movement (TA0008) | T1563.002 Remote Services Session: RDP Hijacking | Adversary compromised an existing user’s Remote Desktop Protocol session.\r\nImpact (TA0040) | T1486 Data Encrypted for Impact | Deploy ransomware and encrypt critical systems.\r\nSoftware/Tool | S0359 Nltest | Enumerate remote domain controllers with Nltest.\r\nSource: https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/"
	],
	"report_names": [
		"talos-ir-q2-2023-quarterly-recap"
	],
	"threat_actors": [
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "921cea27-4410-42e4-8c11-7d40ba313225",
			"created_at": "2023-01-06T13:46:39.375789Z",
			"updated_at": "2026-04-10T02:00:03.307063Z",
			"deleted_at": null,
			"main_name": "RansomHouse",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHouse",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439058,
	"ts_updated_at": 1775791535,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bf8388a6527c9f5337100b34c1933ac8f55e80b5.pdf",
		"text": "https://archive.orkl.eu/bf8388a6527c9f5337100b34c1933ac8f55e80b5.txt",
		"img": "https://archive.orkl.eu/bf8388a6527c9f5337100b34c1933ac8f55e80b5.jpg"
	}
}