{
	"id": "409386c9-381f-4bbe-a47b-95b810b470fe",
	"created_at": "2026-04-06T00:14:58.332391Z",
	"updated_at": "2026-04-10T13:12:06.872445Z",
	"deleted_at": null,
	"sha1_hash": "c195d256821ef89030023fd36b950174d98637df",
	"title": "Sekoia.io mid-2023 Ransomware Threat Landscape",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 886401,
	"plain_text": "Sekoia.io mid-2023 Ransomware Threat Landscape\r\nBy Livia Tibirna\u0026nbsp;and\u0026nbsp;Sekoia TDR\r\nPublished: 2023-09-14 · Archived: 2026-04-02 11:31:06 UTC\r\nTable of contents\r\nOverall trends related to the ransomware threat evolution\r\nA significant increase in the ransomware threat volume and intensity\r\nA heterogeneous victimology\r\nAn evolving attackers ecosystem\r\nRansomware operators activities and motivations\r\nRansomware groups’ increasing professionalisation\r\nRansomware operations expanding their attack surface\r\nRansomware groups’ development of custom tooling\r\nOld is the new trend in town\r\nNotable emerging ransomware\r\nCactus\r\n8base\r\nAkira\r\nRansomware-as-a-Service\r\nNotable Tactics, Techniques, and Procedures (TTPs)\r\nMass vulnerability exploitation for ransomware deployment and/or data theft\r\nMalvertising for initial access\r\nEncryption-based and data theft-based extortion\r\nConclusion\r\nThis blog post aims at presenting an overview of the ransomware-related threat evolution in the first half of 2023.\r\nThe observations and the analysis shared in this blog post focus on ransomware operations mostly impacting\r\ncorporate networks in lucrative campaigns.\r\nA significant increase in the ransomware threat volume and intensity\r\nThe ransomware threat landscape in the first half of 2023 was notable for its significant growth in the number of\r\nactive ransomware operations, the number of claimed attacks and the illicit transactions volume.\r\nThis is highly likely the result of multiple converging factors. First, open sources report on a record-setting\r\nnumber of ransomware attacks in S1 2023. 
Indeed, ReliaQuest reported a number of 1,378 victims claimed on\r\nransomware data-leak websites in the second quarter of 2023, which represents a 64.4% increase from the record-breaking number of victims named in Q1 2023 (838 organisations), compared to 645 victims reported in Q2 2022.\r\nSimilar trends were observed by Orange Cyberdefense, Talos, Intrinsec and Dragos. This is highly likely driven by\r\nhttps://blog.sekoia.io/sekoia-io-mid-2023-ransomware-threat-landscape\r\nPage 1 of 14\n\nthe mass adoption of the double extortion technique by a large number of emerging ransomware groups, likely\r\nleading to a greater number of ransomware groups publicly disclosing their victims’ names.\r\nFigure 1. Evolution of publicly disclosed ransomware attacks since early 2021 (Sources: Sekoia.io,\r\nReliaquest)\r\nSecond, while Chainalysis observed a significant decrease of 65% concerning the volumes of crypto transactions\r\nfor the benefit of known illicit entities in S1 2023 compared to 2022, the ransomware threat is the only form of\r\ncryptocurrency-related cybercrime to record a significant growth of extortion revenues in 2023. Chainalysis\r\nassess this is due to both the increasing incidence of Big Game Hunting (BGH) campaigns with very high initial\r\nransom demands and the proliferation of successful small attacks.\r\nThird, Sekoia.io assess the reported ransomware threat increase is due to the widespread deployment of\r\nransomware in massive campaigns of vulnerability exploitation for initial access, detailed in a dedicated section\r\nof this report.\r\nLast, this growth is highly likely due to the emergence of a growing number of new or rebranded ransomware\r\noperations. In May 2023, Kroll already reported a 56% increase in the number of unique ransomware variants\r\nobserved, compared to the previous quarter. We assess this is indicative of a highly lucrative market and is in\r\nline with the naturally upward trend of cybercrime threats at large. 
Moreover, Chainalysis assess this is\r\ncomplementary to the reversal of the 2022 downward ransomware trend notably related to the Russo-Ukrainian war started on 24 February 2022. In a 2022 report, Chainalysis reported on the majority of ransomware\r\nrevenues being related to threat actors or intrusion sets based in or affiliated with Russia. Thus, the war would\r\n“disrupt ransomware operators’ ability to conduct attacks or perhaps even their mandate for such attacks”. An\r\nanalysis of the relaunched and emerging ransomware operations in 2023 is developed in dedicated sections of this\r\nreport.\r\nMeanwhile, Avast reported a decrease in the absolute number of massively distributed ransomware attacks.\r\nAvast assess this is related to ransomware operators of massively distributed malware such as WannaCry and\r\nSTOP ransomware switching to targeted attacks.\r\nA heterogeneous victimology\r\nBased on Sekoia.io observations and open source reporting, Northern America (predominantly the United States)\r\nwas the most targeted region in the first half of 2023. It is followed by the Western European region (mostly\r\nthe United Kingdom, Germany, France, Italy), Brazil and Australia.\r\nWhile most double extortion and BGH ransomware operations avoid conducting campaigns in the Commonwealth\r\nof Independent States (CIS) region, a growing number of ransomware campaigns conducted against Russia-based\r\ncompanies was reported. One such example is the MalasLocker double extortion ransomware which emerged in\r\nApril 2023 asking victims to donate to a charity instead of paying a ransom, and whose Russia-based\r\nvictims account for 10.5%.\r\nThe professional, scientific, technical services and manufacturing sectors were reported to be the most\r\nimpacted in double extortion ransomware attacks. 
In Q2 2023, Reliaquest highlights the attackers’ shift from the\r\nmanufacturing sector (most targeted previously) to organisations that provide professional services to other\r\ncompanies. This concurs with the Kroll reporting in Q1 2023 on a 57% increase in the overall targeting of the\r\nprofessional services sector from the end of 2022, mostly propelled by ransomware attacks.\r\nAn evolving attackers ecosystem\r\nRansomware operators activities and motivations\r\nMost active double extortion ransomware in S1 2023 were reported to be LockBit, MalasLocker, BlackCat\r\nand 8base. Of them, MalasLocker and 8base are newcomers in the ransomware landscape, first reported in early\r\n2023. Sekoia.io observed the BlackCat group being in highly active development in the first half of 2023,\r\nmostly adopting novel TTPs such as the malvertising technique for initial access and the “Bring your own\r\nvulnerable driver” (BYOVD) technique.\r\nBesides the double extortion ransomware operations, the most distributed ransomware in mass campaigns\r\nwere reported to be WannaCry (18% in Q1 2023 as per Avast) and STOP ransomware (15%).\r\nSekoia.io assess most of these intrusion sets are financially motivated and conduct opportunistic attacks. Yet,\r\nMicrosoft reported on the intrusion set operating the Cuba ransomware continuing to be opportunistic and\r\nlucrative-oriented in its ransomware activities, but also being driven by espionage-related motivations in\r\nphishing campaigns impacting defense and government entities in Europe and North America notably since late\r\n2022.\r\nRansomware groups’ increasing professionalisation\r\nSince early 2023 and throughout the first half of the year, Sekoia.io observed an active development of monitored\r\nransomware operations’ arsenal. 
Indeed, our RaaS announcements monitoring routine led us to uncover the\r\nrelease of custom cryptocurrency mixing services (MedusaLocker, NoEscape), DDoS and spam services (Qilin,\r\nNoEscape), call centre services (NoEscape, Trigona, Qilin), all integrated into the RaaS kits. We assess this\r\nhighlights the increasing maturity of the concerned intrusion sets.\r\nFigure 2. A threat actor that Sekoia.io assess being a MedusaLocker representative advertises the\r\nMedusaMixer 2.0 kit on the XSS cybercrime forum\r\nRansomware operations expanding their attack surface\r\nOver the last few months, open sources reported a significant number of ransomware groups adding to their\r\nattack surface Linux and VMware ESXi servers in addition to the traditional Windows operating system.\r\nIndeed, the first Linux variant of Clop ransomware, active since 2019, was reported being leveraged in a 24\r\nDecember 2022 campaign. Of note, SentinelLabs released a free decryptor for this variant in February 2023. In\r\nFebruary 2023, the IceFire ransomware also added Linux variants to its arsenal, one year after its\r\nWindows version was first seen, as did RTM Locker and the newly released Akira ransomware. This is in\r\naddition to the release of ESXiArgs, a new ransomware specifically aimed at targeting VMware ESXi servers,\r\nwhich conducted a massive encryption campaign in early 2023. This is in line with an ongoing trend established in\r\n2022, when emerging Linux malware recorded a 50% increase and hit record numbers compared to 2021. In\r\naddition, the emergence of numerous new ESXi-based ransomware such as Cylance and Rorschach is reported to\r\nbe related to the adoption of the leaked Babuk ransomware code.\r\nSekoia.io assess with high confidence this aims at extending ransomware’s possible attack surface to\r\nconsequently expand the scope of potential victims. 
We assess advanced ransomware groups will increasingly add\r\nto their arsenal new variants aimed at targeting Linux operating systems. It is highly likely this trend will also be\r\nincreasingly adopted by smaller and relatively less skilled ransomware groups or individual actors, which\r\nwill notably continue to reuse the leaked Babuk ransomware code. Furthermore, SentinelOne assess ransomware\r\noperators will increasingly attempt to exploit application vulnerabilities for initial access, as typical vectors\r\nsuch as phishing or drive-by download are less effective in campaigns towards Linux systems.\r\nRansomware groups’ development of custom tooling\r\nAccording to Sekoia.io observations, ransomware actors show constant interest in adding custom tools and\r\nmalware to their arsenal. One such category is the exfiltration-related tools and malware stealing sensitive\r\ninformation from compromised networks, in addition to the data encryption. Additionally, Sekoia.io observed\r\nnewly launched RaaS programs such as Cyclops integrating a custom infostealer into the attack kit rented to\r\naffiliates.\r\nBesides the ransomware operations commonly using commodity infostealers, in recent months, several instances\r\nof use of custom-built data exfiltration tools in ransomware campaigns were reported in open sources. First, the\r\nVice Society ransomware group was reported deploying a custom, fully automated, PowerShell data exfiltration\r\nscript. Of note, the technique of using custom-developed PowerShell scripts was already associated with Vice\r\nSociety in the past. Second, the Play ransomware group recently developed [2] two proprietary data theft tools\r\n(Grixba and VSS Copying Tool). 
Another such example is the Blacktail ransomware group, first seen in February\r\n2023, using [1] a custom exfiltration tool for delivering the Buhti ransomware.\r\nOf note, Sekoia.io observed in the first half of 2023 a ransomware affiliate using Exmatter (BlackMatter’s\r\ncustom data exfiltration tool). The names of the victims matched victims claimed on Lockbit’s Data Leak Site several\r\ndays later. We assess this is indicative either of ransomware groups’ custom toolkit being shared or rented to other\r\nthreat actors, or of affiliates distributing ransomware in the name of several groups.\r\nThe active use of custom exfiltration tools is highly likely due to the massive adoption of the double extortion\r\ntechnique by the ransomware groups over the last couple of years, which continues in 2023, and shows the ransomware\r\nactors’ persistent interest in leveraging exfiltrated data to maximise monetisation. Also, it is highly likely related\r\nto the need to bypass existing detection solutions and speed up the data theft process before encryption.\r\nWe assess the development of custom-built exfiltration tools is indicative of the increasing maturity of\r\nransomware groups.\r\nOld is the new trend in town\r\nIn line with a trend already observed in late 2022, ransomware actors continued to reuse leaked source code of\r\nknown ransomware to launch customised encryption and/or extortion operations. For instance, advanced\r\nransomware operations launched in the first half of 2023 such as RA Group and Buhti were reported leveraging\r\nBabuk ransomware source code which leaked in June 2021.\r\nAdditionally, since early 2023, Sekoia.io observed an increasing number of ransomware emerging as variants of\r\nLockBit, Babuk or Conti, conducting encryption-only attacks and demanding relatively low ransoms. We assess\r\nwith medium confidence these ransomware operators are rather relatively unadvanced independent actors than\r\norganised groups. 
While not new, this trend is highly likely indicative of the continuous democratisation of\r\ncybercrime and of the threat actors’ persistent interest in ransomware-related activities.\r\nNotable emerging ransomware\r\nSekoia.io assess with high confidence the increase in successful ransomware attacks mentioned above, both in\r\nBGH and in relatively small campaigns, is partly due to the relaunch or emergence of multiple new\r\nransomware operations since early 2023.\r\nWhile it is certain that new threat actors continue to join the ransomware ecosystem, a great number of emerging\r\nransomware groups were reported to regroup affiliates of previously existing groups since the beginning of\r\n2023. Indeed, the NoEscape ransomware operation was reported to be a rebrand of Avaddon – a ransomware group\r\nthat shut down in 2021. Also, the 8base ransomware operation was reported to be linked either to former Dharma and\r\nPhobos affiliates or to the RansomHouse group.\r\nThis is almost certainly evidence of a quite closed ransomware ecosystem, notably that of the relatively\r\nadvanced intrusion sets targeting corporate assets. This concurs with Chainalysis’ assessment about a great\r\npart of known ransomware strains technically active throughout 2022 being carried out by the same affiliates.\r\nCactus\r\nCactus is an emerging ransomware distributed worldwide since at least March 2023. According to Coveware,\r\nCactus entered the Top 6 most distributed ransomware in Q1 2023, which suggests it was actively distributed\r\nsince its earliest weeks of activity.\r\nAccording to our observations, the ransomware is leveraged mostly in Big Game Hunting (BGH) attacks, since\r\npublicly known victims are large companies reporting annual revenues from $11.4M to $3.4B. 
Companies\r\nimpacted by Cactus ransomware campaigns reported major impacts such as network outage, sensitive data\r\nexposure, disrupted operations (delayed and canceled deliveries) and possible stock market losses.\r\nThe ransomware operators leverage the double extortion technique to put greater pressure on victims to pay the\r\nransom, threatening to release the stolen data on the ransomware’s dedicated Data Leak Site (DLS) named\r\n“Cactus Blog”. As of 21 July 2023, Sekoia.io identified 18 victims listed on the “Cactus Blog” DLS. This possibly\r\nindicates the number of victims that did not meet the attackers’ ransom demand.\r\nSekoia.io assess Cactus ransomware is an advanced and growing threat, due to its unique encryption routine\r\nand to its novel technique to avoid detection which consists in requiring a key to decrypt the binary for\r\nexecution. In addition, the adoption of the BGH and double extortion techniques by Cactus operators is highly\r\nlikely indicative of a well-structured lucrative intrusion set.\r\n8base\r\nThe 8base ransomware group was unveiled in May 2023 and rapidly became one of the most active groups within\r\nthe cybercrime landscape. Indeed, a significant spike in 8base activity was reported in May and June 2023, when\r\nit became the 4th most active group by number of victims. 8base primarily targets small and medium-sized\r\ncompanies worldwide in double extortion campaigns. Based on claimed victimology, 8base operators highly likely\r\nconduct opportunistic attacks.\r\nWhile the ransomware representatives claim they were operating since 2022, the double extortion operation\r\nknown under the name 8base was launched in the first half of 2023. 
Indeed, 8base-related resources (Twitter\r\naccount, Telegram channel and DLS) became active in mid-May 2023.\r\nSekoia.io assess the spike in the ransomware’s activity starting from May 2023 is due to the simultaneous publication\r\nof numerous victims attacked over a longer period of time.\r\nWe assess with medium confidence the continued high level of 8base ransomware activity in the months following\r\nits disclosure is due to the advancement of its operators, reportedly former members of other known\r\nransomware groups. For instance, open sources link 8base to the RansomHouse intrusion set. In addition, it was\r\nreported that a number of 8base operators are former affiliates of both Dharma and/or Phobos ransomware.\r\nCoveware assess technically advanced Dharma and/or Phobos ransomware affiliates rebranded and switched to\r\nother operations due to the decreasing payment rate of their usual targets: small enterprises. This concurs with the\r\nVMware reporting on 8base as a variant of Phobos v2.9.1 ransomware.\r\nSekoia.io assess the 8base group will maintain its high level of activity in the short and medium term. It will\r\nhighly likely pose an increasing threat to small and medium-sized companies due to the mass distribution of\r\neither its customised variant of Phobos ransomware or other available ransomware-as-a-service (RaaS).\r\nFigure 3. Cactus ransomware known victimology as of 21 July 2023\r\nAkira\r\nAs of late June 2023, Akira is one of the most active ransomware groups since its emergence in April 2023.\r\nThe Akira operators use the same-name ransomware to perform multi-level extortion during their attacks towards\r\nsmall and medium-sized companies. 
Indeed, they allegedly tailor the ransom amount depending on what the\r\nvictim intends to retrieve, i.e.:\r\nransomware decryptor and full “decryption assistance”;\r\nevidence of victim’s data removal;\r\na “report on vulnerabilities” spotted by the attackers;\r\nguarantees that attackers will not publish or sell exfiltrated data;\r\nguarantees that attackers will not attack the victim in the future.\r\nFrom Sekoia.io observations, the group initially asks for ransoms from $250,000 to $1,000,000 and then\r\nnegotiates down the amount. Sekoia.io assess this is evidence of the ever-growing attackers’ interest in\r\ncollecting the victim’s internal data when conducting ransomware attacks, as it provides additional means for\r\nmaximising the impact of an intrusion and diversifying threat actors’ revenues.\r\nThe group’s activity has been particularly intense since 21 April 2023, when Akira representatives started to publicly\r\ncommunicate about its victims on a Tor-based website and to multiply the number of claimed attacks\r\nworldwide.\r\nFigure 4. Akira ransomware’s dedicated DLS\r\nRansomware-as-a-Service\r\nIn Q1 2023, Sekoia.io observed tens of RaaS recruitment publications on cybercrime forums such as RAMP,\r\nExploit, XSS and Breached. Ransomware operators leverage these forums mostly to recruit affiliates to distribute\r\ntheir custom ransomware, but also to recruit partners with specific skills, such as domain privilege escalation,\r\nlikely to fill a skill gap within the group or for a short-term mission. They usually provide affiliates with an\r\nadvanced post-compromise kit in exchange for a ransom payment commission.\r\nHere are some of the most prominent RaaS programs launched on RAMP and XSS cybercrime forums between\r\nJanuary and June 2023:\r\nFigure 5. 
Newly launched RaaS in S1 2023. While MedusaLocker, Trigona and Qilin ransomware\r\nwere first seen in 2019 and 2022 respectively, their RaaS programs were publicly launched in 2023.\r\nThe majority of known and actively distributed ransomware that we observed launching RaaS programs on\r\ncybercrime forums in 2023 (mostly recruiting on RAMP, XSS and Exploit forums) are highly likely operated\r\nby advanced intrusion sets. Indeed, Sekoia.io observed the majority of them conducting operations against\r\nmidsize and large companies, leveraging the double extortion technique and showing continuous evolution of\r\ntheir arsenal and TTPs.\r\nSekoia.io assess with high confidence the launch of a public or a private affiliate program on top-tier\r\ncybercrime forums is indicative of a ransomware group’s advancement and suggests possible growth in the\r\nnumber of future attacks. This is highly likely due to the scaling up of campaigns by sharing resources (malware,\r\ntools, infrastructure, compromised networks, attack manuals) within a RaaS program.\r\nAdditional criteria that could be an indication of a highly active and expanding RaaS operation advertised on\r\ncybercrime forums are large forum deposits, elective membership criteria, solid infrastructure advertised by\r\nRaaS administrators, such as extortion kits and highly configurable administration panels, as well as specific\r\nindications about the expected victims’ geography, field of activity and revenue level.\r\nIt is worth mentioning that the actual number of RaaS sold on forums since early 2023 and monitored by Sekoia.io\r\nexceeds by a large margin the list above, as a great number of threat actors advertise their affiliate programs\r\nanonymously.\r\nExamples are the threat actors rtgtgth and Satana101, active on cybercrime forums in 2023. 
Sekoia.io assess\r\nwith medium confidence these threat actors conduct recruitment campaigns of partners providing initial access or\r\nleveraging them to distribute ransomware, either for a private RaaS program or a private ransomware group of\r\noperators, without identifying themselves as a known ransomware operation representative.\r\nNotable Tactics, Techniques, and Procedures (TTPs)\r\nMass vulnerability exploitation for ransomware deployment and/or data theft\r\nRansomware groups were reported to increasingly exploit known or 0day vulnerabilities in 2023. The\r\nvulnerabilities were mainly observed being exploited for initial access or access to backup/transfer servers.\r\nIndeed, we observed several ransomware and extortion groups massively exploiting vulnerabilities with\r\nautomated exploits such as ESXiArgs (reported to exploit CVE-2021-21974) and TA505.\r\nRelated to the MOVEit vulnerability, according to Kroll security researchers, the TA505 threat actors started\r\nworking on the creation of a fully automated exploit more than two years prior to the massive exploitation\r\ncampaign.\r\nFigure 6. Vulnerabilities exploited for ransomware deployment and data theft between January and\r\nJune 2023, as reported in open sources\r\nWith the opportunity to launch a fully automated exploit, the threat actor switched from the double extortion to the\r\ndata theft-only extortion technique. Sekoia.io assess this is partly related to the intention to avoid encryption\r\nproblems at scale. 
Indeed, most ransomware use symmetric encryption to encrypt files and use an asymmetric key\r\nto encrypt the symmetric key and send it to an attacker-controlled server.\r\nKey management for hundreds of victims in a few days can become challenging and encryption problems with\r\nfiles still might happen. Moreover, TA505 seems to be keen on backup/file transfer servers in the first semester of\r\n2023. Encrypting those servers might not be useful if the threat actors don’t encrypt the original files: it would\r\nonly slow the process and might discourage the victims from paying. In a rather contrasting way, the ESXi campaign\r\nencrypted the virtual machine files and had over 9000 bitcoin wallet addresses.\r\nSekoia.io assess ransomware and extortion groups will increasingly attempt to exploit known and 0day\r\nvulnerabilities for initial access, partly due to the massive impact on high-profile victims reported in the\r\nabove-mentioned campaigns.\r\nMalvertising for initial access\r\nIn June 2023, a new infection vector was reported being adopted by the BlackCat intrusion set – malvertising.\r\nAlready a common distribution method for infostealers, malvertising was also previously reported to spread several ransomware such as Royal, Magniber and\r\nREvil.\r\nThe goal of malvertising is to promote a lookalike website of a legitimate download page for a specific tool via\r\nGoogle/Bing ads. The sponsored ads are displayed on top of search results on a search engine. Threat actors hijack\r\nthis feature to make their fake websites appear before the legitimate ones in the results and increase the number of\r\npotential victims for an affordable cost.\r\nThe use of search engine ads allows the threat actors to target specific countries or regions. 
The tools they impersonate to\r\ntrick their victims into downloading infected/fake ones are often administration tools; by doing so they hope\r\nto get access to enterprise networks. They can also check the referrer when receiving a request to their\r\ninfrastructure and filter accordingly: allow it if it comes from a Google search or redirect it if it doesn’t, which\r\nalso makes it harder for security analysts to investigate the threat.\r\nSeveral intrusions using this initial access vector were reported and attributed to BlackCat ransomware affiliates.\r\nIn this campaign, the BlackCat affiliates used the SpyBoy terminator tool to kill security solutions. This tool,\r\nwhich is based on “Bring your own vulnerable driver” (BYOVD), loads a vulnerable driver into the system and\r\nuses the vulnerability in the driver to get kernel access in order to kill security solutions: anti-virus and Endpoint\r\nDetection \u0026 Response (EDR) solutions.\r\nSekoia.io assess with high confidence the malvertising technique will be increasingly adopted by ransomware\r\ngroups in the medium term.\r\nEncryption-based and data theft-based extortion\r\nA great part of newly launched ransomware groups that Sekoia.io monitors leverage the double extortion\r\ntechnique by exfiltrating data before encryption and operating a Data Leak Site. Of note, 30% of ransomware\r\ncampaigns where data was encrypted were followed by data exfiltration, based on a survey conducted by Sophos\r\nin Q1 2023.\r\nHere are some of the most prominent ransomware operations launching their own DLS since early 2023:\r\nFigure 7. 
Newly launched DLS in S1 2023\r\nOf note, Sekoia.io also monitors emerging ransomware operations, such as ARCrypter, RTM Locker and\r\nDumpLocker, claiming to exfiltrate victims’ data before encryption and threatening to sell it on cybercrime\r\nforums or to third parties instead of leaking it on a dedicated DLS.\r\nWhile a growing number of ransomware groups adopt the double extortion model, other prominent ones such as\r\nBianLian were recently reported to shift to primarily exfiltration-based extortion. Also, Reliaquest observed a\r\nsubstantial increase (20 occurrences in Q2 2023 compared to only 4 in the previous quarter, but still under the\r\nnumber of 43 in Q4 2022) in the number of victims named on data theft extortion sites. Cisco Talos Incident\r\nResponse also reported a growing number of data theft extortion campaigns in Q2 2023 that did not involve\r\nencrypting files or deploying ransomware. This was the most-observed threat by Talos in Q2 2023 and represents\r\na 25% increase compared to Q1 2023.\r\nConclusion\r\nThe ransomware threat registered a significant growth in the first half of 2023 associated with the increasing\r\nnumber of active ransomware operations, the record-setting number of claimed attacks and the highly dynamic\r\nillicit transactions.\r\nThe escalating ransomware threat is almost certainly the result of various factors, such as mass adoption of the\r\ndouble extortion technique, the increasing incidence of Big Game Hunting campaigns, the proliferation of\r\nsuccessful small attacks, massive campaigns of vulnerability exploitation for initial access, as well as the\r\nreversal effect of the 2022 downward ransomware trend, notably related to the Russo-Ukrainian war.\r\nRansomware operators show growing interest in collecting the victim’s internal data when conducting\r\nencryption. 
This is stressed by the growing number of emerging ransomware leveraging the double extortion\r\ntechnique, as well as by the increasing use of commodity and custom extortion tools by ransomware operations.\r\nExternal references:\r\n[1] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/buhti-ransomware\r\n[2] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy\r\nThank you for reading this blogpost. We welcome any reaction, feedback or criticism about this analysis. Please\r\ncontact us on tdr[at]sekoia.io\r\nSource: https://blog.sekoia.io/sekoia-io-mid-2023-ransomware-threat-landscape",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.sekoia.io/sekoia-io-mid-2023-ransomware-threat-landscape"
	],
	"report_names": [
		"sekoia-io-mid-2023-ransomware-threat-landscape"
	],
	"threat_actors": [
		{
			"id": "921cea27-4410-42e4-8c11-7d40ba313225",
			"created_at": "2023-01-06T13:46:39.375789Z",
			"updated_at": "2026-04-10T02:00:03.307063Z",
			"deleted_at": null,
			"main_name": "RansomHouse",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHouse",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a9670e60-de2b-4c77-97ea-28e73f92902a",
			"created_at": "2023-11-30T02:00:07.264397Z",
			"updated_at": "2026-04-10T02:00:03.480707Z",
			"deleted_at": null,
			"main_name": "Blacktail",
			"aliases": [],
			"source_name": "MISPGALAXY:Blacktail",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832 ",
				"STAC5279 ",
				"Vanilla Tempest ",
				"Vice Society",
				"Vice Spider "
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-10T02:00:03.537352Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434498,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c195d256821ef89030023fd36b950174d98637df.pdf",
		"text": "https://archive.orkl.eu/c195d256821ef89030023fd36b950174d98637df.txt",
		"img": "https://archive.orkl.eu/c195d256821ef89030023fd36b950174d98637df.jpg"
	}
}