September Saw Record Number of Ransomware Attacks

Ransomware groups stepped up their attacks in September according to data recently published by NCC Group. At least 514 ransomware attacks are known to have been conducted in September, which represents a 32% month-over-month increase in attacks.

Every month in 2023 has seen more attacks conducted than the corresponding month in 2022, with September’s attacks conducted in record numbers, even more than the 502 attacks in July and the March 2023 spike in activity, which included the Clop group’s mass exploitation of the zero-day vulnerability in Fortra’s GoAnywhere MFT solution. To add some perspective, September saw a 153% increase in attacks from September 2022. NCC Group had previously predicted that 2023 could end with more than 4,000 known ransomware/data leak-extortion attacks, but the high number of September attacks could see that total surpassed well before the end of the year.

While a small number of threat actors usually account for the vast majority of attacks, that was not the case in September. NCC Group reports a significant increase in the number of active ransomware groups, with several new groups conducting large numbers of attacks. There were 76% more active ransomware groups in September 2023 compared to September 2022, which suggests ransomware attacks continue to be profitable and are unlikely to reduce any time soon.

One of the main threat groups that typically features in the top 3 is Clop, and while the group has been highly active in 2023, it only conducted 3 known attacks in August and there were no known attacks in September. While it is not unusual to see a lull in activity, especially after such a major mass exploitation campaign, it is unlikely to last long. NCC Group expects the group to return with another mass exploitation campaign soon. Two notable new ransomware groups appeared in September that hit the ground running. LostTrust was behind 9% of the month’s attacks, and RansomedVC accounted for 10%.

RansomedVC, like 8base, claims to consist of penetration testers that only attack organizations that demonstrate a lack of attention to security. In addition to attacking organizations, RansomedVC threatens to report any vulnerabilities it exploits to data protection authorities in the EU as violations of the General Data Protection Regulation (GDPR) to pile pressure on victims to pay up.

As was the case in August, Industrials was the most targeted sector, accounting for 33% of all known attacks, followed by consumer cyclicals, and technology, with healthcare in fourth place. There was a significant increase in attacks on healthcare organizations in September, with 18 more attacks than the previous month – an increase of 86%. The most active ransomware groups in September were Lockbit 3.0, LostTrust, BlackCat, RansomedVC, and Cactus. Play, BianLian, Noescape, 8base, and Trigona rounded out the top 10. North America is still the most targeted region, where 50% of the attacks were conducted, followed by Europe (30%) and Asia (9%).

The increase in attacks shows the need for an international effort to target ransomware gangs, disrupt their operations and cut off their financing. One potential solution is for countries to introduce bans on ransom payments, which the U.S. is pushing for. The 40 countries attending the third annual International Counter Ransomware Initiative (CRI) in Washington this week have pledged to do just that, although a ban could spell disaster for companies that are unable to recover their data from backups.

The post September Saw Record Number of Ransomware Attacks appeared first on HIPAA Journal.

HPH Sector Warned About 8Base Data Extortion Group

The 8Base hacking group has been active since March 2022 and while the group does not appear to actively target the healthcare sector, its indiscriminate attacks have included multiple healthcare organizations, with recent victims including the cosmetic and reconstructive plastic surgery practice of Eduardo G. Barrosso MD in October, and attacks on Kansas Medical Center, Stockdale Podiatry, Oregon Sports Medicine, Dental One Craigiebur, Redwood Lab Services, and ClearMedi Healthcare. The recent attacks on healthcare and public health (HPH) sector organizations have prompted the Health Sector Cybersecurity Coordination Center (HC3) to publish an analyst note about the group.

First and foremost, 8Base is a data extortion group, although the group has also conducted ransomware attacks using multiple ransomware strains. The primary purpose of the attacks is to steal sensitive data, which the group threatens to publish to extort money from victims. The group stepped up operations in May and June this year and was one of the top three data extortion and ransomware groups in July 2023. The group’s dark web data leak site currently lists more than 225 victims from late May to November 2023.

8Base claims on its data leak site that its members are honest penetration testers who only attack companies that have neglected the importance of employee and customer privacy. Despite having conducted many attacks, relatively little is known about the group, such as whether it operates as a ransomware-as-a-service operation. The rapid scaling up of activity this year has led security researchers to believe that members of the group are experienced, and 8Base may be the new name for a well-established, mature threat group. Similarities between the RansomHouse and Phobos groups have been identified. 8Base is known to have used Phobos ransomware in some of its attacks.

The primary methods the group uses to gain access to victims’ networks are phishing, exploit kits, and drive-by downloads. Its victims span a broad range of sectors and include law firms, accountants, manufacturers, scientific companies, construction firms, and healthcare organizations. While organizations in multiple countries have been attacked, the group appears to mostly focus on attacks in the United States, Brazil, and the United Kingdom.

While not appearing to actively target healthcare organizations, the group does pose a threat to the HPH sector. HC3 has shared MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) associated with the group, Indicators of Compromise (IOCs), and recommended defense measures and mitigations in its analyst note. “8Base may be new to the cyber threat landscape, but in its short existence, it has proven to be a formidable adversary. Any disruption to an organization’s operations can lead to severe consequences, especially to the HPH sector,” wrote HC3 in its analyst note. “Whether it is affiliated to or an off-shoot of other threat actors, 8Base’s focus on data exfiltration instead of file encryption highlights the need to prioritize cyber security best practices, and prevent unauthorized access to an organization’s systems and networks.”

The post HPH Sector Warned About 8Base Data Extortion Group appeared first on HIPAA Journal.