LockBit, BlackCat, and Clop Prevail as Top RaaS Groups: Ransomware in 1H 2023

LockBit, BlackCat, and Clop were the most active RaaS families in 1H 2023. They gained access by exploiting vulnerabilities in public-facing applications and by compromising third-party suppliers, then deployed ransomware, stole data, and demanded large ransoms. Attacks included exploitation of PaperCut, MOVEit, and GoAnywhere vulnerabilities, use of backdoors and a signed kernel driver for evasion, and large-scale data exfiltration backed by threats to leak the stolen data.

Keypoints

  • LockBit, BlackCat, and Clop accounted for the largest share of successful ransomware attacks in the first half of 2023, with LockBit leading at ~26% of victims.
  • Actors exploited vulnerabilities in widely used file-transfer and print-management products (MOVEit, PaperCut, GoAnywhere) to gain access and deploy ransomware.
  • Clop and other groups used backdoors (e.g., Lizar) and mass-exploitation campaigns to distribute ransomware and steal large volumes of data.
  • BlackCat introduced the Sphynx variant, aimed at faster encryption and lower detection rates, and loaded a signed kernel driver to evade security tooling.
  • Attackers exfiltrated sensitive data (e.g., healthcare records, corporate IP) and threatened public disclosure as part of extortion tactics, sometimes demanding multimillion-dollar ransoms.
  • Supply-chain and third-party compromises were leveraged to reach high-value targets (e.g., a supplier to TSMC), amplifying impact across organizations.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used to gain initial access by exploiting vulnerabilities in services such as PaperCut, MOVEit, and GoAnywhere (‘…exploitation of two vulnerabilities in the PaperCut software…’ / ‘exploited MOVEit Transfer and MOVEit Cloud vulnerabilities (CVE-2023-34362 and CVE-2023-35036)’ / ‘deployed a mass ransomware attack … using Fortra’s GoAnywhere file transfer software by exploiting a vulnerability.’)
  • [T1195] Supply Chain Compromise – Actors reached high-value victims via third-party suppliers, e.g., compromising an IT hardware supplier of a major chipmaker (‘…targeted one of the IT hardware suppliers of the largest contract chipmaker in the world, Taiwan Semiconductor Manufacturing Company (TSMC)…’)
  • [T1105] Ingress Tool Transfer – Adversaries used backdoors and secondary tooling to stage and deliver ransomware, e.g., FIN7 using the Lizar backdoor to distribute Clop (‘…FIN7 (aka Sangria Tempest) used the Lizar backdoor to distribute Clop on victims’ machines.’)
  • [T1553.002] Subvert Trust Controls: Code Signing – Operators loaded a malicious kernel driver carrying a code signature so that it would pass driver-signing enforcement and evade security tooling (‘…report on BlackCat using a new signed kernel driver for evasion…’). (T1218, System Binary Proxy Execution, does not apply: that technique covers abuse of legitimate signed system binaries such as rundll32, not a malicious driver signed with an abused certificate.)
  • [T1041] Exfiltration Over C2 Channel – Data was stolen and exfiltrated prior to extortion, including large-scale patient data theft; the report evidences the theft itself rather than the channel used (‘…siphoned off “personal and protected health information of up to 1 million patients.”’)
  • [T1486] Data Encrypted for Impact – Ransomware encryption and extortion were used to disrupt operations and coerce payment (e.g., ransom demands and threats to publish stolen data, ‘…demanded a US$70 million ransom from TSMC; otherwise, they threatened to publish stolen data.’)

Indicators of Compromise

  • [Malware / Threat Actors] Most active RaaS families and tools – LockBit, BlackCat, Clop, Lizar backdoor, and Sphynx variant
  • [Vulnerabilities / CVEs] Public-facing application exploits used – CVE-2023-27350 (PaperCut), CVE-2023-34362 and CVE-2023-35036 (MOVEit)
  • [Victim Organizations] Examples of high-profile victims or targets mentioned – TSMC, Royal Mail (and other victims such as Reddit, NextGen Healthcare)
  • [TTPs / Artifacts] Evasion and deployment artifacts referenced – signed kernel driver (used by BlackCat for evasion) and leak-site postings (extortion/leak evidence)

LockBit, BlackCat, and Clop leveraged exploitation of internet-facing software and third-party suppliers as primary technical procedures: attackers identified and weaponized vulnerabilities in print and file-transfer solutions (PaperCut CVE-2023-27350, MOVEit CVE-2023-34362 / CVE-2023-35036, Fortra GoAnywhere) to obtain initial access and execute ransomware payloads. Once inside, adversaries transferred tooling and payloads (e.g., via backdoors like Lizar) to deploy ransomware families and stage data for exfiltration and extortion.

Post-compromise activities included large-scale data exfiltration of sensitive records (healthcare and corporate data), public leak postings on extortion/leak sites, and multimillion-dollar ransom demands; actors also used evasion techniques such as a signed kernel driver and introduced improved variants (BlackCat Sphynx) to increase speed and detection avoidance. Supply-chain attacks against third-party suppliers were explicitly used to extend reach into high-value targets (example: access to TSMC via a supplier), amplifying impact beyond direct compromises.

Defensive focus should therefore prioritize: rapid patching of internet-exposed file-transfer and print-management services, and removing them from the internet while a fix is pending; monitoring for inbound tool transfers and backdoor activity on the hosts that run those services; detection rules for kernel driver loads that are validly signed but come from user-writable paths or from signers not expected in the environment; and monitoring of egress volume and of leak sites, so that the earlier stages of these procedures are caught before encryption and extortion.
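The driver-load detection called for above, as an added example that is not code from Trend Micro or from the report this page summarises. It consumes Sysmon DriverLoad events (Event ID 6, whose real fields are ImageLoaded, Hashes, Signed, Signature and SignatureStatus) rendered one event per line as "Key=Value, Key=Value" (the one-line rendering is an assumption; adapt the parser to whatever your SIEM exports). The trusted driver directories, expected-publisher list, known-good hash set, driver names and hashes are all constructed for the example and must be tuned per environment. The check it demonstrates is the one a signed malicious driver needs: a valid signature is not treated as a pass when the signer is unexpected or the load path is one a production driver never uses.

```python
"""Flag signed-but-suspicious kernel driver loads from Sysmon-style DriverLoad lines.

Added example for this page (not Trend Micro code). Event lines, driver names,
hashes and publishers are constructed; the allowlists below are assumptions.
"""
import re

# Directories a production kernel driver is normally loaded from (assumption).
TRUSTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers\,".rstrip(","),
    r"c:\windows\system32\driverstore\,".rstrip(","),
)

# Signers whose drivers are expected on this fleet (assumption; lower-case for matching).
EXPECTED_PUBLISHERS = {
    "microsoft windows",
    "microsoft corporation",
    "microsoft windows hardware compatibility publisher",
}

# SHA256 of drivers already vetted on this fleet (constructed placeholder value).
_VETTED_SHA256 = "1" * 64
KNOWN_GOOD_SHA256 = {_VETTED_SHA256}

# Sysmon data rendered as "Key=Value, Key=Value". Values may contain "=" (Hashes=SHA256=...)
# and ", " (Signature=Contoso, Ltd.), so a value ends only at ", " followed by another Key=.
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")


def parse_driver_load(line: str) -> dict:
    """Return the Key=Value fields of one DriverLoad line as a dict."""
    return {key: value for key, value in _FIELD_RE.findall(line)}


def assess_driver_load(event: dict) -> list:
    """Return the reasons (possibly none) why this driver load deserves triage."""
    image = event.get("ImageLoaded", "")
    # Sysmon lists hashes as "SHA1=..,MD5=..,SHA256=.." (no spaces).
    hashes = dict(p.split("=", 1) for p in event.get("Hashes", "").split(",") if "=" in p)
    if hashes.get("SHA256", "").lower() in KNOWN_GOOD_SHA256:
        return []  # vetted binary: path and signer checks are moot

    reasons = []
    signed = event.get("Signed", "").lower() == "true"
    valid = event.get("SignatureStatus", "") == "Valid"
    if not (signed and valid):
        reasons.append("unsigned or invalid signature")

    if not image.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from outside the driver directories")

    publisher = event.get("Signature", "")
    if signed and valid and publisher.lower() not in EXPECTED_PUBLISHERS:
        # A *valid* signature from a signer you do not expect is exactly what an
        # abused or leaked code-signing certificate produces; do not let it pass.
        reasons.append(f"validly signed by unexpected publisher '{publisher}'")
    return reasons


def triage(lines) -> list:
    """Parse each line and return (ImageLoaded, reasons) for the suspicious loads only."""
    flagged = []
    for line in lines:
        event = parse_driver_load(line)
        reasons = assess_driver_load(event)
        if reasons:
            flagged.append((event.get("ImageLoaded", ""), reasons))
    return flagged


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Ordinary Windows driver: Microsoft-signed, loaded from the drivers directory.
    r"ImageLoaded=C:\Windows\System32\drivers\afd.sys, Hashes=SHA256=" + "2" * 64
    + ", Signed=true, Signature=Microsoft Windows, SignatureStatus=Valid",
    # Validly signed by an unexpected signer and dropped into a user temp directory.
    r"ImageLoaded=C:\Users\admin\AppData\Local\Temp\evdrv.sys, Hashes=SHA256=" + "3" * 64
    + ", Signed=true, Signature=Contoso, Ltd., SignatureStatus=Valid",
    # Unsigned driver from a writable directory.
    r"ImageLoaded=C:\Windows\Temp\tst.sys, Hashes=SHA256=" + "4" * 64
    + ", Signed=false, Signature=, SignatureStatus=Unavailable",
    # Third-party driver that would trip the path check but is on the vetted-hash list.
    r"ImageLoaded=C:\Program Files\ExampleVendor\edr.sys, Hashes=SHA256=" + _VETTED_SHA256
    + ", Signed=true, Signature=Example Vendor Inc, SignatureStatus=Valid",
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

Run as-is it reports the second and third sample loads and stays quiet on the first and fourth. The hash allowlist is checked first on purpose: once a vendor driver has been vetted, its path or signer should not generate a ticket every boot, while anything not yet vetted is judged on where it sits and who signed it, never on the signature bit alone.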

Read more: https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-blackcat-and-clop-prevail-as-top-raas-groups-for-1h-2023