Keypoints
- Ransomware leak-site posts rose ~49% in 2023 (3,998 posts), largely due to exploitation of critical vulnerabilities and zero‑day flaws.
- High-impact vulnerabilities exploited included MOVEit SQL injection (CVE-2023-34362 series), GoAnywhere CVE-2023-0669, and Citrix Bleed CVE-2023-4966.
- CL0P, LockBit, and ALPHV (BlackCat) were among the most active groups; CL0P notably used torrent distribution for stolen data after large-scale MOVEit exploitation.
- Less-skilled actors reused old exploits (e.g., ESXiArgs exploiting CVE-2021-21974) to compromise large numbers of servers, demonstrating the continuing risk of unpatched systems.
- Operational practices included data exfiltration to leak sites (often on Tor), use of torrents to distribute exfiltrated archives, and double‑extortion (exfiltrate then encrypt).
- International law enforcement and hacktivists disrupted several groups (Hive, Ragnar Locker, Trigona, ALPHV), seizing infrastructure or wiping servers via exploited vulnerabilities.
- Mitigations emphasized: patching exposed services quickly, monitoring internet‑facing systems, detecting exfiltration and torrent/Tor activity, and using endpoint behavioral protections to stop encryption.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used to gain initial access via zero-day and SQL injection vulnerabilities (e.g., MOVEit and GoAnywhere). (‘zero-day exploits targeting critical vulnerabilities such as CVE-2023-0669 for GoAnywhere MFT or CVE-2023-34362…’)
- [T1486] Data Encrypted for Impact – Ransomware actors encrypted victim data as part of multi‑extortion operations. (‘Stealing a victim’s files before encrypting them’)
- [T1567] Exfiltration Over Web Service – Stolen data was posted to dedicated leak sites and Tor-hosted pages to pressure victims. (‘establish a leak site to coerce a victim and release stolen data’)
- [T1041] Exfiltration Over C2 Channel (peer-to-peer/torrent distribution) – CL0P shifted to using torrents to distribute stolen data at scale. (‘CL0P was leveraging torrents to distribute stolen data’)
- [T1068] Exploitation for Privilege Escalation – A zero‑day in Confluence was used to access and wipe Trigona infrastructure. (‘used a zero-day exploit to access Trigona’s infrastructure’)
Indicators of Compromise
- [Vulnerabilities] exploited to gain access or escalate – CVE-2023-34362 (MOVEit SQL injection), CVE-2023-0669 (GoAnywhere MFT), and others (CVE-2023-4966, CVE-2021-21974, CVE-2023-22515).
- [Ransomware/Threat Actor Names] referenced as active or disrupted actors – CL0P, LockBit (LockBit 3.0), ALPHV (BlackCat), and other groups like Akira and 8Base (and ~20+ additional group names cited).
- [URLs / Leak Sites] examples and context – Unit 42 report source https://unit42.paloaltonetworks.com/unit-42-ransomware-leak-site-data-analysis/, multiple unnamed Tor leak sites and torrents used to host/distribute stolen data.
Unit 42’s dataset derives from monitoring public ransomware leak sites (including Tor-hosted pages) and is useful for trend analysis but can under- or over-represent actual compromise counts because incidents are omitted when victims pay immediately or groups do not publish all victims. The dataset shows timelines where spikes in leak-site posts correlate with active exploitation of specific CVEs.
Technically, 2023’s surge was driven by exploitation of public-facing applications (T1190): notable examples include MOVEit SQL injection (CVE-2023-34362 series), GoAnywhere (CVE-2023-0669), and Citrix Bleed (CVE-2023-4966). Attackers combined automated mass exploitation with lateral movement to collect sensitive files, then used multiple exfiltration and publishing mechanisms: traditional Tor-hosted leak sites (T1567), peer-to-peer/torrent distribution (T1041) for bulk data dissemination, and encryption for impact (T1486). Less sophisticated actors continued to exploit older unpatched flaws (e.g., ESXi CVE-2021-21974), while defenders and third parties occasionally disrupted infrastructure through seizure or exploitation of admin-facing flaws (e.g., Confluence CVE-2023-22515 used to access Trigona servers).
Defensive actions should prioritize rapid patching of exposed services, continuous discovery of internet-facing assets, and monitoring for abnormal data staging and exfiltration patterns (large outbound archives, unusual peer-to-peer traffic, or connections to known leak-site endpoints). Endpoint and network protections that detect and block encryption behavior, local analysis of suspicious binaries, DNS/URL filtering to block known leak-site infrastructure, and visibility into virtualization hosts (ESXi) are critical controls for reducing the impact of these exploit-driven ransomware campaigns.
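As an added illustration of the exfiltration monitoring described above (not code from the Unit 42 report), the following Python detector runs over constructed outbound flow records and flags three of the patterns the report calls out: bulk uploads to a single unapproved destination, connections to the conventional BitTorrent client port range, and connections to default Tor relay ports. The byte threshold, port sets and destination allowlist are assumptions to tune for a real environment.

```python
from collections import defaultdict

# Constructed sample flow records (src, dst, dst_port, bytes_out); not real telemetry.
SAMPLE_FLOWS = [
    ("10.0.1.25", "203.0.113.10", 443, 7 * 1024**3),   # 7 GiB up to one unknown host
    ("10.0.1.25", "203.0.113.10", 443, 2 * 1024**3),   # same pair, later in the day
    ("10.0.1.25", "198.51.100.7", 6881, 2_400_000),    # BitTorrent default port
    ("10.0.1.25", "198.51.100.8", 6889, 900_000),      # another peer in the torrent range
    ("10.0.1.40", "203.0.113.50", 9001, 120_000),      # Tor relay ORPort
    ("10.0.2.12", "192.0.2.33", 443, 300_000),         # ordinary-sized HTTPS session
]

TORRENT_PORTS = set(range(6881, 6890))   # conventional BitTorrent client port range
TOR_PORTS = {9001, 9030}                 # default Tor relay OR / directory ports
BULK_THRESHOLD = 5 * 1024**3             # assumed: 5 GiB outbound to one destination
ALLOWED_BULK_DST = {"192.0.2.100"}       # assumed allowlist, e.g. an approved backup target


def detect_exfil(flows, bulk_threshold=BULK_THRESHOLD):
    """Return {src: sorted alert strings} for hosts showing staging/exfiltration patterns."""
    uploads = defaultdict(int)         # (src, dst) -> total bytes out, summed across flows
    torrent_peers = defaultdict(set)   # src -> distinct peers reached on torrent ports
    alerts = defaultdict(set)
    for src, dst, port, bytes_out in flows:
        uploads[(src, dst)] += bytes_out
        if port in TORRENT_PORTS:
            torrent_peers[src].add(dst)
        if port in TOR_PORTS:
            alerts[src].add(f"tor-port:{dst}:{port}")
    # Sum per destination so an upload split over several sessions is still caught.
    for (src, dst), total in uploads.items():
        if total >= bulk_threshold and dst not in ALLOWED_BULK_DST:
            alerts[src].add(f"bulk-upload:{dst}:{total // 1024**3}GiB")
    for src, peers in torrent_peers.items():
        alerts[src].add(f"torrent-peers:{len(peers)}")
    return {src: sorted(hits) for src, hits in alerts.items()}


if __name__ == "__main__":
    for host, hits in detect_exfil(SAMPLE_FLOWS).items():
        print(host, hits)
```

Hosts that trip more than one rule (bulk upload plus torrent peering, as 10.0.1.25 does here) are the ones to triage first, since that combination matches the staging-then-distribution pattern described in the report.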
Read more: https://unit42.paloaltonetworks.com/unit-42-ransomware-leak-site-data-analysis/