The notorious Carbanak malware, initially recognized for its role in banking attacks, has reemerged with a fresh approach, now incorporating ransomware tactics. Cybersecurity firm NCC Group reported that Carbanak has adapted by employing diverse techniques and attack vectors to enhance its effectiveness. In November 2023, the malware resurfaced using new distribution channels, leveraging compromised websites to distribute malicious installer files, disguised as legitimate utilities, and mimicking popular business-related software like HubSpot, Veeam, and Xero.
NCC Group’s analysis sheds light on the evolving threat landscape of ransomware attacks, indicating 442 reported incidents in November—an increase from 341 in October 2023. Year-to-date, a total of 4,276 ransomware cases have been reported, a significant rise compared to the combined total of 5,198 incidents in 2021 and 2022. The top-targeted sectors include industrials (33%), consumer cyclicals (18%), and healthcare (11%). Geographically, North America (50%), Europe (30%), and Asia (10%) have witnessed the majority of the attacks.
LockBit, BlackCat, and Play are identified as the most common ransomware families, contributing to 47% of the reported attacks. Notably, the takedown of BlackCat’s infrastructure raises questions about the future impact on the threat landscape. Matt Hull, the global head of threat intelligence at NCC Group, anticipates whether ransomware levels will continue to rise in the coming year. This surge in ransomware attacks aligns with findings from cyber insurance firm Corvus, which identified 484 new ransomware victims posted to leak sites in November.
The ransomware landscape has seen a shift away from QBot due to law enforcement takedowns of its infrastructure. Microsoft disclosed details of a low-volume phishing campaign distributing QBot, highlighting the persistent challenges in fully dismantling these cyber threat groups. Additionally, Kaspersky revealed security measures employed by the Akira ransomware, preventing its communication site from analysis by raising exceptions when attempts are made using a debugger in a web browser.
Ransomware operators are also exploiting security flaws in the Windows Common Log File System (CLFS) driver for privilege escalation. The multifaceted and evolving nature of ransomware threats underscores the importance of robust cybersecurity measures and collaborative efforts to mitigate these risks effectively.