Positive Technologies: ransomware operators lash out at educational institutions

Positive Technologies analyzed the Q1 2023 cybersecurity threatscape. The study shows an increase in the number of unique incidents and a surge in ransomware activities, especially against scientific and educational institutions. Experts note a huge number of employment-related phishing campaigns, the emergence of QR phishing, and an increase in the number of malicious ads.

According to Positive Technologies, in Q1 2023 the number of incidents increased by 7% compared to the previous quarter and by 10% compared to Q1 2022. Successful cyberattacks on organizations most often resulted in leakage of confidential information (51%) and disruption of core activity (44%). The share of malware attacks increased by 7 p.p. and 10 p.p. in attacks against organizations and against individuals, respectively, compared to the previous quarter. Companies and critical infrastructure objects experienced major disruptions in operation; there were large-scale data breaches, and new fraud schemes appeared.

Positive Technologies experts speak of a significant increase in ransomware activity in Q1 2023: the share of ransomware in malware attacks against organizations was 53%, up 9 p.p. from the previous quarter, and the number of incidents increased by 77% compared to Q1 2022. The situation is especially grave in the science and education sector, which accounted for a large share of ransomware attacks (19%): attackers targeted schools and higher education institutions around the world.

Social engineering remains one of the most popular methods of attacks on organizations (50%) and individuals (91%). Social engineering attacks on organizations are mainly performed via email (86%). As for social engineering attacks on individuals, attackers prefer to use various web resources and services (59%).

Fedor Chunizhekov, Information Security Analyst at Positive Technologies, comments: "In Q1 we noticed an increase in the number of fraudulent job postings and phishing emails promising new benefit packages. In such campaigns, attackers send emails with stealers—malicious attachments that steal credentials—or links to phishing pages, for example, fake Microsoft 365 or Amazon Web Services login forms. Employment fraud began to gain traction in 2020, when the COVID-19 pandemic outbreak started, leading to people getting fired or suspended at scale and the companies shifting to remote work. Amid the heated geopolitical situation, rising prices and inflation around the world, malicious actors lured victims with phony bonuses and benefits in phishing emails and on forged websites."

Positive Technologies experts also noted that in addition to emails with malicious links and attachments, attackers use QR codes to bypass antispam filters and other protections, as QR codes are images with no suspicious links or distinctive metadata. Fedor Chunizhekov believes this characteristic of QR codes may lead to an increase in the number of phishing campaigns that utilize them.

Positive Technologies data also show cases of significant financial losses in Q1. A ransomware attack on MKS Instruments seriously disrupted its supply chain operations, and the recovery process was difficult. The attack resulted in a $200M hit to the company's revenue. Information security incidents can also affect a company’s stock price: following a ransomware attack, DISH Network’s market value slumped almost 7%.

Another characteristic of Q1 noted by Positive Technologies analysts is the increased cybercrime-fighting efforts of law enforcement and intelligence agencies. Previously, officials tried to constrain cybercriminals mainly in the legal field, but now law enforcement agencies are going all out to stop them. Some examples are the European police searching and arresting administrators and users of the Exclu messenger, popular among criminals, and the FBI seizing the servers of the Hive ransomware gang.

The full version of this study is available on the Positive Technologies website.