Ransomware has emerged as one of the most formidable challenges in cybersecurity, with 2023 marking a year of unprecedented activity. As we look ahead, it’s crucial to arm ourselves with knowledge about the top ransomware to watch in 2024.
This article delves into the trends and threats that have shaped the cyber-sphere and what we can anticipate in the coming year.
The State of Ransomware in 2023
Last year set a record for ransomware attacks. According to Cyberint’s Ransomware Recap 2023, there was a 55.5% increase in victims compared to the previous year, totaling an alarming 4,368 cases. The surge in attacks was not isolated to any one region or sector; it was a global phenomenon, with the United States bearing the brunt of the assaults, accounting for 64% of all cases. Industries like business services were particularly hard-hit, facing 1,265 attacks throughout the year.
LockBit3.0, ALPHV, and Cl0p stood out as the top ransomware families, causing widespread disruption and concern. Noteworthy campaigns such as the MOVEit campaign by Cl0p highlighted the increasing sophistication of threat actors and their ability to exploit supply chain infrastructures.
Understanding Ransomware: A Primer
Ransomware is a type of malicious software designed to block access to a computer system or data until a sum of money is paid. Over the years, ransomware has evolved from simple lockout mechanisms to complex, multi-faceted threats that not only encrypt data but also steal it, threatening to release the information unless additional demands are met.
Top Ransomware Families in 2023
As we reflect on the past year, it is essential to examine the ransomware families that dominated the landscape:
LockBit3.0 led the charge with 1,047 victims, which was 24% of the total attacks. The notorious Boeing attack and the Royal Mail attack were among the high-profile incidents attributed to this group. It’s a stark reminder of the group’s capabilities and the importance of robust cybersecurity measures.
ALPHV, also known as BlackCat, was responsible for 445 victims, making up 10% of the total attacks. This group was particularly noteworthy for its use of sophisticated ransomware-as-a-service (RaaS) operations and its targeting of high-value organizations.
Cl0p caused disruption with 384 victims, which was 8.7% of the total attacks. The group gained attention for its involvement in high-profile campaigns like the MOVEit campaign, which was a significant supply chain attack that had ripple effects across multiple industries.
Emerging Ransomware Threats to Watch in 2024
The ransomware landscape is not static; new threats emerge regularly. Here are several newcomers set to make waves in 2024:
3AM Ransomware
3AM ransomware was observed in a limited number of attacks, but it has already made its mark. The group was thrust into the spotlight when a LockBit affiliate switched to 3AM after being blocked. Written in Rust, 3AM showcases a distinct attack sequence, including the halting of services and deletion of VSS copies. According to Symantec’s Threat Hunter Team, the affiliate conducted reconnaissance with commands like gpresult, whoami, netstat, quser, and net share, and employed tools such as Cobalt Strike, PsExec, and Wput.
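A defender can hunt for the reconnaissance sequence described above by looking for several of those commands run by one account on one host in a short span. The following Python is an added example, not code from Symantec or the original article; the pipe-delimited log format, the sample events, the five-minute window and the three-command threshold are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Reconnaissance commands named in the Symantec report cited above.
RECON = {"gpresult", "whoami", "netstat", "quser", "net share"}

# Constructed process-creation events: "timestamp|host|user|command line".
SAMPLE_LOG = """\
2024-01-10T02:58:01|FS01|svc_backup|whoami /all
2024-01-10T02:58:09|FS01|svc_backup|gpresult /z
2024-01-10T02:58:30|FS01|svc_backup|netstat -ano
2024-01-10T02:59:02|FS01|svc_backup|quser
2024-01-10T02:59:40|FS01|svc_backup|net share
2024-01-10T09:15:00|WS22|alice|whoami
2024-01-10T13:40:00|WS22|alice|netstat -an
2024-01-10T13:41:00|WS22|alice|notepad.exe report.txt
"""

def recon_name(cmdline):
    """Return the recon command a command line invokes, or None."""
    tokens = cmdline.lower().split()
    if not tokens:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1]      # drop any directory path
    if exe.endswith(".exe"):
        exe = exe[:-4]
    if exe in ("net", "net1") and len(tokens) > 1 and tokens[1] == "share":
        return "net share"
    return exe if exe in RECON else None

def find_recon_bursts(log_text, window=timedelta(minutes=5), min_distinct=3):
    """Flag (host, user) pairs running >= min_distinct recon commands in window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue                          # skip malformed lines
        name = recon_name(parts[3])
        if name:
            events[(parts[1], parts[2])].append((datetime.fromisoformat(parts[0]), name))
    alerts = []
    for (host, user), hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1                    # slide the window forward
            distinct = {n for _, n in hits[start:end + 1]}
            if len(distinct) >= min_distinct:
                alerts.append((host, user, sorted(distinct)))
                break                         # one alert per host/user pair
    return alerts
```

Each command on its own is routine administration; the signal is the combination, which is why the isolated `whoami` and `netstat` runs on WS22 hours apart do not alert.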
Rhysida Ransomware
Rhysida emerged with a different approach, launching a victim support chat portal on their TOR site and claiming to be a “cybersecurity team.” This group drew attention by disclosing stolen documents from the Chilean Army and targeting entities like the British Library and Insomniac Games. Rhysida’s targeting spans various industries, and as noted by SentinelOne, it’s in the early development stages and lacks some features common in other ransomware.
Akira Ransomware
With a retro aesthetic on their Data Leak Site (DLS), Akira is another group to watch. Discovered in March 2023, Akira has already impacted 81 victims. It has a possible connection to the infamous Conti group and offers ransomware-as-a-service for Windows and Linux systems. Akira’s double extortion tactic involves exfiltrating and encrypting data, with initial access often through compromised credentials, particularly in organizations lacking MFA for VPNs.
The ransomware industry is expected to continue its growth trajectory, and new groups are becoming increasingly prominent. These three groups, among others, were heavy contributors to the boom in ransomware attacks in 2023.
Additional Ransomware Groups Causing Disruption
MalasLocker Ransomware
MalasLocker is a unique entry in the ransomware realm, targeting Zimbra servers and demanding donations to charities instead of direct ransoms. Emerging at the end of March 2023, this group has already distinguished itself by its unconventional approach. The attackers encrypt data and upload suspicious JSP files, possibly exploiting vulnerabilities in the Zimbra email hosting platform. While the group’s legitimacy and true intentions remain unclear, their hacktivist-like posture and demands for charitable donations mark a departure from traditional ransomware operations.
BlackSuit Ransomware
Another group that demands attention is BlackSuit. Emerging in mid-2023, BlackSuit exhibits technical similarities to the Royal ransomware and has been targeting sectors such as healthcare and education. It operates on both Windows and Linux systems, leveraging phishing emails and third-party frameworks to deliver its payload. BlackSuit’s approach includes a rapid encryption technique and attempts to inhibit system recovery by removing Volume Shadow Copies. For those looking to detect and mitigate this ransomware, solutions like the SentinelOne Singularity XDR Platform can be effective.
Notable Ransomware Campaigns from 2023
Reflecting on the past year’s ransomware campaigns provides us with valuable insights into the methods and targets of these threat actors:
- The MOVEit campaign by Cl0p had a significant impact on supply chain networks, demonstrating the far-reaching effects of a single campaign.
- The Royal ransomware attack on the City of Dallas caused extensive disruptions, highlighting the potential for ransomware to affect municipal operations and services.
- Western Digital suffered a breach from BlackCat ransomware, which underscores the vulnerability of even tech-savvy companies.
- The LockBit attack on Royal Mail led to data leaks, revealing the critical nature of securing communication channels against cyber threats.
Preparing for Ransomware Threats in 2024
With the threat landscape expanding, it’s crucial to adopt best practices in ransomware prevention and response. Regular patching and updating of systems are fundamental to security, as are strong passwords and multi-factor authentication (MFA). Employee training and a robust backup and recovery plan are also essential to ensure resilience against attacks.
Ransomware Predictions for 2024
Experts anticipate that the ransomware industry will continue to flourish, with new groups becoming more prominent and established groups evolving in sophistication. The threat landscape is likely to become more intimidating, with attackers employing new tactics and techniques to bypass security measures.
Conclusion
The year 2023 set a new high for ransomware activity, with both established and emerging threats contributing to a complex and challenging cybersecurity environment. As we progress into 2024, it’s clear that vigilance and preparedness are more critical than ever. By staying informed about the top ransomware to watch and implementing robust security measures, individuals and organizations can better position themselves to defend against these evolving cyber threats.
In the face of this daunting reality, it’s not just about bracing for impact—it’s about building a proactive defense that can adapt to the shifting contours of the cyber threat landscape. The top ransomware to watch in 2024 will undoubtedly test our resilience, but with the right tools, strategies, and awareness, we can navigate these digital perils and emerge stronger.