Ransomware and Cyber-extortion Trends in Q4 2023 ReliaQuest Threat Research Team
February 2024 by ReliaQuest
In the fourth quarter of 2023 (Q4 2023), a stunning 80% more organizations were hit by ransomware attacks than in Q4 2022. It’s an alarming statistic…an emergency flare signaling the growing threat cybercriminals pose to businesses of all sizes.
November marked a significant contribution to the ransomware activity surge, at least partly because the Citrix Bleed vulnerability was heavily exploited. On top of that, November brought new aggressive extortion tactics by the ransomware group “ALPHV,” involving the US Securities and Exchange Commission (SEC) to pressure their targets.
Every problem leaves a lesson, which is why we’re about to dig deep into these developments. The light at the end of the tunnel is a clearer view of the evolving ransomware landscape and of attacker strategies.
The Growing Ransomware Threat: What, Where, and Why?
In Q4 2023, ransomware was delivered primarily through public-facing application vulnerabilities and phishing attacks. The dramatic growth in ransomware attacks can be attributed to several factors. First, attackers had easy access to ransomware-as-a-service (RaaS) tools. They were also, almost certainly, driven by the attractive risk-reward ratio: Few attackers were caught and held accountable for cyber attacks.
November 2023 stood out as particularly busy, with the second-highest number of compromised entities all year. The reason is probably down to all the threat groups that jumped to exploit the Citrix Bleed vulnerability to deliver ransomware. Historically, threat groups have been zealous about newly uncovered, high-severity vulnerabilities. Citrix Bleed was especially appealing because attackers easily bypassed multifactor authentication (MFA) to hijack user sessions. That’s why it’s crucial to prioritize security patches and manage vulnerabilities effectively. During Q4, many threat actors took advantage of critical vulnerabilities to distribute ransomware.
The Q4 2023 sectoral pattern of targeting remained largely consistent with the previous quarter: Manufacturing; professional, scientific, and technical services; and construction bore the brunt of the impact. Knowing which sectors are being targeted—and in which locations—can help drive proactive security measures to best prepare for a potential attack.
The regional preference was for the United States, plus the United Kingdom and Canada. Those three countries experienced the majority of documented ransomware attacks, which stands to reason: They’re appealing because of their thriving economies, English-speaking populations, and ability to pay large sums to reinstate compromised systems. They’ve become prime targets for cybercrime groups, whose members recognize the potential to seize substantial ransom payments.
The number of ransomware groups only continues to expand, and the availability of RaaS continues to attract operators with varying skill levels. So we can expect the increase in ransomware attacks that began in 2023 to persist throughout 2024. Implementing proactive security measures will be essential for organizations of all sizes.
Extortion Evolution: New Tactics, Same Objective
Cyber-threat actors constantly find innovative ways to bypass the latest defensive systems. (Check out our recap of cyber-threat techniques in Q4.) They’re exploiting vulnerabilities that have not been addressed and/or targeting unsuspecting users. In the final stretch of 2023, we saw not only more attacks from certain groups, but also new tactics and techniques.
For security defenders, it’s a dynamic cat-and-mouse game, and their cybersecurity approach must stay one step ahead of threat actors’ attack strategies. Organizations and individuals should continuously update their defenses, stay vigilant, and place ongoing education and awareness at the forefront, to counter the evolving and increasingly aggressive cyber threats. We’ve come up with some specific mitigation recommendations, based on Q4 threats that seem determined to not fade away.
ALPHV Ups the Ante with SEC Disclosures
The ransomware group ALPHV (aka “BlackCat”) added an extra layer of aggression to its Q4 extortion tactics: The notorious group used SEC reporting measures against its targets after an attack, applying extra intimidation and pressure to meet its demands. The hyper-aggression is a response to growing resistance to paying ransom demands. Involving the SEC (or other regulatory bodies) intensifies the consequences and public scrutiny for compromised entities.
ALPHV’s new tactic emphasizes the need for heightened cybersecurity measures, and preparedness for other new or evolving tactics. Security teams would also benefit from performing ongoing reviews and updates of policies, to better respond to aggressive ransomware tactics.
Also, because ALPHV is known to gain initial access to organizations through social engineering and to move laterally in a network via remote desktop protocol (RDP), we recommend:
Securing remote-access tools by implementing application controls
Educating staff about social engineering and phishing attacks
Installing and updating antivirus software
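The recommendations above are preventive; the detection counterpart is to watch for the RDP lateral movement the report attributes to ALPHV. The following script is an added example (not ReliaQuest's own tooling or code from the report) that runs over a handful of constructed Windows Security logon records modelled on Event ID 4624, where logon type 10 denotes an RDP (RemoteInteractive) session. It raises two kinds of findings: an account RDP-ing to several distinct hosts within a short window (fan-out), and any RDP logon whose source is not in an assumed allow-list of approved jump hosts. The event fields, host names, IP addresses, the jump-host list, and the thresholds are all assumptions for illustration.

```python
"""Flag RDP lateral-movement patterns in constructed Windows 4624-style logon events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Each record keeps only the
# 4624 fields needed here; logon_type 10 = RemoteInteractive (RDP),
# logon_type 3 = Network (ignored by this check).
SAMPLE_EVENTS = [
    {"time": "2023-11-14T02:01:10", "host": "FS01", "user": "jdoe", "logon_type": 10, "src_ip": "10.0.5.23"},
    {"time": "2023-11-14T02:08:42", "host": "APP02", "user": "jdoe", "logon_type": 10, "src_ip": "10.0.5.23"},
    {"time": "2023-11-14T02:15:05", "host": "DC01", "user": "jdoe", "logon_type": 10, "src_ip": "10.0.5.23"},
    {"time": "2023-11-14T09:30:00", "host": "FS01", "user": "admin_ops", "logon_type": 10, "src_ip": "10.0.9.5"},
    {"time": "2023-11-14T09:31:00", "host": "FS01", "user": "svc_backup", "logon_type": 3, "src_ip": "10.0.9.5"},
]

# Assumed set of approved RDP sources (e.g. a bastion/jump host). RDP from
# anywhere else is treated as a policy violation worth reviewing.
ALLOWED_RDP_SOURCES = {"10.0.9.5"}


def parse_time(value):
    """Parse the ISO-8601 timestamp used in the sample records."""
    return datetime.fromisoformat(value)


def find_rdp_lateral_movement(events, window_minutes=30, host_threshold=3,
                              allowed_sources=ALLOWED_RDP_SOURCES):
    """Return a list of findings as tuples.

    ("unapproved_rdp_source", user, src_ip, host)      one per RDP logon from a
                                                        source outside allowed_sources
    ("rdp_fan_out", user, sorted_hosts, window_start)   one per user who reached
                                                        >= host_threshold distinct
                                                        hosts via RDP within the window
    """
    # Keep only RDP logons, in time order, so the sliding window below is valid.
    rdp = sorted((e for e in events if e["logon_type"] == 10),
                 key=lambda e: parse_time(e["time"]))
    findings = []
    by_user = defaultdict(list)

    for event in rdp:
        if event["src_ip"] not in allowed_sources:
            findings.append(("unapproved_rdp_source", event["user"],
                             event["src_ip"], event["host"]))
        by_user[event["user"]].append(event)

    window = timedelta(minutes=window_minutes)
    for user, user_events in by_user.items():
        start = 0
        # Sliding window over this user's RDP logons: advance `start` until the
        # span [start, end] fits inside the window, then count distinct hosts.
        for end in range(len(user_events)):
            while parse_time(user_events[end]["time"]) - parse_time(user_events[start]["time"]) > window:
                start += 1
            hosts = {e["host"] for e in user_events[start:end + 1]}
            if len(hosts) >= host_threshold:
                findings.append(("rdp_fan_out", user, sorted(hosts), user_events[start]["time"]))
                break  # one finding per user is enough to trigger review
    return findings


if __name__ == "__main__":
    for finding in find_rdp_lateral_movement(SAMPLE_EVENTS):
        print(finding)
```

In the constructed data, the account jdoe reaches three servers by RDP inside 14 minutes from a workstation address, so it is reported both for fan-out and for an unapproved source, while the administrator's single RDP session from the jump host produces nothing. The thresholds are deliberately parameters: a fleet with many legitimate RDP administrators will want a higher host count or a shorter window, and the allow-list is where the "application controls" recommendation turns into something the detection can check against.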