During the last quarter of 2023 [2] [4], there was a significant increase in ransomware activity, with LockBit [2] [4], ALPHV (BlackCat) [1], and Cl0p being the major ransomware groups involved. This surge in campaigns resulted in over 1,200 victims across various industries being listed on data leak sites. In this report, we will provide a detailed description of the activities of these ransomware groups and their impact on organizations.

Description

According to XDR security provider ReliaQuest [2] [4], LockBit remained the most active threat group during this period, claiming 275 victims [4]. Play followed closely with 110 victims. LockBitSupp [1] [2] [3] [4], the public representative of LockBit, even attempted to recruit members from disrupted groups such as NoEscape and ALPHV. Notably, LockBit’s leak site named at least one organization linked to ALPHV. The NoEscape and Play ransomware groups also saw an increase in their activity [2], with a spike in victim claims observed in November. However, the Clop group’s activity decreased significantly [2], although there are predictions of a potential resurgence in 2024. Additionally, it is expected that NoEscape will resume its activity under a different name.

The emergence of new ransomware groups, including 8Basem, Akira [1], and Rhysida [1], contributed to the overall increase in the number of ransomware victims in 2023. This growth can be attributed to the ransomware-as-a-service (RaaS) model, which leads to overlapping membership and techniques among different groups [1]. The ransomware landscape is expanding and becoming more diverse [1], with smaller specialized groups rapidly emerging [1]. It is speculated that law enforcement operations targeting prominent collectives may have prompted the rise of these smaller, more dynamic groups [1].

Furthermore, ransomware attacks are increasingly focused on data theft and the swift extraction of ransoms [1]. To stay informed about the latest tactics employed by ransomware groups, security teams should monitor the dark web [1]. Recently, LockBit ransomware leaked stolen information from the University of Sherbrooke [3], which was obtained during a ransomware attack in December 2023 [3]. The attack did not disrupt the university’s operations [3], but a spokesperson confirmed that the compromised data originated from a single research laboratory [3]. The ransomware group provided screenshots as evidence of their claims on the dark web [3].

Conclusion

The surge in ransomware activity during the last quarter of 2023 has had significant impacts on organizations across various industries. With the increasing number of victims and the emergence of new ransomware groups, it is crucial for security teams to stay vigilant and monitor the dark web for the latest tactics employed by these groups. Mitigating the risk of ransomware attacks requires a proactive approach, including implementing robust security measures and regularly updating defenses. Looking ahead, there are predictions of a potential resurgence in ransomware activity in 2024, highlighting the need for continued efforts to combat this evolving threat.

References

[1] https://www.itpro.com/security/ransomware/the-big-three-ransomware-groups-are-losing-their-grip-on-the-industry-as-gangs-begin-to-fracture-study-shows
[2] https://ciso2ciso.com/lockbit-reigns-supreme-in-soaring-ransomware-landscape-source-www-infosecurity-magazine-com/
[3] https://securityboulevard.com/2024/02/the-state-of-ransomware-2024/
[4] https://www.infosecurity-magazine.com/news/lockbit-reigns-supreme-soaring/