Ransomware Trends Q4 2023
Delving into the specifics, we intend to reveal the nuances of ransomware operations, including the identification of the dominant ransomware groups, their target sectors and the geographical distribution of attacks.

Furthermore, the analysis will highlight significant trends, such as the surge in ransomware incidents, the evolution of extortion tactics, and the implications of these developments for cybersecurity strategies.

This knowledge will be useful for both technical and strategic security professionals, offering information that can guide the development of reliable protection mechanisms, inform risk management decisions and, ultimately, increase the resilience of organizations to the ever-present threat of ransomware.

The significance of this analysis extends beyond mere academic interest; it equips security practitioners with actionable intelligence, enabling them to anticipate and counteract the sophisticated strategies employed by ransomware operators.

I. INTRODUCTION

In Q4 2023, most ransomware attacks were attributed to three groups: LockBit 3.0, Clop, and ALPHV/BlackCat.

LockBit 3.0 remained the most active ransomware group, claiming an average of around 23 victims per week. Other prominent groups included Clop and ALPHV/BlackCat. Notable incidents of the year included LockBit's attack on Royal Mail and the shutdown of Hive Ransomware.

II. AFFECTED INDUSTRIES

In Q4 2023, the industries most affected by ransomware attacks were the business services sector, the education/research sector, and the retail/wholesale sector.

The business services sector was the most targeted sector. The United States being the most targeted country likely contributed to the high number of attacks on this sector.

The education/research sector was also heavily impacted by ransomware attacks, accounting for 22% of all attacks in 2023, according to Check Point Research.

The retail/wholesale sector experienced a significant 22% spike in weekly attacks compared to 2022, as reported by Check Point Research.

Other industries that were notably affected include the IT, healthcare, and manufacturing sectors, which were the most targeted sectors in terms of ransomware file detections in the first half of 2023, according to Trend Micro. The report from TechTarget also listed several industries as top targets, including construction and property; central and federal government; media, entertainment and leisure; local and state government; energy and utilities infrastructure; distribution and transport; financial services; and business, professional and legal services.

III. TAKEAWAYS FROM RANSOMWARE Q4

• Record Number of Victims: 2023 was the most successful year for ransomware groups on record, with a total of 4,368 victims, a 55.5% increase from the previous year. The fourth quarter alone saw 1,386 victims
Read more: Boosty | TG
• Dominant Ransomware Groups: LockBit 3.0 remained the most active ransomware group, claiming an average of around 23 victims per week. Clop and ALPHV/BlackCat were also prominent, with 104 and 81 victims respectively

• High-Profile Incidents: Notable incidents included LockBit's attack on Royal Mail and the shutdown of Hive Ransomware

• Industry Impact: The business services sector, the education/research sector, and the retail/wholesale sector were among the most affected by ransomware

• Geographical Focus: The United States was the most targeted country, followed by the UK and Canada

• Trends in Attack Techniques: Tactics shifted from encryption toward leveraging stolen data for extortion, with attackers focusing more on data theft and on extortion campaigns that did not necessarily involve data encryption

• Ransomware Strains: Since 2020, more than 130 different ransomware strains have been detected, with the GandCrab family the most prevalent

• Increased Response from Governments and Vendors: Governments and technology vendors have stepped up their efforts to help stem the tide of ransomware attacks

• Ransomware as a Service (RaaS): RaaS remains a key driver of the ongoing frequency of attacks, with groups such as LockBit operating under this model

• Extortion Tactics: Double and triple extortion attacks have become more prevalent and potentially more impactful and costly for affected companies

• Supply Chain Attacks: Supply chain attacks have become an established part of the ransomware threat landscape, extending the impact of a single intrusion beyond one victim

IV. RANSOMWARE PAYMENTS

In Q4 2023, the most common payment method in ransomware attacks continued to be cryptocurrency, with Bitcoin the most prevalent. Bitcoin accounted for approximately 98% of ransomware payments, owing to its perceived anonymity and ease of use. However, there were early indications that privacy-focused currencies such as Monero were growing in popularity as the payment method of choice for cybercriminals: because Bitcoin transactions are recorded on a public ledger, tracing the flow and source of payments has become increasingly easy.

Despite the prevalence of ransom payments, the proportion of victims who paid was decreasing. Only 37% of ransomware victims paid a ransom in Q4 2023, a record low. This decrease was attributed to improved security measures and investment in backup and continuity, which allowed more organizations to recover from attacks without paying.

The average ransom payment in Q4 2023 was nevertheless high: the average payment was $408,643, a 58% increase from Q3 2022, and the median payment was $185,972, a 342% increase from Q3 2022. The rise in payment amounts was seen as a tactic by cybercriminals to compensate for the declining number of victims willing to pay.

V. RANSOMWARE ENTRY POINTS

In Q4 2023, the common entry points for ransomware were:

• Phishing Attacks: Phishing was the primary delivery method for ransomware, with 62% of successful ransomware attacks using phishing as their entry point into the victim's systems. Phishing attacks rose by 173% in Q3 2023. Attackers used increasingly sophisticated social engineering techniques to trick employees into handing over sensitive information

• Exploitation of Vulnerabilities: Vulnerabilities in software and systems were another common entry point. For instance, the ransomware group CL0P exploited GoAnywhere file transfer software. Two strains that emerged during 2023, CACTUS and 3AM, were also active in the quarter, with CACTUS exploiting known vulnerabilities in VPN appliances

• Credential Theft and Brute Force Attacks: Credential theft was used in 44% of successful ransomware attacks, and brute-forced credentials, obtained for example by password guessing, were used in 17% of attacks

• Supply Chain Attacks: Attackers targeted third-party vendors to gain access to an organization's network

• Insider Threats: Insider threats continued to pose significant risks to organizations

• Social Engineering Attacks: These attacks, including Business Email Compromise (BEC), were also common

VI. RANSOMWARE ENCRYPTION METHODS

The encryption methods used in these attacks have evolved over time, with attackers adopting a mix of symmetric and asymmetric encryption to make recovery without payment as hard as possible. In this hybrid approach the ransomware generates two sets of keys: a fresh symmetric key (typically AES) for each file, used for the bulk encryption because it is fast, and an asymmetric key pair whose public key is embedded in the payload while the private key never leaves the operator. Each file's symmetric key is encrypted ("wrapped") with the public key and stored alongside the encrypted file, and the plaintext symmetric key is discarded. This chain of encryption means that neither the victim nor an analyst holding the sample can recover the file keys without the operator's private key; only offline backups or a flaw in the implementation (a weak random number generator, a key left in memory) offer a way back.

In addition to these encryption methods, there has been a notable shift in the execution strategies of ransomware attacks. Increasingly, cybercriminals are focusing on data theft, followed by extortion campaigns that do not necessarily involve data encryption.

VII. RANSOMWARE DELIVERY METHODS

In Q4 2023, the most common delivery methods used in ransomware attacks were supply chain attacks, double extortion techniques, and Ransomware-as-a-Service (RaaS) operations. Strictly speaking, double extortion is a monetization tactic rather than a delivery channel, but it is grouped here with the operating models that shaped the quarter's attacks.

Supply chain attacks became an established technique for mature and experienced ransomware groups. In these attacks, instead of directly attacking a single victim, the attackers target third-party vendors to gain access to an organization's network.

Double extortion was another prevalent method. In this technique, attackers not only encrypt the victim's data but also threaten to leak stolen data if the ransom is not paid.

Ransomware-as-a-Service (RaaS) operations also played a significant role. In RaaS, developers create the ransomware software and sell access to this tooling to affiliates, who then spread it among potential targets. The access is subscription-based, which is why it is called RaaS.

Phishing with malicious attachments and exploitation of vulnerabilities, including zero-day vulnerabilities, were also used as initial access methods to the target system.

VIII. VULNERABILITIES EXPLOITED BY RANSOMWARE

In Q4 2023, ransomware attackers continued to exploit a range of vulnerabilities to compromise organizations. One of the most notable vulnerabilities exploited was a two-year-old vulnerability for which a patch had been available for about as long. This highlights the importance of timely patch management and version control within organizations.

Additionally, attackers used a flaw in MagicLine4NX software, affecting versions before 1.0.026, to initiate their attacks. The MOVEit vulnerability was also significant, accounting for a notable percentage of victims in previous quarters, and it is likely that such vulnerabilities continued to be a target for ransomware groups.

The year 2023 also saw a surge in the use of zero-day exploits in ransomware attacks; these target vulnerabilities that are unknown to the software vendor or for which no patch is available at the time of the attack. This trend underscores the adaptability of threat actors and the need for organizations to enhance their defenses against such evolving threats: where no patch exists, compensating controls such as network segmentation, keeping management interfaces off the internet, and monitoring the affected product for anomalous activity are the only mitigations available.

IX. EFFECTIVE WAYS TO PREVENT RANSOMWARE ATTACKS

In Q4 2023, the most effective ways to prevent ransomware attacks were multifaceted, involving a combination of technical measures, user education, and proactive strategies:

• Robust Data Backup: Regularly backing up data is a crucial step in mitigating the impact of a ransomware attack. A secure, robust backup solution, with at least one copy kept offline or immutable so that the ransomware cannot reach it, can ensure that even if data is encrypted by ransomware, the organization can restore its systems without having to pay the ransom

• Cyber Awareness Training: Training employees to recognize and avoid potential ransomware threats, such as phishing emails and malicious attachments, can significantly reduce the risk of successful attacks

• Patch Management: Regularly updating and patching software can eliminate known vulnerabilities that ransomware might exploit

• Advanced Threat Prevention: Automated threat detection and prevention systems can identify and block many ransomware attacks before they cause significant damage

• Endpoint Security: Robust endpoint security solutions, including antivirus and anti-malware software, can detect and block ransomware threats

• Network Segmentation: Dividing the network into separate segments can prevent ransomware from spreading across the entire environment

• Zero Trust Security Model: Implementing a zero-trust model, where every request for a resource is authenticated and authorized on its own merits rather than trusted because it originates inside the network, can reduce the attack surface available to ransomware

• Multi-factor Authentication (MFA): Implementing MFA adds an additional layer of security, making it more difficult for attackers to gain access to systems with stolen or guessed passwords

• Least Privilege Access: Ensuring that users have the minimum level of access necessary to perform their tasks can limit the potential damage of a ransomware attack

• Application Whitelisting: Allowing only approved applications to run on a system (allowlisting) can prevent ransomware from executing
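The two-key chain described in Section VI, as an added example written for this page (it is not code from the report, nor from any ransomware family): a per-file AES-256-GCM key is generated, used for the bulk encryption, wrapped with the operator's RSA public key via OAEP, and then wiped, so that only the RSA private key can unwrap it. Go's standard library is used throughout. The type and function names (WrappedFile, EncryptFile, DecryptFile, RoundTrip) and the sample plaintext are my own, and the sample is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// WrappedFile models one encrypted file as it would sit on disk: the
// AES-GCM ciphertext and nonce, plus the per-file AES key wrapped with
// the operator's RSA public key. The plaintext AES key is never stored.
type WrappedFile struct {
	Ciphertext []byte
	Nonce      []byte
	WrappedKey []byte
}

// EncryptFile is the two-layer scheme from Section VI: a fresh 256-bit
// AES key encrypts the file body (fast, symmetric), and RSA-OAEP with the
// public key encrypts that AES key (asymmetric, once per file, and
// reversible only with the private key).
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*WrappedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// Wipe the symmetric key: from here on only WrappedKey exists, and
	// only the holder of the RSA private key can turn it back into fileKey.
	for i := range fileKey {
		fileKey[i] = 0
	}
	return &WrappedFile{Ciphertext: ciphertext, Nonce: nonce, WrappedKey: wrapped}, nil
}

// DecryptFile is the "decryptor" half: unwrap the file key with the
// private key, then open the AES-GCM ciphertext. Any other private key
// fails at the OAEP step and never reaches the file body.
func DecryptFile(priv *rsa.PrivateKey, wf *WrappedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wf.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, wf.Nonce, wf.Ciphertext, nil)
}

// RoundTrip encrypts a constructed sample under the operator's public key
// and checks two things: the matching private key recovers the plaintext,
// and an unrelated key pair (standing in for the victim or an analyst)
// cannot unwrap the file key. It returns the ciphertext length so the
// 16-byte GCM tag overhead is visible to the caller.
func RoundTrip() (int, error) {
	operator, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return 0, err
	}
	bystander, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return 0, err
	}
	sample := []byte("constructed sample: quarterly finance spreadsheet") // not real data
	wf, err := EncryptFile(&operator.PublicKey, sample)
	if err != nil {
		return 0, err
	}
	got, err := DecryptFile(operator, wf)
	if err != nil || !bytes.Equal(got, sample) {
		return 0, errors.New("operator's private key should recover the file")
	}
	if _, err := DecryptFile(bystander, wf); err == nil {
		return 0, errors.New("a different private key must not recover the file")
	}
	return len(wf.Ciphertext), nil
}

func main() {
	n, err := RoundTrip()
	if err != nil {
		fmt.Println("FAIL:", err)
		return
	}
	fmt.Printf("round trip ok; ciphertext is %d bytes (plaintext + 16-byte GCM tag)\n", n)
}
```

The defensive reading of the model is the point: once the plaintext AES key is wiped, the ciphertext on disk is recoverable only by whoever holds the RSA private key, which is why incident response should not spend time on the encrypted files themselves and should instead verify that offline backups predate the intrusion. The known escapes are implementation mistakes on the attacker's side (a predictable random source for fileKey or nonce, or a key that survives in process memory), which is what analysts look for when building a decryptor.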
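Section V puts brute-forced credentials at 17% of successful attacks, and Section IX lists automated threat detection among the controls. The following is an added example, written for this page and not taken from the report or from any product: a sliding-window failed-login rule, in Go using only the standard library, run over a constructed sshd excerpt. The hostname, RFC 5737 test addresses, usernames, and the identifiers SampleLog, parseLine, DetectBruteForce and Alert are all my own; no real log data is used.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"time"
)

// SampleLog is a constructed sshd excerpt (RFC 5737 test addresses, no real
// hosts). It holds one legitimate login, one user who mistyped a password
// once, a fast burst of guesses that ends in a successful login on a
// service account, and a slow trickle of guesses two minutes apart.
var SampleLog = []string{
	"Jan 12 10:00:01 fileserver sshd[2143]: Accepted password for alice from 192.0.2.10 port 50211 ssh2",
	"Jan 12 10:00:05 fileserver sshd[2150]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2",
	"Jan 12 10:00:09 fileserver sshd[2151]: Failed password for invalid user admin from 203.0.113.5 port 41023 ssh2",
	"Jan 12 10:00:12 fileserver sshd[2152]: Failed password for root from 203.0.113.5 port 41024 ssh2",
	"Jan 12 10:00:15 fileserver sshd[2153]: Failed password for invalid user test from 203.0.113.5 port 41025 ssh2",
	"Jan 12 10:00:19 fileserver sshd[2154]: Failed password for root from 203.0.113.5 port 41026 ssh2",
	"Jan 12 10:00:22 fileserver sshd[2155]: Failed password for svc_backup from 203.0.113.5 port 41027 ssh2",
	"Jan 12 10:00:27 fileserver sshd[2156]: Accepted password for svc_backup from 203.0.113.5 port 41028 ssh2",
	"Jan 12 10:01:40 fileserver sshd[2170]: Failed password for bob from 198.51.100.7 port 60001 ssh2",
	"Jan 12 10:01:48 fileserver sshd[2171]: Accepted password for bob from 198.51.100.7 port 60002 ssh2",
	"Jan 12 10:02:00 fileserver sshd[2180]: Failed password for root from 203.0.113.9 port 3300 ssh2",
	"Jan 12 10:04:00 fileserver sshd[2181]: Failed password for root from 203.0.113.9 port 3301 ssh2",
	"Jan 12 10:06:00 fileserver sshd[2182]: Failed password for root from 203.0.113.9 port 3302 ssh2",
	"Jan 12 10:08:00 fileserver sshd[2183]: Failed password for root from 203.0.113.9 port 3303 ssh2",
	"Jan 12 10:10:00 fileserver sshd[2184]: Failed password for root from 203.0.113.9 port 3304 ssh2",
}

// lineRE matches the syslog-style sshd password events in the sample.
var lineRE = regexp.MustCompile(`^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+`)

type authEvent struct {
	at      time.Time
	user    string
	src     string
	success bool
}

// parseLine extracts the fields the rule needs. Syslog timestamps carry
// no year, so 2023 is pinned to keep the constructed sample deterministic.
func parseLine(s string) (authEvent, bool) {
	m := lineRE.FindStringSubmatch(s)
	if m == nil {
		return authEvent{}, false
	}
	at, err := time.Parse("2006 Jan 2 15:04:05", "2023 "+m[1])
	if err != nil {
		return authEvent{}, false
	}
	return authEvent{at: at, user: m[3], src: m[4], success: m[2] == "Accepted"}, true
}

// Alert describes one source that crossed the failure threshold. Success
// is the case that needs an immediate response: the guessing worked, and
// the account named in User should be treated as compromised.
type Alert struct {
	Src      string
	Failures int
	Success  bool
	User     string
}

// DetectBruteForce alerts on any source with at least `threshold` failed
// logins inside a sliding `window`, and records whether an accepted login
// from the same source followed the burst.
func DetectBruteForce(lines []string, window time.Duration, threshold int) []Alert {
	bySrc := map[string][]authEvent{}
	for _, l := range lines {
		if e, ok := parseLine(l); ok {
			bySrc[e.src] = append(bySrc[e.src], e)
		}
	}
	var alerts []Alert
	for src, evs := range bySrc {
		sort.Slice(evs, func(i, j int) bool { return evs[i].at.Before(evs[j].at) })
		var recent []time.Time // failure timestamps still inside the window
		a := Alert{Src: src}
		fired := false
		for _, e := range evs {
			if e.success {
				if fired {
					a.Success, a.User = true, e.user
				}
				continue
			}
			a.Failures++
			recent = append(recent, e.at)
			for len(recent) > 0 && e.at.Sub(recent[0]) > window {
				recent = recent[1:]
			}
			if len(recent) >= threshold {
				fired = true
			}
		}
		if fired {
			alerts = append(alerts, a)
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Src < alerts[j].Src })
	return alerts
}

func main() {
	for _, a := range DetectBruteForce(SampleLog, 60*time.Second, 5) {
		fmt.Printf("%s: %d failures", a.Src, a.Failures)
		if a.Success {
			fmt.Printf(", then SUCCESSFUL login as %q (treat as compromised)", a.User)
		}
		fmt.Println()
	}
}
```

With a 60-second window and a threshold of five, only 203.0.113.5 is flagged, and because an accepted login for svc_backup follows the burst, the right response is to disable or rotate that account and review its sessions, not just block the address. The slow source 203.0.113.9 (one guess every two minutes) is missed by the short window and only appears with a window of ten minutes or more, which is why a single tight threshold is not enough; and a password spray (one password tried across many accounts from many addresses) needs aggregation per target account rather than per source. MFA, listed in Section IX, closes the gap that this rule can only report on after the fact.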