Ransomware attacks increased by an alarming 68% in 2023
Malwarebytes, a global provider of real-time cyber protection, has published its 2024 ThreatDown State of Malware report. Among its headline findings: nearly half of all known ransomware attacks in 2023 hit victims in the United States.
This annual cybersecurity analysis examines the most significant attacks and cybercrime tactics across popular operating systems. It also provides insights on how IT teams, especially those with limited resources, can effectively address these threats.
Mark Stockley, Cybersecurity Evangelist at Malwarebytes ThreatDown Labs, pointed to the challenges faced by small and medium-sized organizations, which are constantly targeted by threats such as ransomware, malware, and phishing. He described an ongoing battle between cybercriminals and security and IT teams, and stressed the need for organizations to stay vigilant.
The threat landscape continues to evolve, particularly with the rise of artificial intelligence and the emergence of new adversaries with novel strategies and tactics. By following the report's guidance and preparing for these top threats, organizations can start 2024 on a strong footing.
One notable trend in the report is the rise of "big game" ransomware: attacks aimed at large organizations that can pay large ransoms. Known ransomware attacks rose by 68% in 2023, accompanied by a sharp increase in ransom demands; LockBit, for instance, made headlines by demanding $80 million from Royal Mail. Ransomware groups also adopted more sophisticated tactics to hit many victims at once. The CL0P gang broke with the usual playbook by running short, automated campaigns that exploited zero-day vulnerabilities to compromise hundreds of unsuspecting victims simultaneously.
The repeated use of zero-day exploits marked a new level of sophistication and made CL0P the second most active "big game" ransomware group of 2023, even though it was active for only a few weeks in total, while the rivals it overtook were active throughout the year. LockBit remained the most widely used ransomware-as-a-service, recording more than twice as many attacks in 2023 as its closest competitor.
Malicious advertising, or malvertising, also resurged in 2023, threatening businesses and consumers alike. Numerous campaigns impersonated well-known brands such as Amazon, Zoom, and WebEx, using convincing ads and look-alike websites to trick users into downloading malware. These campaigns targeted both Windows and Mac users.
According to Malwarebytes ThreatDown Labs, the five most impersonated brands were Amazon, Rufus, Weebly, Notepad++, and TradingView; the five most abused hosts (legitimate services used to stage payloads) were Dropbox, Discord, 4sync, GitLab, and Google; and the malware most frequently delivered included Aurora Stealer, Vidar, RedLine Stealer, BatLoader, and IcedID.
Malwarebytes ThreatDown Labs also tracked evolving threats to Android, Mac, and Windows devices. Android banking trojans were detected 88,500 times in 2023. They posed as legitimate apps such as QR code scanners and fitness trackers, or as popular applications like Instagram, in order to steal banking credentials and access victims' accounts directly.
On Macs, outright malware made up 11% of detections in 2023. Despite a decline in PC sales, demand for Macs has grown: Macs now hold a 31% share of US desktop operating systems, and roughly a quarter of businesses have Macs on their networks. As a result, macOS has become an increasingly attractive target for malicious actors.
Abuse of Windows Management Instrumentation (WMI) was the most common technique (27%) seen in living-off-the-land (LOTL) attacks, in which attackers use legitimate IT administration tools such as WMI or PowerShell rather than dropping custom malware, so that their activity blends in with normal administration. The full report can be accessed here.
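As an added illustration of what WMI abuse looks like in endpoint telemetry (an editor's example, not code from the report or from Malwarebytes), the Python below runs simple detection logic over a few constructed Sysmon-style events: a remote process creation through wmic.exe, and the event filter, consumer and binding that together form WMI persistence. Sysmon event IDs 1, 19, 20 and 21 are real; the one-line key=value rendering of the events, the sample events themselves, and the host, user and consumer names are assumptions made for the illustration.

```python
"""Detection logic for WMI-based living-off-the-land activity.

Added example (editor's code, not from the Malwarebytes report). Sysmon's
real events are XML; here each event is rendered as one key=value line,
and the sample events are constructed (assumption) for the illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sysmon event IDs (real values): process creation plus the three WMI
# subscription events that together describe WMI persistence.
EVENT_PROCESS_CREATE = 1
EVENT_WMI_FILTER = 19      # __EventFilter created/modified
EVENT_WMI_CONSUMER = 20    # __EventConsumer created/modified
EVENT_WMI_BINDING = 21     # __FilterToConsumerBinding created/modified

# Command-line shapes that spawn processes (often on a remote host) via WMI.
WMI_EXEC_PATTERNS = [
    re.compile(r"\bwmic(?:\.exe)?\b.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I),
    re.compile(r"Invoke-(?:Wmi|Cim)Method\b.*Win32_Process", re.I),
]
# Consumer classes whose payload is an attacker-chosen command or script.
RISKY_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


@dataclass
class Finding:
    event_id: int
    rule: str
    detail: str


def parse_event(line: str) -> dict[str, str]:
    """Turn 'EventID=20 Name="x y" Type=Foo' into {'EventID': '20', ...}."""
    return {key: quoted if quoted else bare for key, quoted, bare in _KV.findall(line)}


def _ref_name(ref: str) -> str:
    """Extract the object name from a binding reference such as
    'CommandLineEventConsumer.Name=SCM Event Consumer'. Real Sysmon output
    quotes the name; the constructed sample format drops the quotes."""
    return ref.split(".Name=", 1)[-1].strip('"')


class WmiDetector:
    """Stateful detector: a binding only completes a persistence mechanism
    when it wires a filter to a command/script consumer, so consumers and
    filters seen earlier are remembered and correlated."""

    def __init__(self) -> None:
        self.filters: dict[str, str] = {}           # filter name -> WQL query
        self.risky_consumers: dict[str, str] = {}   # consumer name -> payload

    def process(self, line: str) -> list[Finding]:
        ev = parse_event(line)
        eid = int(ev.get("EventID", "0"))
        findings: list[Finding] = []
        if eid == EVENT_PROCESS_CREATE:
            cmd = ev.get("CommandLine", "")
            if any(p.search(cmd) for p in WMI_EXEC_PATTERNS):
                findings.append(Finding(eid, "wmi_process_exec", cmd))
        elif eid == EVENT_WMI_FILTER:
            self.filters[ev.get("Name", "")] = ev.get("Query", "")
        elif eid == EVENT_WMI_CONSUMER and ev.get("Type") in RISKY_CONSUMERS:
            name, payload = ev.get("Name", ""), ev.get("Destination", "")
            self.risky_consumers[name] = payload
            findings.append(Finding(eid, "wmi_risky_consumer", f"{name}: {payload}"))
        elif eid == EVENT_WMI_BINDING:
            filt = _ref_name(ev.get("Filter", ""))
            consumer = _ref_name(ev.get("Consumer", ""))
            if consumer in self.risky_consumers:
                query = self.filters.get(filt, "unknown filter")
                detail = f"{filt} ({query}) -> {consumer}: {self.risky_consumers[consumer]}"
                findings.append(Finding(eid, "wmi_persistence_complete", detail))
            else:
                findings.append(Finding(eid, "wmi_binding", f"{filt} -> {consumer}"))
        return findings


def scan(lines) -> list[Finding]:
    """Run the detector over an iterable of event lines, in order."""
    det = WmiDetector()
    return [f for line in lines for f in det.process(line)]


# Constructed sample telemetry (assumption: not real captured events).
SAMPLE_EVENTS = [
    # Lateral movement: remote process creation through wmic.exe
    'EventID=1 Image="C:\\Windows\\System32\\wbem\\WMIC.exe" '
    'CommandLine="wmic /node:FILESRV01 process call create cmd.exe /c whoami"',
    # Benign process creation; should not fire
    'EventID=1 Image="C:\\Windows\\System32\\svchost.exe" CommandLine="svchost.exe -k netsvcs"',
    # WMI persistence step 1: event filter (fires periodically)
    'EventID=19 Operation=Created User="CORP\\admin" EventNamespace="root\\cimv2" Name="SCM Event Filter" '
    'Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA \'Win32_PerfFormattedData_PerfOS_System\'"',
    # Step 2: consumer that runs a command ("SQBFAFgA" is "IEX" in UTF-16LE base64)
    'EventID=20 Operation=Created User="CORP\\admin" Name="SCM Event Consumer" Type=CommandLineEventConsumer '
    'Destination="powershell.exe -w hidden -enc SQBFAFgA"',
    # Step 3: binding the filter to the consumer completes the persistence
    'EventID=21 Operation=Created User="CORP\\admin" Consumer="CommandLineEventConsumer.Name=SCM Event Consumer" '
    'Filter="__EventFilter.Name=SCM Event Filter"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] event {finding.event_id}: {finding.detail}")
```

The point of keeping state across events is that each of the three subscription events is unremarkable on its own (administrators legitimately create filters and consumers), but a filter bound to a CommandLineEventConsumer or ActiveScriptEventConsumer is the shape of WMI persistence and deserves a high-severity alert; the process-creation rule catches the other common abuse, remote execution via wmic or Invoke-WmiMethod. In production the same logic would read Sysmon XML or a SIEM's parsed fields rather than the simplified lines used here.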