Ransomware tactics evolve, become scrappier

As we enter 2024, ransomware remains the most significant cyberthreat facing businesses, according to Malwarebytes.


Malwarebytes reveals that the United States accounted for almost half of all ransomware attacks in 2023.

“Small and medium-sized organizations face a deluge of cyber threats daily including ransomware, malware and phishing attacks. This new data spotlights the pervasive cat-and-mouse game between cybercriminals and the security and IT teams on the front lines,” said Mark Stockley, Cybersecurity Evangelist, Malwarebytes ThreatDown Labs.

“The threat landscape is constantly evolving especially with the explosion of AI and new adversaries with fresh strategies and tactics, but if organizations follow our guidance and become equipped to handle these top threats, they are off to a good start in 2024,” added Stockley.

Ransomware attacks rise in 2023

Alongside the rise of ransomware attacks in 2023 (68%), the average ransom demand also climbed significantly. The LockBit gang was responsible for the largest known demand, $80 million, following an attack on Royal Mail.

Ransomware groups also evolved their tactics, getting scrappier and more sophisticated in order to hit a higher volume of victims at the same time. For example, the CL0P ransomware gang broke established norms with a series of short, automated campaigns, hitting hundreds of unsuspecting targets simultaneously with attacks based on zero-day exploits.

The repeated use of zero-days also signaled a new level of sophistication, making CL0P the second most active “big game” ransomware group of 2023: it outpaced rivals that were active in every month of the year despite being active itself for only a few weeks. LockBit also remained the most widely used ransomware-as-a-service, accounting for more than twice as many attacks as its nearest competitor in 2023.

Malware spreads through convincing brand impersonations

Malicious advertising — or malvertising — also made a comeback in 2023 and threatened businesses and consumers alike. Countless campaigns appeared impersonating brands such as Amazon, Zoom and WebEx to deliver both Windows and Mac malware through highly convincing ads and websites that trick users into downloading malware onto their devices.

Malwarebytes ThreatDown Labs found Amazon, Rufus, Weebly, Notepad++ and TradingView to be the top five most impersonated brands. In addition, Dropbox, Discord, 4sync, GitLab and Google emerged as the top five most abused hosts. Malwarebytes ThreatDown Labs also found Aurora Stealer, Vidar, Redline Stealer, BatLoader and IcedID to be the top five most frequently discovered malware families.

In addition to ransomware and malvertising trends, Malwarebytes ThreatDown Labs found attacks on Android, Mac and Windows devices also evolved.

Malwarebytes ThreatDown Labs detected Android banking trojans 88,500 times in 2023. In these attacks, banking trojans are disguised as ordinary apps such as QR code scanners, fitness trackers, or even copies of popular applications like Instagram, in order to capture banking passwords and steal money directly from accounts.

Malware accounted for 11% of detections on Macs last year. Despite declining PC sales, demand for Macs has grown. Today Macs represent a 31% share of US desktop operating systems, and a quarter of businesses run Macs somewhere on their networks, making Apple’s macOS an increasingly significant target for malicious actors.

Abuse of Windows Management Instrumentation (WMI) was the top technique (27%) in Living Off the Land (LOTL) cyberattacks. In these attacks, criminals carry out malicious activity using legitimate IT administration tools such as WMI or PowerShell, which makes the activity harder to distinguish from routine administration.
