The XDR security provider ReliaQuest recently released a report on ransomware trends in the last quarter of 2023, revealing a surge in ransomware activity driven by the hyper-active LockBit group. According to the report, ransomware activity increased by 80% between October and December 2023 compared to the same period in 2022. During this time, a total of 1262 victims from various industries were listed on data leak sites, including manufacturing, construction, professional, scientific, and technical services.
The report highlighted LockBit as the most active threat group, claiming 275 victims on data leak sites in the last quarter of 2023. This number far exceeded the victims claimed by the second most active group, Play, and others such as ALPHV/BlackCat, NoEscape, and 8Base. This dominance by LockBit was consistent with previous trends, as the group had been the most active throughout 2023. LockBitSupp, the public representative of LockBit, had been observed trying to recruit members from other ransomware groups whose activities had been disrupted by law enforcement operations, such as NoEscape and ALPHV.
The report also noted an increase in activity by the NoEscape and Play ransomware groups during the last quarter of 2023, with November experiencing a significant uptick in ransomware victim claims, reaching 484 for that month alone. ReliaQuest attributed this spike to the increased exploitation of the Citrix Bleed vulnerability primarily by LockBit affiliates. Additionally, November brought new aggressive extortion tactics by the ransomware group ALPHV, involving the US Securities and Exchange Commission (SEC) to pressure their targets.
However, the MOVEit campaign seemed to have cooled down, with the Clop group naming 95.3% fewer victims in Q4 2023 than in the previous quarter. Despite this, ReliaQuest expects the rise in ransomware claims to continue into 2024, and the firm shared predictions regarding the tactics of some of the most active ransomware groups. These predictions included expectations of LockBit continuing to exploit vulnerabilities in NetScaler, Clop making a comeback in 2024, and NoEscape eventually resuming its activity under another name.
ReliaQuest’s report shed light on the growing threat of ransomware and the tactics employed by various ransomware groups to target organizations across different industries. As the ransomware landscape continues to evolve, organizations will need to remain vigilant and implement robust cybersecurity measures to protect against increasingly sophisticated attacks.