The ransomware industry surged in 2023, with the number of global victims increasing by a staggering 55.5% to a staggering 4,368 cases.
 |
| Figure 1: Status of victims in each quarter compared with the same period last year |
The roller-coaster ride from explosive growth in 2021 to a brief decline in 2022 was just a preview of what will happen in 2023, when 2023 returns with the same enthusiasm as 2021, boosting existing groups and ushering in a powerful wave of Newcomers.
 |
| Figure 2: Number of ransomware victims 2020-2023 |
LockBit 3.0 caused 1,047 victims through Boeing attacks, Royal Mail attacks, etc., and continued to maintain the first position. Alphv and Cl0p have been much less successful, with 445 and 384 victims respectively in 2023.
 |
| Figure 3: The 3 most active ransomware groups in 2023 |
These three groups are important drivers of the surge in ransomware attacks in 2023, but they are not the only ones responsible. Many attacks come from emerging ransomware groups such as 8Base, Rhysida, 3AM, Malaslocker, BianLian, Play, Akira, etc.
A newcomer to the ransomware industry
At Cyberint, the research team continuously studies the latest ransomware groups and analyzes their potential impact. This blog will look at 3 new players in the industry, examine their impact in 2023 and delve into their TTPs.
To learn about other new players, download the 2023 Ransomware Report here.
3am ransomware
A newly discovered ransomware variant called 3AM has emerged, but its use has so far been restricted. By 2023, they had only managed to impact more than 20 organizations (mainly in the United States). However, they became infamous when the ransomware affiliate attempted to deploy LockBit on a target network, which switched to 3am when LockBit was blocked.
New ransomware families appear frequently, and most disappear quickly or do not gain significant traction at all. However, the fact that 3AM is used as a fallback by a LockBit affiliate suggests that attackers may be interested in it and may reappear in the future.
Interestingly, 3AM is coded in Rust and appears to be a brand new malware family. It follows a specific sequence: it attempts to stop multiple services on the infected computer before starting the file encryption process. After completing encryption, it attempts to delete the volume shadow (VSS) copy. Any potential links between its authors and known cybercrime organizations remain unclear.
 |
| Figure 4: Data leaked at 3am |
The threat actor’s suspicious activity begins with using the gpresult command to retrieve the policy settings on the computer that are enforced for a specific user. They then executed various components of Cobalt Strike and worked to use PsExec to escalate privileges on the computer.
Subsequently, the attacker conducted reconnaissance through commands such as whoami, netstat, quser, and net share. They also tried using quser and net view commands to identify other servers for lateral movement. Additionally, they created a new user account for persistence and used the Wput tool to transfer the victim’s files to their FTP server.
At first glance, using the 2004 Yugeon Web Clicks script may appear confusing. This raises questions about why emerging ransomware groups would choose this outdated technology. However, there are several potential reasons for this choice, including:
- hazy: Older scripts and techniques may not be universally recognized by modern security tools, reducing the likelihood of detection.
- Simple: Older scripts may provide simple functionality without the complexity of modern scripts, making deployment and management easier.
- over confidence: The group may be very confident in their abilities and may not see the need to invest in more advanced technology, especially for their website.
It’s worth noting that this choice exposes the team to certain risks. Employing outdated technology with known vulnerabilities could leave their operations vulnerable to potential disruption by external attacks, countermeasures, or other threat actors.
The 3AM ransomware group’s choice to use outdated PHP scripts demonstrates the unpredictability of cybercriminals. Although they use advanced ransomware strains to target organizations, their choice of backend technology can be influenced by a combination of strategic considerations, convenience, and overconfidence. It emphasizes the importance of organizations remaining vigilant and adopting a holistic approach to security, recognizing that threats can come from both state-of-the-art and outdated technologies.
Known TTP
| tool | Strategy |
| resource development | T1650 – Obtaining access rights |
| collect | T1560 – Archive collected data |
| Influence | T1565.001 – Store data operation |
| collect | T1532 – Archive collected data |
| collect | T1005 – Data from local system |
Rhysida ransomware
The Rhysida ransomware group came into the spotlight in May/June 2023 when it launched a victim support chat portal, accessible through its TOR (.onion) website. They claim to be a “cybersecurity team” that targets victims’ systems and highlights vulnerabilities with their best interests in mind.
In June, Rhysida drew attention after publicly disclosing Chilean Arm documents stolen from its data breach website. The group has since gained notoriety for its attacks on medical institutions, including Prospect Medical Holdings, leading to close tracking by government agencies and cybersecurity companies. They targeted several high-profile entities, including the British Library and Insomniac Games, a video game developer owned by Sony. They caused a major technical disruption at the British Library and sold stolen PII online. They have demonstrated broad influence across different industries.
Known TTP
| tool | Strategy |
| Privilege escalation | T1055.003 – Thread execution hijacking |
| Privilege escalation | T1547.001 – Registry Run Key/Startup Folder |
| Privilege escalation | T1055 – Process Injection |
| Privilege escalation | T1548.002 – Bypass User Account Control |
| defense evasion | T1036 – Disguise |
| defense evasion | T1027.005 – Remove indicator from tool |
| defense evasion | T1027 – Obfuscated document or message |
| defense evasion | T1620 – Reflection code loading |
| defense evasion | T1564.004 – NTFS file attributes |
| defense evasion | T1497-Virtualization/Sandbox Avoidance |
| defense evasion | T1564 – Hidden Artifacts |
| Discover | T1083 – File and directory discovery |
| Discover | T1010 – Application window discovery |
| Discover | T1082 – System information discovery |
| Discover | T1057 – Process Discovery |
| Discover | T1518.001 – Security Software Discovery |
| initial visit | T1566-Phishing |
| collect | T1005 – Data from local system |
| collect | T1119 – Automatic collection |
| resource development | T1587 – Developmental Capabilities |
| resource development | T1583-Acquisition of infrastructure |
| implement | T1129 – Shared Module |
| implement | T1059 – Command and Script Interpreter |
| reconnaissance | T1595-Active Scan |
| reconnaissance | T1598-Phishing message |
Akira Group
The Akira organization was discovered in March 2023 and has claimed 81 victims so far. Preliminary research shows close ties between the group and the notorious ransomware group Conti. The leak of Conti source code led to multiple threat actors using Conti’s code to build or adapt their own code, making it challenging to determine which groups are associated with Conti and which groups are simply exploiting the leaked code.
However, Akira does provide some clear clues that there is a connection to Conti, ranging from similarities in approach to ignoring the same file types and directories, and merging similar features. In addition, Akira uses the ChaCha algorithm for file encryption, which is similar to the Conti ransomware. Ultimately, the individual behind the Akira ransomware paid the entire ransom to an address associated with the Conti group.
Akira provides ransomware as a service, affecting Windows and Linux systems. They use official DLS (data leakage sites) to publish information about their victims and updates about their activities. Threat actors are primarily based in the United States, but also target the United Kingdom, Australia, and other countries.
They steal and encrypt data, forcing victims to pay double the ransom to regain access and recover files. In nearly all instances of compromise, Akira leverages compromised credentials to gain an initial foothold in the victim’s environment. Interestingly, most targeted organizations neglect to implement multi-factor authentication (MFA) for their VPNs. While the exact origin of these stolen credentials remains uncertain, it is possible that threat actors obtained access or credentials from the dark web.
Known TTP
| tool | Strategy |
| leakage | T1567 – Penetration via Web Services |
| initial visit | T1566.001 – Spear Phishing Accessory |
| leakage | T1041 – Penetration through C2 channel |
| leakage | T1537 – Transfer data to cloud account |
| collect | T1114.001 – Local Email Collection |
| Influence | T1486 – Data encryption for greater impact |
| initial visit | T1566.002 – Spear Phishing Link |
| implement | T1059.001 – PowerShell |
| implement | T1569.002 – Service Execution |
| Discover | T1016.001 – Network connection discovery |
| initial visit | T1078 – Valid Account |
| Privilege escalation | T1078 – Valid Account |
| defense evasion | T1078 – Valid Account |
| persist in | T1078 – Valid Account |
| Privilege escalation | T1547.009 – Shortcut modification |
| persist in | T1547.009 – Shortcut modification |
| initial visit | T1190 – Utilizing public-facing applications |
| defense evasion | T1027.001 – Binary padding |
| leakage | T1029 – Book a transfer |
| implement | T1059.003 – Windows Command Shell |
| initial visit | T1195 – Supply Chain Compromise |
| defense evasion | T1036.005 – Matches legal name or location |
| Privilege escalation | T1547.001 – Registry Run Key/Startup Folder |
| persist in | T1547.001 – Registry Run Key/Startup Folder |
| leakage | T1020 – Automatic Infiltration |
The ransomware industry is booming, attracting new and bold groups seeking to make a name for themselves by developing high-quality ransomware services and tools. By 2024, Cyberint expects that some of these newer organizations will have increased their capabilities and become dominant players in the industry, along with established organizations such as LockBit 3.0, Cl0p, and AlphV.
Read Cyberint’s 2023 Ransomware Report to learn about the top target industries and countries, breakdown of the top 3 ransomware groups, noteworthy ransomware families, new industry entrants, noteworthy activities in 2023, and 2024 Forecast.
