Copyright © 2024
TABLE OF CONTENTS
OBJECTIVE 3
METHODOLOGY 3
EXECUTIVE SUMMARY 4
ACTIONABLE MITIGATIONS 20
REFERENCES 21
(Page 13)
• T1566-Phishing: 16.1%
• T1059-Command & Scripting Interpreter: 15.5%
• T1027-Obfuscated Files or Information: 13.5%
(Page 17)
• LockBit: 24.1%
• Clop: 10.8%
• BlackCat (AlphV): 9.7%
(Page 10)
Ransomware Attacks
Ransomware attempts will continue to escalate in 2024, with successful ransomware incidents expected to increase globally. This will result in a larger number of claimed victims across the public and private sector. Given trend analysis of 2023, successful attempts will cover a range of industries including but not limited to government, conglomerates / MNCs as well as SMBs.

Surge in Hacktivist Activity
CTM360 predicts a significant increase in hacktivist groups' activity on forums and social media platforms in 2024. These groups are likely to target nations and their critical national infrastructures (CNI) and organizations, offering DDoS, data leaks, exploits and ransomware as a service. This trend poses a significant concern as it often leads to disruptions and potential damage to the infrastructure.

State-sponsored Cyberattacks
[Figure: Cyber kill chain. Stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objectives. Stage labels: prepare attack, attacker research, stealth distribution, exploit vulnerabilities, attacker in control, operate, decimate or spread, achieve their objective. Malware categories labelled: Downloader/Droppers, Info-Stealers.]
[Figure: Malware categories observed. Remote Access Trojan (RAT) 45.1%; Infostealer 29.5%; Dropper / Downloader 20.2%; Tools / Data exfiltration (labelled Emotet) 5.2%. Families labelled in the chart: Cobalt Strike (RAT) 26.7%, Remcos, AsyncRAT, PlugX, Redline, Lumma Stealer, StealC, Vidar, IcedID, Qakbot, Truebot, Batloader, GUloader, Hazyload, Rilide, Greenbot, Wedge Cut. Other bar values shown: 14.1%, 9.6%, 8.1%, 8.1%, 6.7%, 5.9%, 5.9%.]
[Infographic: 49.3 Million; Success; 3,700+ organizations claimed]
[Figure: Quarterly (Q1 to Q4) share of ransomware claims by group: Lockbit, Clop, Royal, Play, BlackCat, 8Base, No Escape; y-axis 0 to 50%.]

[Figure: Distribution of Top 10 Ransomware Claims: Lockbit 24.10%, Clop 10.80%, BlackCat (AlphV) 9.70%, Play 7.20%, 8Base 4.60%, Akira 3.40%, BianLian 3.20%, Medusa 3.20%, NoEscape 3.20%, Royal 3.00%.]
[Figure: Distribution by country. Legend: USA, United Kingdom, Germany, Australia, Canada, France, Spain, India, Italy, Others. Shares shown: 49.3%, 6.5%, 4.2%, 4.0%, 3.5%, 3.1%, 2.2%, 2.0%, 1.9%, 23.3% (Others).]
[Figure: APT groups observed: Kimsuky 15.4%, Reaper (APT 37) 9.6%, Gamaredon 5.8%, RomCom 5.8%, MuddyWater 5.8%, OilRig 5.8%, Cozy Bear (APT 29) 5.8%. Regions: Americas 58.8%, Asia Pacific 8.3%, Middle East 2.9%, Oceania 2.2%.]
2023 ransomware timeline:
• January 2023: Hive ransomware group shut down by law enforcement
• 2023: Akira ransomware appeared
• March 2023: European police dismantled the DoppelPaymer ransomware gang
• 2023: Money Message ransomware group appeared
• May 2023: NoEscape ransomware gang appeared
• September 2023: Lost Trust ransomware group appeared
• 2023: Ragnar Locker ransomware gang taken down by international police swoop
• October 2023: Hunters International ransomware group appeared
• November 2023: Trigona ransomware claimed to be dismantled by Ukrainian hacktivists
• 2023: Ransomed.VC gang claims to shut down after six affiliates allegedly arrested
[Timeline figure: date markers January 2023, March 2023, March 2023, March 2023, April 2023, May 2023, August 2023, September 2023, September 2023, October 2023, November 2023, November 2023; event labels not recovered.]
[Figure: Top 10 MITRE ATT&CK techniques observed: Phishing 16.1%, Command & Scripting Interpreter 15.5%, Obfuscated Files or Information 13.5%, Boot or Logon Autostart Execution 9.0%, Masquerading 8.7%, Deobfuscate/Decode Files or Information 8.6%, Process Injection 7.7%, User Execution 7.6%, System Information Discovery 6.8%, Web Service 6.4%.]
[Table residue: columns headed T1059 Command & Scripting Interpreter (three columns) and T1055 Process Injection.]
[Figure: Breakdown of T1059 Command & Scripting Interpreter sub-techniques: PowerShell (T1059.001), Windows Command Shell (T1059.003), Visual Basic (T1059.005), JavaScript (T1059.007), Unix Shell (T1059.004), AppleScript (T1059.002), Python (T1059.006). Bar values shown: 42.1%, 22.8%, 10.5%, 8.8%, 7.0%, 5.3%, 3.5%; y-axis 0 to 50%.]

Recommendation: By employing hardening techniques, organizations can effectively mitigate shell-related attacks. Alternatively, organizations may leverage MDR, XDR, and EDR technology to detect and respond proactively to PowerShell-related attacks, offering a defense against this commonly exploited vector.
[Figure residue (Actionable Mitigations): label "Acts as a kill-switch".]
WWW.CTM360.COM