WWW.CTM360.COM
Copyright © 2024

TABLE OF CONTENTS

OBJECTIVE 3
METHODOLOGY 3
EXECUTIVE SUMMARY 4
KEY TAKEAWAYS 2023 5
CYBER THREAT PREDICTIONS FOR 2024 6
GENERIC MALWARE TYPES MAPPED TO KILL CHAIN 7
TOP NOTABLE MALWARE TYPES 8
RANSOMWARE CLAIMS DOMINATING THE CYBER THREAT LANDSCAPE 9
CVES EXPLOITED BY RANSOMWARE GROUPS IN 2023 11
RANSOMWARE CLAIMS: COUNTRY SPOTLIGHT 12
RANSOMWARE CLAIMS: REGION SPOTLIGHT 13
EXPLORING THE WORLD OF PROMINENT APT GROUPS 13
EMERGING AND DISMANTLED RANSOMWARE GROUPS 14
MAJOR SECURITY BREACHES IN 2023 15
COMMONLY USED MITRE TECHNIQUES BY ATTACKERS IN 2023 17
TOP TECHNIQUES IN MALWARE TYPES 18
CROSS PLATFORM SHELLS & SCRIPTING TECHNIQUES 19
ACTIONABLE MITIGATIONS 20
REFERENCES 21

Independent from CTM360’s data, the statistics presented in this report are derived from an analysis of 908 threat reports published by Alienvault across the year 2023.

We chose Alienvault as it consistently publishes reports in the Traffic Light Protocol (TLP) Clear format. These reports are independent, aggregated and typically not skewed by any one vendor’s data, which may be influenced by geographies / industries of deployment.

The data analyzed for ransomware claims was obtained from the claimed pages of ransomware groups.

CTM360 has provided insights in this report on the top trending malware, ransomware, and APT groups, including their preferred CVEs, sample claimed victims, as well as the notable techniques that threat actors have leveraged over the year.

NOTE: This report is intended for organizations and may not address the needs of individual users.

EXECUTIVE SUMMARY

One major takeaway from analyzing threat actor claims was the repeatability and similarities in the playbooks of different ransomware groups.

The most commonly used MITRE ATT&CK techniques in 2023 were Phishing (T1566), Command & Scripting Interpreter (T1059), and Obfuscated Files or Information (T1027).

Command & Scripting Interpreter was a common technique in four types of malware, while PowerShell emerged as the most exploited sub-technique within the Command and Scripting Interpreter technique.

Advanced Persistent Threat (APT) groups such as Lazarus Group, Kimsuky, and Blind Eagle (APT-C-36) were the top reported APT groups, together comprising 53.8% of the Top 10 APT groups distribution in 2023.

CTM360 also features a cyber threat prediction for the year 2024, providing insights into the anticipated trends that are expected to prevail in the coming year.

This data-driven approach aims to empower organizations with valuable insights, aiding in the formulation of robust defensive strategies and enhancing overall cyber resilience.

KEY TAKEAWAYS 2023

Top malware identified:
• Cobalt Strike: 26.7%
• Redline: 14.1%
• Qakbot: 9.6%
(Page 8)

Top targeted countries based on ransomware claims:
• United States: 49.3%
• UK: 6.5%
• Canada: 4.2%
(Page 12)

Top notable malware types:
• Remote Access Trojans (RATs): 45.1%
• Information stealers: 29.5%
• Dropper/Downloader: 20.2%
• Tools/Data exfiltration: 5.2%
(Page 8)

Top reported APT groups:
• Lazarus: 28.8%
• Kimsuky: 15.4%
• Blind Eagle (APT-C-36): 9.6%
(Page 13)

Top 3 most used techniques:
• T1566-Phishing: 16.1%
• T1059-Command & Scripting Interpreter: 15.5%
• T1027-Obfuscated files or information: 13.5%
(Page 17)

Top ransomware claims:
• LockBit: 24.1%
• Clop: 10.8%
• BlackCat (AlphV): 9.7%
(Page 10)

CYBER THREAT PREDICTIONS FOR 2024

Based on our analysis of attack patterns and emerging threat trends in 2023, CTM360 anticipates an increase in the following types of attacks in 2024.

Ransomware Attacks

Ransomware attempts will continue to escalate in 2024, with successful ransomware incidents expected to increase globally. This will result in a larger number of claimed victims across the public and private sector. Given the trend analysis of 2023, successful attempts will cover a range of industries including but not limited to government, conglomerates / MNCs as well as SMBs.

Surge in Hacktivist Activity

CTM360 predicts a significant increase in hacktivist groups’ activity on forums and social media platforms in 2024. These groups are likely to target nations and their critical national infrastructures (CNI) and organizations, offering DDoS, data leaks, exploits and ransomware as a service. This trend poses a significant concern as it often leads to disruptions and potential damage to the infrastructure.

Supply Chain Attacks

Threat actors will persist in targeting third-party vendors and suppliers as a means to conduct their attacks. The challenges posed by third-party risk, particularly across the supply chain, are expected to continue and potentially intensify. It has been observed that third-party breaches contribute to information leaks, operational disruptions and reputational losses; a trend that is expected to continue in 2024.

Socially Engineered Attacks

CTM360 predicts a rise in social engineering tactics, such as phishing, vishing, smishing and impersonations. Cybercriminals continue to evolve, seeking to compromise employees and citizens. Common tactics include misinformation, deceptive ads, impersonations of public figures, pressure tactics, attractive investment schemes, etc. AI-generated content also has considerable potential for constructing such attacks quickly.

State-sponsored Cyberattacks

State-sponsored cyber threats have increased and will continue to increase in both frequency and sophistication. Nation-states may engage in cyber espionage, intellectual property theft, disinformation campaigns, and disruptive attacks, specifically targeting governments, organizations, and critical infrastructure. These attacks can have far-reaching geopolitical implications and may be utilized to gain strategic advantages.

CVE Announcements / Exploits Will Create Time-bound Pressures

In 2024, we can expect further announcements of impactful vulnerabilities specific to products and applications; these are often seen as low-hanging fruit for hackers and are often repeatable. A risk-based, on-time management strategy for such vulnerabilities is deemed to be an essential aspect of ensuring on-going cyber resilience.

GENERIC MALWARE TYPES MAPPED TO KILL CHAIN

Downloader/Droppers

In the Delivery stage, different types of malware, such as droppers or downloaders, are sent via malicious emails or infected websites. Depending on their type, these malware either drop a payload or establish connections with remote servers to carry out their harmful actions in the next stage.

Info-Stealers

In the Installation stage, Info-Stealer Trojans are used to obtain data illicitly. These trojans are specifically designed to steal information or other valuable data from the system.

[Figure: the cyber kill chain (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objectives). The goals shown on the figure for the stages are: attacker research, prepare attack, stealth distribution, exploit vulnerabilities, attacker in control, operate / decimate / spread, achieve their objective.]

Remote Access Trojan (RAT)

In the Exploitation stage, once the delivery agents (dropper/downloader) are deployed/executed, the attacker gains access to the system via a Remote Access Trojan (RAT). By leveraging the capabilities of the RAT, the attacker can remotely execute commands, extract sensitive data, and manipulate files.

Data Exfiltration/Tools

Ultimately, Data Exfiltration/Tools are used in the Command & Control stage, where the attacker either removes or encrypts files by leveraging the system’s native tools, resulting in the data being inaccessible to the victim.

TOP NOTABLE MALWARE TYPES

[Figure: share of the top notable malware by type: Remote Access Trojan (RAT) 45.1%, Infostealer 29.5%, Dropper / Downloader 20.2%, Tools / Data exfiltration 5.2%. Malware named in the figure: Cobalt Strike, Remcos, AsyncRAT, PlugX, Redline, Lumma Stealer, StealC, IcedID, Emotet, Truebot, Batloader, GUloader, Rilide, Hazyload, Greenbot, Wedge Cut.]

[Figure: distribution of the top 10 malware identified in 2023. Cobalt Strike (RAT) leads at 26.7%, followed by Redline (Info-Stealer) at 14.1% and Qakbot at 9.6%; the remaining seven (Agent Tesla, AsyncRAT, GUloader, IcedID, PlugX, Remcos and VIDAR) share 8.9%, 8.1%, 8.1%, 6.7%, 5.9%, 5.9% and 5.9% between them.]

RANSOMWARE CLAIMS DOMINATING THE CYBER THREAT LANDSCAPE

[Infographic: 49.3 Million Success; 3,700+ organizations claimed.]

[Figure: quarterly (Q1 to Q4 2023) share of ransomware claims by group for Lockbit, Clop, Royal, Play, BlackCat, 8Base and NoEscape.]

Distribution of Top 10 Ransomware Claims:
• Lockbit: 24.10%
• Clop: 10.80%
• BlackCat (AlphV): 9.70%
• Play: 7.20%
• 8Base: 4.60%
• Akira: 3.40%
• BianLian: 3.20%
• Medusa: 3.20%
• NoEscape: 3.20%
• Royal: 3.00%

CVES EXPLOITED BY RANSOMWARE GROUPS IN 2023

Ransomware Groups | CVEs | Severity | Description
--- | --- | --- | ---
Clop | CVE-2023-47246 (SysAid) | 9.8 (Critical) | SysAid Server (on-premises version) contains a path traversal vulnerability that leads to code execution.
Lockbit 3.0, Medusa | CVE-2023-4966 (NetScaler) | 9.4 (Critical) | Citrix Bleed (CVE-2023-4966) is a critical vulnerability affecting Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances.
Clop, Lockbit 3.0 | CVE-2023-34362, CVE-2023-35036, CVE-2023-35708 (MOVEit) | 9.8 (Critical), 9.1 (Critical), 9.8 (Critical) | Multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database.
Clop, Lockbit 3.0, Bl00dy, Bianlian | CVE-2023-27350, CVE-2023-27351 (PaperCut) | 9.8 (Critical), 8.2 (High) | PaperCut MF/NG contains an improper access control vulnerability within the SetupCompleted class that allows authentication bypass and code execution in the context of system.
BlackCat, Clop, Lockbit 3.0 | CVE-2023-27532 (Veeam) | 7.5 (High) | Veeam Backup & Replication Cloud Connect component contains a missing authentication for critical function vulnerability that allows an unauthenticated user operating within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database.
Clop, BlackCat (ALPHV), Lockbit 3.0 | CVE-2023-0669 (GoAnywhere MFT) | 7.2 (High) | Fortra GoAnywhere MFT vulnerability, identified as CVE-2023-0669, allows an attacker to execute arbitrary code remotely, potentially gaining unauthorized access and control over the affected system.
Akira, Lockbit 3.0 | CVE-2023-20269 (Cisco ASA/Firepower) | 5.0 (Medium) | Unauthorized access vulnerability in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD), affecting the remote access VPN feature.

RANSOMWARE CLAIMS: COUNTRY SPOTLIGHT

[Figure: share of ransomware claims by victim country. USA 49.3%, United Kingdom 6.5%, Canada 4.2%, Others 23.3%; Germany, Australia, France, Spain, India and Italy account for the remaining shares of 4.0%, 3.5%, 3.1%, 2.2%, 2.0% and 1.9%.]

RANSOMWARE CLAIMS: REGION SPOTLIGHT

• Americas: 58.8%
• Europe: 27.2%
• Asia Pacific: 8.3%
• Middle East: 2.9%
• Oceania: 2.2%

EXPLORING THE WORLD OF PROMINENT APT GROUPS

Top 10 reported APT groups in 2023:
• Lazarus Group: 28.8%
• Kimsuky: 15.4%
• Blind Eagle (APT-C-36): 9.6%
• Reaper (APT 37): 9.6%
• Fancy Bear (APT 28): 7.7%
• Gamaredon: 5.8%
• RomCom: 5.8%
• MuddyWater: 5.8%
• OilRig: 5.8%
• Cozy Bear (APT 29): 5.8%

EMERGING AND DISMANTLED RANSOMWARE GROUPS

Timeline, 2023:
• January: Hive ransomware group shut down by law enforcement
• March: Akira ransomware appeared; European police dismantled the Doppel Paymer ransomware gang; Money Message ransomware group appeared
• May: NoEscape ransomware gang appeared
• September: Lost Trust ransomware group appeared
• October: Ragnar Locker ransomware gang taken down by international police swoop; Hunters International ransomware group appeared
• November: Trigona ransomware claimed to be dismantled by Ukrainian hacktivists; Ransomed.VC gang claims to shut down after six affiliates allegedly arrested

Most Active Ransomware Groups in 2023 | Emerging Ransomware Groups in 2023 | Dismantled Ransomware Groups in 2023
--- | --- | ---
Lockbit | Money Message | Hive
Clop | Akira | Doppel Paymer
BlackCat (AlphV) | NoEscape | Trigona
Play | Lost Trust | Ragnar Locker
8Base | Hunters International | Ransomed.VC


COMMONLY USED MITRE TECHNIQUES BY ATTACKERS IN 2023

Top 10 MITRE ATT&CK techniques observed in 2023:
• Phishing: 16.1%
• Command & Scripting Interpreter: 15.5%
• Obfuscated Files or Information: 13.5%
• Boot or Logon Autostart Execution: 9.0%
• Masquerading: 8.7%
• Deobfuscate/Decode Files or Information: 8.6%
• Process Injection: 7.7%
• User Execution: 7.6%
• System Information Discovery: 6.8%
• Web Service: 6.4%

TOP TECHNIQUES IN MALWARE TYPES

Downloader/Droppers | Remote Access Trojan (RAT) | Info-Stealers | Data Exfiltration/Tools
--- | --- | --- | ---
T1566 Phishing | T1566 Phishing | T1566 Phishing | T1134 Access Token Manipulation
T1027 Obfuscated Files or Information | T1027 Obfuscated Files or Information | T1027 Obfuscated Files or Information | T1027 Obfuscated Files or Information
T1059 Command & Scripting Interpreter | T1059 Command & Scripting Interpreter | T1059 Command & Scripting Interpreter | T1055 Process Injection

CROSS PLATFORM SHELLS & SCRIPTING TECHNIQUES

[Figure: share of Command & Scripting Interpreter (T1059) sub-techniques observed in 2023. PowerShell (T1059.001) leads at 42.1%; the remaining shares of 22.8%, 10.5%, 8.8%, 7.0%, 5.3% and 3.5% are split among Windows Command Shell (T1059.003), Unix Shell (T1059.004), Visual Basic (T1059.005), Python (T1059.006), JavaScript (T1059.007) and AppleScript (T1059.002).]

Recommendation: By employing hardening techniques, organizations can effectively mitigate shell-related attacks. Alternatively, organizations may leverage MDR, XDR, and EDR technology to detect and respond proactively to PowerShell-related attacks, offering a defense against this commonly exploited vector.
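As an added illustration of the hardening-plus-detection recommendation above (this script is not from the CTM360 report): it turns on PowerShell script block and module logging through the standard policy registry keys, then scans the PowerShell operational log for script blocks showing the download-and-execute or encoded-command behaviour that droppers and RAT loaders typically rely on. The indicator list and the 24-hour look-back window are assumptions chosen for this example.

```powershell
# Added example (not from the CTM360 report): hardening and detection for the
# PowerShell sub-technique (T1059.001). Run from an elevated PowerShell session
# on Windows with PowerShell 5.1 or later. The policy paths are the standard
# Group Policy registry locations for PowerShell logging; the indicator list
# and look-back window are assumptions for this example.

$policyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 1. Script block logging: writes the content of each executed script block,
#    after de-obfuscation, to Microsoft-Windows-PowerShell/Operational as
#    Event ID 4104, so T1027-style obfuscation no longer hides the real command.
New-Item -Path "$policyBase\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$policyBase\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 2. Module logging for every module (Event ID 4103: pipeline execution details).
New-Item -Path "$policyBase\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$policyBase\ModuleLogging" -Name 'EnableModuleLogging' -Value 1 -Type DWord
Set-ItemProperty -Path "$policyBase\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

# 3. Detection pass over the last 24 hours of 4104 events. The strings below are
#    illustrative indicators of download-and-execute or encoded-command use,
#    not an exhaustive rule set; tune them to the environment's baseline.
$indicators = @('FromBase64String', 'DownloadString', 'DownloadFile',
                'Invoke-Expression', 'IEX', '-EncodedCommand', 'Net.WebClient')
$since = (Get-Date).AddHours(-24)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue   # an empty window is not an error here

$findings = foreach ($evt in $events) {
    # Property index 2 of a 4104 event carries the logged script block text.
    $text = [string]$evt.Properties[2].Value
    $hits = $indicators | Where-Object { $text.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
    if ($hits) {
        $firstLine = ($text -split "`r?`n")[0]
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            Matched = ($hits -join ', ')
            Snippet = $firstLine.Substring(0, [Math]::Min(100, $firstLine.Length))
        }
    }
}

$findings | Sort-Object Time -Descending | Format-Table -AutoSize
```

Forward the same 4104/4103 events to the SIEM or EDR so the detection runs centrally rather than host by host.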

ACTIONABLE MITIGATIONS

Mitigation: Proactively detect and take down phishing websites, and block lookalike domains on the email gateway. Strengthen email security with DMARC, SPF, and DKIM protocols. Conduct simulated phishing exercises and maintain an updated incident response plan to reduce phishing attacks effectively.

For prescriptive hardening guidelines, please visit our platform ThreatCover.

REFERENCES

• https://www.statista.com/statistics/494947/ransomware-attempts-per-year-worldwide/
• https://tech.co/news/data-breaches-updated-list
• https://idverse.com/top-5-data-breaches-of-2023-so-far/
• https://www.scmagazine.com/resource/report-ransomware-payouts-and-recovery-costs-went-way-up-in-2023
• https://aag-it.com/the-latest-ransomware-statistics/
• https://www.npr.org/2023/01/26/1151696092/fbi-says-it-hacked-the-hackers-to-shut-down-major-ransomware-group
• https://securityaffairs.com/143110/cyber-crime/europol-doppelpaymer-ransomware-gang.html
• https://www.europol.europa.eu/media-press/newsroom/news/ragnar-locker-ransomware-gang-taken-down-international-police-swoop
• https://www.bankinfosecurity.com/ukrainian-hacktivists-claim-trigona-ransomware-takedown-a-23343
• https://www.bleepingcomputer.com/news/security/new-money-message-ransomware-demands-million-dollar-ransoms/
• https://www.hhs.gov/sites/default/files/noescape-ransomware-analyst-note-tlpclear.pdf
• https://otx.alienvault.com/pulse/651ff02d7896fd42255e1640
• yventures.com/ransomware-will-strike-every-2-seconds-by-2031/
• https://www.at-bay.com/articles/blackcat-ransomware-group-exploits-goanywhere-vulnerability/
• https://www.techtarget.com/searchsecurity/news/366559674/LockBit-observed-exploiting-critical-Citrix-Bleed-flaw
• https://nvd.nist.gov/vuln/detail/CVE-2023-47246
• https://www.govtech.com/security/what-is-citrix-bleed-the-next-ransomware-patch-you-need
• https://healthitsecurity.com/news/clop-lockbit-leveraging-3-known-vulnerabilities-in-healthcare-ransomware-attacks-hhs-warns
• https://medium.com/s2wblog/story-of-h1-2023-in-depth-examination-of-notable-ransomware-groups-and-key-issues-english-ver-f4900d297af8
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC
• https://blog.iinfosec.com/network-security-news/2023-06-19
• https://www.theregister.com/2023/10/25/rebuilt_hive_ransomware_gang_stings/
• https://tech.co/news/t-mobile-massive-security-breach
• https://www.securityweek.com/millions-of-att-customers-notified-of-data-breach-at-third-party-vendor/
• https://www.darkreading.com/endpoint-security/okta-employee-data-exposed-third-party-vendor
• https://www.theregister.com/2023/11/10/ransomedvc_shut_down/
• https://securityaffairs.com/150157/cyber-crime/cisco-asa-ransomware-attacks.html
