Ransomware

The ransomware threat continues to grow and remains one of the biggest threats to organizations and enterprises, causing significant damage. One of the biggest drivers fueling ransomware attacks is the Ransomware-as-a-Service (RaaS) distribution model. In this model, threat actors provide an existing ransomware platform, consisting of a ransomware variant plus infrastructure. Other individuals or groups, known as affiliates, use the platform to conduct ransomware attacks for profit. Generally, the ransomware affiliate gains access to targeted systems and networks, encrypts their files, and demands a ransom from the victim. Notably, attacks by RaaS groups often differ in their tactics, techniques and procedures (TTPs), as they are performed by different affiliates.

Many ransomware groups use the 'double extortion' tactic, which involves stealing victims' files before encrypting their systems and threatening to leak them if the ransom is not paid. In addition, most ransomware groups have Dark Web data leak and extortion sites, where they announce their victims. These sites serve as an additional tactic to pressure victims to pay the ransom, and if it is not paid, the stolen data is leaked via that site. During 2023, an increase of nearly 40% in ransomware attacks was logged worldwide, in comparison to the previous year. [1]

Vulnerability exploitation – During 2023, prominent RaaS groups continued to exploit vulnerabilities to carry out their attacks, including those mentioned in the previous section. In some incidents, both LockBit and Cl0p exploited the same vulnerabilities, such as CVE-2023-0699 in GoAnywhere MFT. Moreover, Cl0p boosted its operation due to the exploitation of CVE-2023-34362 and CVE-2023-35036, aka MOVEit. Furthermore, LockBit was observed exploiting CVE-2023-4966, aka Citrix Bleed.
Emerging ransomware groups are making a significant impact – Analysis of ransomware activities during 2023 reveals two new ransomware groups, Akira and Rhysida, which are among the top 10 active ransomware groups, despite having emerged very recently. The high volume of activity of these two groups puts them in league with the infamous LockBit and Cl0p ransomware groups, which first became active in 2019. In 2023, several ransomware groups ceased their operations altogether or underwent significant changes, such as rebranding. We assume that 2024 will witness additional ransomware attacks by Akira and Rhysida, if they are not stopped by authorities.

1. Source: Zscaler ThreatLabz 2023 Ransomware Report