Contents: Year of GenAI 2 · Threat Snapshot 3 · Vulnerability Intelligence 4 · Ransomware 5 · Stolen Access Credentials 6 · Tips 7

Ransomware

Key Findings

1. Constant re-use and evolution: The ransomware landscape continues to evolve. Although some ransomware groups have seemingly stopped their operations, ransomware source code is constantly being leaked, and competing groups keep launching new activity built on that pre-existing malware.

Top 10 Active Ransomware Groups in 2023 (presented in descending order of activity level):

Ransomware Group: Description

LockBit: Active since 2019. Ransomware as a service (RaaS), enabling affiliates to use existing tools to execute ransomware attacks. Top ransomware family since 2022.

Cl0p: Active since 2019. Prolific RaaS group operated by Russian-speaking threat actors, targeting high-profile organizations from various industries and sectors worldwide. Its rise was driven by its MOVEit campaign (exploiting CVE-2023-34362, a SQL injection vulnerability in the MOVEit Transfer web application), the most impactful extortion campaign we have seen.

Alphv | BlackCat: Active since 11.2021. A Russian-speaking RaaS group; uses double extortion.

BlackBasta: Active since 02.2022. Launched its leak website on the Dark Web in Apr. 2022. Deployed as a second-stage payload on systems first infected with the Qakbot (or Qbot) banking trojan/dropper malware. Upon execution, exfiltrates files of interest.

Play: Active since 06.2022. Targets companies and organizations from various sectors, mainly in Europe and North America. Uses double extortion, exfiltrating data prior to ransomware deployment.

Vice Society: Active since 06.2021. Targets both Windows and Linux systems and has targeted various sectors and industries (e.g. healthcare, education, transportation, manufacturing).

BianLian: Active since 06.2022. Started as a ransomware group. Appears to gain initial access to victims' systems via compromised RDP credentials, likely acquired from initial access brokers. In Mar. 2023, reportedly shifted from encrypting victims' networks to relying solely on data-leak extortion to extract payments.

8base: Active since 03.2022. Was relatively unknown until recently; since May 2023 has significantly increased its double extortion ransomware attacks. Targets various industries (e.g. IT, business services, finance, manufacturing, healthcare, automotive).

Akira: Active since 03.2023. Has targeted numerous organizations from various industries (e.g. education, finance, real estate, manufacturing, consulting). Uses double extortion.

Rhysida: Active since 05.2023. Uses double extortion.

[Timeline figure: first-active dates of the ten groups, from 2019 (LockBit, Cl0p) through 06.2021 (Vice Society), 11.2021 (Alphv | BlackCat), 02.2022 (BlackBasta), 03.2022 (8base), 06.2022 (Play, BianLian), 03.2023 (Akira) and 05.2023 (Rhysida)]