In the fourth quarter of 2023 (Q4 2023), a stunning 80% more organizations were hit by ransomware attacks than in Q4 2022. It’s an alarming statistic: an emergency flare signaling the growing threat cybercriminals pose to businesses of all sizes.

November marked a significant contribution to the ransomware activity surge, at least partly because the Citrix Bleed vulnerability was heavily exploited. On top of that, November brought new aggressive extortion tactics by the ransomware group “ALPHV,” involving the US Securities and Exchange Commission (SEC) to pressure their targets.

Every problem leaves a lesson, which is why we’re about to dig deep into these developments. The light at the end of the tunnel is a clearer view of the evolving ransomware landscape, and attacker strategies. 

The Growing Ransomware Threat: What, Where, and Why? 

In Q4 2023, ransomware was delivered primarily through public-facing application vulnerabilities and phishing attacks. The dramatic growth in ransomware attacks can be attributed to several factors. First, attackers had easy access to ransomware-as-a-service (RaaS) tools. They were also, almost certainly, driven by the attractive risk-reward ratio: Few attackers were caught and held accountable for cyber attacks. 


Figure 1: Number of compromised entities listed on data-leak sites by month in 2023

November 2023 stood out as particularly busy, with the second-highest number of compromised entities all year. The reason is probably down to all the threat groups that jumped to exploit the Citrix Bleed vulnerability to deliver ransomware. Historically, threat groups have been zealous about newly uncovered, high-severity vulnerabilities. Citrix Bleed was especially appealing because attackers easily bypassed multifactor authentication (MFA) to hijack user sessions. That’s why it’s crucial to prioritize security patches and manage vulnerabilities effectively. During Q4, many threat actors took advantage of critical vulnerabilities to distribute ransomware.

The Q4 2023 sectoral pattern of targeting remained largely consistent with the previous quarter: Manufacturing; professional, scientific, and technical services; and construction bore the brunt of the impact. Knowing which sectors are being targeted—and in which locations—can help drive proactive security measures to best prepare for a potential attack.

The regional preference was for the United States, plus the United Kingdom and Canada. Those three countries experienced the majority of documented ransomware attacks, which stands to reason: They’re appealing because of their thriving economies, English-speaking populations, and ability to pay large sums to reinstate compromised systems. They’ve become prime targets for cybercrime groups, whose members recognize the potential to seize substantial ransom payments.


Figure 2: Number of compromised entities listed on data-leak sites by threat group in Q4 2023

The number of ransomware groups only continues to expand, and the availability of RaaS continues to attract operators with varying skill levels. So we can expect the increase in ransomware attacks that began in 2023 to persist throughout 2024. Implementing proactive security measures will be essential for organizations of all sizes.

Extortion Evolution: New Tactics, Same Objective

Cyber-threat actors constantly find innovative ways to bypass the latest defensive systems. (Check out our recap of cyber-threat techniques in Q4.) They’re exploiting vulnerabilities that have not been addressed and/or targeting unsuspecting users. In the final stretch of 2023, we saw not only more attacks from certain groups, but also new tactics and techniques.

For security defenders, it’s a dynamic cat-and-mouse game, and their cybersecurity approach must stay one step ahead of threat actors’ attack strategies. Organizations and individuals should continuously update their defenses, stay vigilant, and place ongoing education and awareness at the forefront, to counter the evolving and increasingly aggressive cyber threats. We’ve come up with some specific mitigation recommendations, based on Q4 threats that seem determined to not fade away:

ALPHV Ups the Ante with SEC Disclosures

The ransomware group ALPHV (aka “BlackCat”) added an extra layer of aggression to its Q4 extortion tactics: The notorious group used SEC reporting measures against its targets after an attack, adding intimidation and pressure to meet its demands. The hyper-aggression is a response to growing resistance to paying ransom demands. Involving the SEC (or other regulatory bodies) intensifies consequences and public scrutiny for compromised entities.

ALPHV’s new tactic emphasizes the need for heightened cybersecurity measures, and preparedness for other new or evolving tactics. Security teams would also benefit from performing ongoing reviews and updates of policies, to better respond to aggressive ransomware tactics.

Also, because ALPHV is known to gain initial access to organizations through social engineering and moving laterally in a network via remote desktop protocol (RDP), we recommend:

  • Securing remote-access tools by implementing application controls
  • Educating staff about social engineering and phishing attacks
  • Installing and updating antivirus software

Figure 3: Screenshot of ALPHV’s post reporting an organization to the SEC

Play’s Proactive Demands

In Q4, we saw a significant increase in the number of compromised entities listed by the ransomware group “Play” (aka Playcrypt). The group tends to gain initial access by exploiting known public-facing vulnerabilities, such as in FortiOS, practices double extortion, and takes a discreet-but-proactive approach in attacks: Instead of providing direct payment instructions in ransom notes, they instruct victims to contact them via email.

Requesting payment in cryptocurrency, Play members specify wallet addresses where the ransom should be sent. If a target doesn’t play ball, the group escalates the situation by threatening to publicly disclose the exfiltrated data on their designated leak site.

Play likes to exploit flaws in public-facing applications to gain initial access, and exploits highly privileged administrator accounts; with that in mind, we recommend:

  • Keeping all operating systems, software, and firmware up to date
  • Practicing the principle of least privilege
  • Ensuring systems are covered by up-to-date policies

LockBit Beefs Up Member Base

Following the fall of “NoEscape” and ALPHV’s temporary outage, the “LockBit” group saw a chance to recruit members from those notorious ransomware operations. LockBitSupp, the group’s public representative, offered affiliates the use of LockBit’s data-leak site and negotiation panel. It’s unclear whether the recruitment scheme worked, but at least one organization whose compromise was linked to ALPHV ended up being named on LockBit’s leak site.

One thing that is clear: LockBit—the most active group throughout 2023—is firmly determined to not only maintain but enhance operations. By expanding membership, LockBit would increase operational capacity, which means the group has no intention of slowing down or pausing activities. Individuals and organizations should remain vigilant and fortify their cybersecurity defenses in light of the innovation and determination LockBit is showing.

LockBit and its affiliates have been seen moving laterally through systems using familiar tools, such as Windows PowerShell and server message block (SMB), so we recommend:

  • Disabling command-line and scripting activities and permissions
  • Restricting service accounts from remotely accessing other endpoints
  • Reviewing and disabling internet-facing services that are no longer in use

Ransomware in 2024: What’s in the Pipeline? 

The 2023 boost in the number of ransomware victims is a trend that looks set to continue. Here’s what we’re also anticipating:

LockBit’s NetScaler Affinity

LockBit has been exploiting vulnerabilities in NetScaler, a widely used networking technology, to target high-value organizations (banks, governments, law firms, etc). That focus suggests LockBit aims to maximize its impact and associated potential for large ransom payments; such organizations often possess sensitive (read: valuable) data. Given the profitability and success of these attacks, LockBit will probably continue its NetScaler exploitation and industry focus. To mitigate the risk, organizations should patch and update their NetScaler applications.

Clop’s Comeback Potential

In case you’re a complete stranger to cyber threat intelligence, “Clop” is a group known for its large-scale ransomware attacks, managed file transfer (MFT) vulnerability exploits, and zero-day exploitation. To say the group has been prolific is an understatement. But following a spate of attacks in its MOVEit campaign in mid-September 2023, Clop’s activity tapered off; the group named 95.3% fewer victims in Q4 2023 than in the previous quarter.

This tapering after an activity surge has been seen with Clop before, following a 2020–21 campaign that abused several zero-days. In other words, Clop could very well make a comeback. To guard against similar campaigns, organizations should minimize exposure on MFT sites by limiting content storage duration to about 5 or 10 business days—after all, these services are primarily intended for file transfers rather than long-term storage.
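One way to enforce the short retention window recommended above, as an added example that is not code from the post or from any MFT product: sweep a drop directory and flag (or delete) transfers older than a configurable number of business days, counting only Monday to Friday. The directory layout, file names and ages are constructed for the demo.

```python
# Added example (not from the post or any MFT product): retention sweep by business days.
import os
import tempfile
from datetime import date, datetime, timedelta
from pathlib import Path

def business_days_between(start: date, end: date) -> int:
    """Count Monday-to-Friday days in the half-open interval (start, end]."""
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:  # weekday() 0..4 is Mon..Fri
            days += 1
    return days

def is_expired(modified: datetime, now: datetime, max_business_days: int) -> bool:
    """True once a transfer has sat in the drop directory longer than the window."""
    return business_days_between(modified.date(), now.date()) > max_business_days

def sweep(directory: Path, max_business_days: int = 10,
          now=None, dry_run: bool = True) -> list:
    """Return files past the retention window; delete them unless dry_run."""
    now = now or datetime.now()
    expired = []
    for path in sorted(directory.iterdir()):
        if path.is_file() and is_expired(
                datetime.fromtimestamp(path.stat().st_mtime), now, max_business_days):
            expired.append(path)
            if not dry_run:
                path.unlink()
    return expired

def demo() -> list:
    """Constructed data: three transfers of different ages, swept on a Wednesday."""
    now = datetime(2024, 1, 31, 12, 0)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, age_days in (("fresh.zip", 2), ("edge.zip", 14), ("stale.zip", 20)):
            p = root / name
            p.write_bytes(b"x")
            ts = (now - timedelta(days=age_days)).timestamp()
            os.utime(p, (ts, ts))  # backdate the modification time
        return [p.name for p in sweep(root, max_business_days=10, now=now)]

if __name__ == "__main__":
    print("would delete:", demo())  # ['stale.zip']
```

The 14-calendar-day file is exactly 10 business days old and is kept; the 20-day file is 14 business days old and is flagged. Run with `dry_run=False` only after the output has been reviewed.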

NoEscape’s Silent Threat (for Now)

Within just seven months, the NoEscape group listed 145 compromised organizations on its data-leak site. In Q4 2023, the group named 24.6% more compromised entities than in the previous quarter. But, all stats aside, NoEscape hasn’t reported any newly compromised entities since December 4, 2023.

Affiliates of NoEscape allege that the group conducted an exit scam involving ransom payments worth millions of dollars. The group took down its data-leak site and has lost the trust of affiliates. But again, it’s reasonable to anticipate another iteration of the group at some point, given that NoEscape emerged as a rebrand of “Avaddon,” and given its success with multi-extortion tactics.

NoEscape affiliates are known to deliver the ransomware through various means, but the most prominent is malicious file downloads and infected email attachments. Organizations should regularly update antivirus software and conduct security awareness training for employees.

Future-Proofing

Interested in learning more about the cyber-threat landscape in 2024? Our Cyber-threat Predictions blog offers a comprehensive analysis of various topics, including the risks associated with the abuse of artificial intelligence, the potential impacts of geopolitical tension, evolving trends in initial access and ransomware, and best practices for preparing against a wide range of cyber threats.