The infostealer malware market operates mainly in a Malware-as-a-Service (MaaS) model, involving several key players. At the heart of this ecosystem are MaaS providers, who focus on developing and maintaining both the malware and its operational infrastructure. Infostealer operators, who either rent or purchase the malware, deploy them in cyber-attack campaigns against victim platforms. Underground marketplaces are crucial for trading the data harvested from these campaigns.

In the past year, this ecosystem has seen only minimal changes, with malware such as AgentTesla, FormBook, and LokiBot remaining prevalent. The accessibility of these infostealers is evident in their pricing on underground forums, where they are offered for monthly subscriptions ranging from $60 to $1,000 USD. This tiered pricing structure accommodates a wide spectrum of threat actors, from novices to seasoned hackers. In addition, there are the Initial Access Brokers, who utilize the purchased data to breach networks, often leading to extensive exploitation by ransomware.

AgentTesla, first identified in 2014, is a MaaS with keylogging capabilities and is one of the infostealers commonly detected by CP<R>. Its current version has been enhanced to steal credentials from multiple applications, including web browsers, VPN software, FTP services, and email clients. Beyond credential theft, AgentTesla has functionalities for collecting system information, disabling anti-malware processes, and capturing clipboard contents. AgentTesla is adept at extracting credentials from system registries and configuration files, and it transmits this stolen data to its command and control (C&C) server. Notably, this malware is marketed on underground forums through low-cost subscription models, making it accessible to cybercriminals with limited technical expertise.

Illegal cryptomining saw a decrease in 2023 due to Bitcoin rates not rebounding to their 2021 peak and the continued increase in mining difficulty. Only 9% of global corporate entities were affected by cryptominers in 2023, compared to 16% in 2022. With the increase in GPU (Graphics Processing Unit) prices, some threat actors are now specifically targeting graphic designers and engineering platforms for their enhanced GPU capabilities as miners. Monero remains profitable for mining, and its common open-source mining tool, XMRig, was used in 65% of cryptomining attacks in 2023. Cryptominers are integrating additional malicious functionalities, transforming some of them, like LemonDuck, into multifaceted threats that span beyond their core function of mining cryptocurrency. In some instances, as with the StripedFly malware, cryptomining activities might just be a cover for more complex espionage operations.

Cloud infrastructure continues to be a target for cryptomining exploitation. In October, researchers reported a years-long operation that exploited poorly secured IAM keys to access cloud environments for deploying Monero miners. Often, the same access that allows threat actors to install a cryptominer is later used for additional exploitation and breaches. This makes the presence of cryptominers a potential precursor to broader security issues.

Mobile devices are prime targets for cyberattacks, largely due to their central role in our daily lives and the wealth of valuable data that they contain. These devices not only store personal and financial information but may also serve as potent surveillance tools, given their capabilities to track location, record audio, and capture images.

The AhMyth Android Remote Access Trojan (RAT) is an open-source malware freely available on GitHub that is often used as basis for attack campaigns. Not surprisingly, it occupies a significant position on the Check Point top mobile malware charts. A variant of the malware, AhRat, was found in a weaponized app called ‘iRecorder – Screen Recorder’ available in the Google Play Store with over 50,000 downloads.

A “clean” version of the application has been available for Android users since 2021, and the malicious characteristics were only added later. In addition to iRecorder’s self-explanatory screen-grabbing feature, its malicious update includes sound recording and data exfiltration capabilities, including retrieval of saved web pages, images, audio, video, document, and

archive formats. The spyware functionalities may suggest a cyber-espionage campaign, which is not uncommon in the mobile malware world. For example, there is the Kamran Android malware which is specifically designed to target Urdu-speaking victims in Pakistan, or the Chinese-aligned APT operated BadBazaar Android spyware.

As always, these types of malware are also often exploited for financial gain by cyber criminals. For example, the newly emerged Chameleon Android banking Trojan targets Australian and European users’ mobile banking and cryptocurrency applications. A similar campaign was observed in India, where malicious apps impersonating banks and government services were distributed via social media platforms. Ransomware was also given a new spin within the Android ecosystem: SpyLoan applications were spread through Google Play Store to over 12 million users in Asia, Africa and South America. The malware collected victims’ personal and financial data from their mobile devices, which it used to harass and blackmail them to extort funds.

This section features information derived from almost 200 ransomware “shame sites” operated by double-extortion ransomware groups, 68 of which posted the names and information of victims from 2023. Cybercriminals use these sites to amplify pressure on victims who do not pay the ransom immediately. The data from these shame sites carries its own biases but still provides valuable insights into the ransomware ecosystem, which is currently the number one risk to businesses. The data presented below was collected for the period between January and December 2023.

Top Double-Extortion Ransomware Actors

In 2023, a total of 68 active ransomware groups reported they had breached the systems of and publicly extorted over 5,000 victims. This marks a substantial increase over past years. The ransomware events only intensified as 2023 went on. H2 recorded more than 2,800 victims compared to 2,200 in the first half of the year. Lockbit emerged as the most active during this period, responsible for 21% of the reported incidents with over 1,050 cases. Typically, threat actors grant victims a one-to-two-week grace period to meet the ransom demands. Victims who pay the ransom are not publicly exposed, which suggests that the actual number of victims could be significantly higher.

ALPHV, also known as BlackCat, targeted over 440 victims in 2023 and was the focus of a law enforcement operation. In December, a US-led operation resulted in the takedown of the group’s websites and the release of a decryption tool. According to CISA, since the beginning of its operations, the group compromised more than 1,000 victims and received ransom payments totaling nearly $300 million. The group has since resumed its criminal operation and its presence on the Dark Web.

CL0P’s activity is underrepresented in this count. In early June, CL0P exploited a zero-day vulnerability that allowed it to gain access to the MOVEit file-transfer software, leading to the compromise of over 2,600 organizations. Most of the victims’ identities were not disclosed on its shame site and therefore not included in the above count. CL0P also utilized alternative methods to further extort its victims. CL0P’s use of zero-day exploits this year also included an attack on GoAnywhere, which is detailed in another section of this report.

In terms of geographical distribution, 45% of the affected companies are situated in the United States, followed by the United Kingdom at 7%, and Canada, Germany, and Italy each at 4%. The presence of Russian victims on this list in 2023 can be attributed primarily to two actors: MalasLocker and Werewolves. Cyberattacks on entities from the former Soviet Union remain relatively infrequent. MalasLocker, active in the first part of 2023, adopted an unconventional approach by replacing traditional ransomware demands with requests for charitable donations.

When analyzing the industry sectors affected by ransomware attacks, data from the Check Point Threat Cloud highlights the education, government, and healthcare sectors as the primary targets. However, the ransomware victim landscape offers a different view. Manufacturing and retail sectors exhibit the highest number of victims, while government and education entities are positioned lower in the target hierarchy. In December 2023 alone, prominent companies like Coca-Cola Singapore (DragonForce), Nissan Motor Australia (Akira), Kraft Heinz (Snatch), Xerox (Inc ransom) were all claimed as victims by double-extortion ransomware groups.

The aforementioned discrepancy likely arises from differences in the willingness of these sectors to comply with ransom demands, with educational and governmental organizations being less inclined to make payments. These sectors are primarily targeted for the exploitation of their data, including personal and technical information, rather than for extortion-based attacks.