The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

PolySwarm's 2024 Malware to Watch

Jan 8, 2024 1:04:35 PM / by The Hivemind

MALWARE TO WATCH

Executive Summary

In this first report of 2024, PolySwarm analysts chose the malware families to watch in 2024. A small selection of samples of each family are provided as well.

Key Takeaways

  • In this first report of 2024, PolySwarm analysts chose the malware families to watch in 2024.
  • A small selection of samples of each family are provided as well.
  • Rising malware families we chose include Hunters International, BlackSuit, 8Base, and Play.
  • Prolific malware families we expect to exhibit increased activity in 2024 include ALPHV, Rhysida, and LockBit.

Rising Families

Hunters International

Hunters International is a ransomware-as-a-service that emerged in Q3 2023. It is thought to be a rebrand of Hive because its source code shares around 60% similarity with Hive’s codebase. However, the group has denied any affiliation with Hive.

Unlike some ransomware groups, they do not appear hesitant to attack entities in the healthcare vertical. In December, they allegedly victimized Blackstone Valley Community Health Care. This year, the group has already claimed Bradford Health as a victim. While Hunters International exhibited limited activity in 2023, our analysts expect them to expand their operations in 2024.

Hunters International Samples

C4d39db132b92514085fe269db90511484b7abe4620286f6b0a30aa475f64c3e

You can use the following CLI command to search for all HuntersInternational samples in our portal:

$ polyswarm link list -f HuntersInternational

BlackSuit

BlackSuit is thought to be a rebrand of Royal ransomware. BlackSuit targets both Windows and Linux systems. Like Royal, BlackSuit uses OpenSSL’s AES for encryption and leverages similar intermittent encryption techniques for fast and efficient encryption of victim files. After encrypting files on a victim machine, BlackSuit appends the .blacksuit extension to encrypted files and drops its ransom note. The ransom note lists the ransomware’s TOR chat site and a unique ID for each affected victim. BlackSuit threat actors use a leaks site and a double extortion model, demanding ransom for unlocking files and for not leaking stolen information.
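To show why the intermittent encryption technique attributed to BlackSuit above undermines a simple whole-file entropy heuristic, here is an added example (not code from the post or from PolySwarm) that scores a file per chunk instead; the chunk size, the entropy threshold and the three sample files are constructed assumptions.

```python
import math
import random
from collections import Counter

CHUNK = 1024        # assumed block size for the per-chunk check
THRESHOLD = 7.5     # bits per byte; uniform random bytes score close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each consecutive chunk of the file."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK, threshold: float = THRESHOLD) -> str:
    """'plaintext' if no chunk is high-entropy, 'fully-encrypted' if every chunk is,
    'intermittent' if the file mixes high- and low-entropy chunks."""
    flags = [e >= threshold for e in chunk_entropies(data, chunk)]
    if not any(flags):
        return "plaintext"
    if all(flags):
        return "fully-encrypted"
    return "intermittent"


# Constructed samples (not real victim files): 16 chunks of 1 KiB each.
_rng = random.Random(2024)
_text = (b"Quarterly report: revenue, headcount and notes for the board. " * 20)[:CHUNK]
_random_chunk = lambda: bytes(_rng.randrange(256) for _ in range(CHUNK))

SAMPLE_PLAIN = _text * 16
SAMPLE_FULL = b"".join(_random_chunk() for _ in range(16))
# Every other chunk replaced with random bytes, mimicking partial encryption.
SAMPLE_INTERMITTENT = b"".join(_random_chunk() if i % 2 else _text for i in range(16))

if __name__ == "__main__":
    for name, blob in [("plain", SAMPLE_PLAIN), ("full", SAMPLE_FULL),
                       ("intermittent", SAMPLE_INTERMITTENT)]:
        print(f"{name:13s} whole-file={shannon_entropy(blob):.2f} verdict={classify(blob)}")
```

The whole-file entropy of the intermittent sample stays below the threshold, so a file-level check alone would call it plaintext; the per-chunk verdict is what flags it.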

Our analysts expect BlackSuit to continue Royal’s trajectory of widespread targeting, including targeting of critical infrastructure entities. One of BlackSuit’s first victims of 2024 was South Carolina’s Kershaw County School District.

BlackSuit Samples

B57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c

4d7f6c6a051ecb1f8410243cd6941b339570165ebcfd3cc7db48d2a924874e99

90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c

1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e

You can use the following CLI command to search for all BlackSuit samples in our portal:

$ polyswarm link list -f BlackSuit

8Base

8Base, active since at least 2022, has recently shown an increase in activity. 8Base is known for data extortion. They claim to only target companies that have neglected to adequately secure their data.

The group encrypts victim files and uses a name-and-shame scheme in an attempt to coerce the victim to pay the ransom. The group seems to target opportunistically, with a high percentage of targets located in the US and Brazil. While 8Base’s origin is unknown, industry researchers noted they are unlikely to be a startup operation due to the sophistication and speed of their operations and organization. Industry researchers also noted similarities between 8Base and other groups including RansomHouse and Phobos.

8Base was very active in mid-2023 and continued to be active to a lesser degree in late 2023. In October 2023, an advisory was issued warning that 8Base had been observed targeting an entity in the healthcare vertical. The group also claimed a high number of victims in December 2023. Our analysts have picked them as a family to watch in 2024 due to their unique approach to extortion.

8Base Samples

518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c

E142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0

You can use the following CLI command to search for all 8Base samples in our portal:

$ polyswarm link list -f 8Base

Play

Play ransomware group, also known as PlayCrypt, has been active since mid-2022. The group is known to use double extortion tactics. Their targets have primarily been in North America, South America, and Europe. Targets have included entities in the government, financial, legal, software, shipping, law enforcement, and logistics verticals.

In early 2023, Play was observed using new custom data gathering tools, making data exfiltration for extortion more effective. By October 2023, the FBI noted Play had amassed at least 300 victims. In November 2023, industry researchers noted that Play was being sold as a service. In December, it was one of the most active ransomware families. Play has already claimed several victims in 2024, including Madison Capital, WPM, and The Time Group. Due to the group’s momentum in late 2023 and the availability of Play as a service, our analysts expect it to be one of the more active ransomware families in early 2024.

Play Samples

453257c3494addafb39cb6815862403e827947a1e7737eb8168cd10522465deb

47c7cee3d76106279c4c28ad1de3c833c1ba0a2ec56b0150586c7e8480ccae57

75404543de25513b376f097ceb383e8efb9c9b95da8945fd4aa37c7b2f226212

7a42f96599df8090cf89d6e3ce4316d24c6c00e499c8557a2e09d61c00c11986

You can use the following CLI command to search for all Play samples in our portal:

$ polyswarm link list -f Play

Increased Activity Expected

The following malware families were chosen due to their historical activity, including heavy activity in 2023. We have already covered these families in more detail in our 2023 Recap - Malware Hall of Fame report.

ALPHV

ALPHV stood out from the other malware PolySwarm encountered in 2023 due to its growing popularity and tendency to be used to compromise high-value targets. While law enforcement apparently seized ALPHV’s darknet site in December, the group reportedly regained control of it shortly thereafter. Additionally, ALPHV removed all rules from its affiliate program, no longer forbidding affiliates from targeting critical infrastructure entities. Our analysts predict there will be more ALPHV activity on the horizon and that an increasing number of critical infrastructure entities may be targeted by ALPHV attacks.

ALPHV Samples

e7060538ee4b48b0b975c8928c617f218703dab7aa7814ce97481596f2a78556

9802a1e8fb425ac3a7c0a7fca5a17cfcb7f3f5f0962deb29e3982f0bece95e26

f7a038f9b91c40e9d67f4168997d7d8c12c2d27cd9e36c413dd021796a24e083

3a08e3bfec2db5dbece359ac9662e65361a8625a0122e68b56cd5ef3aedf8ce1

F8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6

You can use the following CLI command to search for all ALPHV samples in our portal:

$ polyswarm link list -f ALPHV

Rhysida

Rhysida stood out in 2023 due to its targeting of multiple healthcare facilities. Although it was a newcomer on the malware scene, it proved to be formidable and gained momentum in late 2023.

The British Library, one of Rhysida’s 2023 victims, is reportedly still trying to recover from the ransomware attack. The attack on Insomniac Games, another late 2023 victim of Rhysida, also raised concern about how the group has shifted tactics. Kirsten Bay, CEO of Cysurance, noted the attack demonstrates how threat actors have adapted to an organization’s ability to manage traditional ransomware attacks. Rhysida and others have begun to focus more on reconnaissance and exploitation, leveraging stolen data as a means for extortion. Ransomware groups have used double or even triple extortion tactics for quite some time. However, in some cases what used to be the “secondary” extortion tactic associated with data leaks is actually becoming the primary way a threat actor extorts a victim. In the case of the attack on Insomniac Games, Rhysida proceeded to leak more than a terabyte of data when ransom demands were not met.

Rhysida’s rampage has continued into early 2024, with Aspiration Training becoming one of their first victims of the year. Based on the group’s momentum in late 2023, our analysts expect them to be very active in 2024.

Rhysida Samples

edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef

a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6

6903b00a15eff9b494947896f222bd5b093a63aa1f340815823645fd57bd61de

3bc0340007f3a9831cb35766f2eb42de81d13aeb99b3a8c07dee0bb8b000cb96

4bf8fbb7db583e1aacbf36c5f740d012c8321f221066cc68107031bd8b6bc1ee

You can use the following CLI command to search for all Rhysida samples in our portal:

$ polyswarm link list -f Rhysida

LockBit

LockBit is a ransomware-as-a-service that has been active since at least 2019. It was one of our top malware families to watch for 2023 and has made the list yet again in 2024. In 2023, LockBit expanded its operations and added a macOS variant to its arsenal. LockBit claimed multiple high-value targets in 2023, including Boeing and multiple US government entities.

In November 2023, CISA issued an advisory warning of LockBit’s exploitation of CVE-2023-4966 (Citrix Bleed) and possible ramifications for critical infrastructure entities. LockBit claimed over 50 victims in December 2023 and has already claimed its first victim of 2024, Groupe IDEA. Our analysts expect LockBit to continue to be one of the most prolific ransomware families in 2024.

LockBit Samples

0fe8b77a72447a61e017d1c2bf8d3fb8e80bec55ba46bca81cc5c991b18bdfe9

8d864c11c820e6d85a14c4041798e4c0c6c03ca3d21a3d68a141b2425f82263f

07b158ef3cef2c6c7b2c9660f4551bfbf1c37cd690cfbf66fc149296a5be973c

5eca6566ab72b852448f5c2f47345dad8b039238ea1cb9fc81c496508c6bb6b9

Fdc3880d7911d65a7963a4869a08ef364dae0ea1b78b844f4678f1fa18bd87ef

You can use the following CLI command to search for all LockBit samples in our portal:

$ polyswarm link list -f LockBit

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.

Topics: Threat Bulletin, Malware, LockBit, ALPHV, Predictions, BlackSuit, Rhysida, 2024, Hunters International, Play, 8base

Written by The Hivemind