The PolySwarm Blog


PolySwarm's 2024 Malware to Watch

Jan 8, 2024 1:04:35 PM / by The Hivemind


Executive Summary

In this first report of 2024, PolySwarm analysts chose the malware families to watch in 2024. A small selection of samples of each family is provided as well.

Key Takeaways

  • In this first report of 2024, PolySwarm analysts chose the malware families to watch in 2024.
  • A small selection of samples of each family is provided as well.
  • Rising malware families we chose include Hunters International, BlackSuit, 8Base, and Play.
  • Prolific malware families we expect to exhibit increased activity in 2024 include ALPHV, Rhysida, and LockBit.

Rising Families

Hunters International

Hunters International is a ransomware-as-a-service that emerged in Q3 2023. It is thought to be a rebrand of Hive because its source code shares around 60% similarity with Hive’s codebase. However, the group has denied any affiliation with Hive.

Unlike some ransomware groups, they do not appear to be hesitant to attack entities in the healthcare vertical. In December, they allegedly victimized Blackstone Valley Community Health Care. This year, the group has already claimed Bradford Health as a victim. While Hunters International exhibited limited activity in 2023, our analysts expect them to expand their operations in 2024.

Hunters International Samples



You can use the following CLI command to search for all HuntersInternational samples in our portal:

$ polyswarm link list -f HuntersInternational



BlackSuit

BlackSuit is thought to be a rebrand of Royal ransomware. BlackSuit targets both Windows and Linux systems. Like Royal, BlackSuit uses OpenSSL’s AES for encryption and leverages similar intermittent encryption techniques for fast and efficient encryption of victim files. After encrypting files on a victim machine, BlackSuit appends the .blacksuit extension to encrypted files and drops its ransom note. The ransom note lists the ransomware’s Tor chat site and a unique ID for each affected victim. BlackSuit threat actors use a leaks site and a double extortion model, demanding ransom for unlocking files and for not leaking stolen information.
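
The intermittent encryption mentioned above matters to defenders because it undermines a common triage heuristic: whole-file entropy. The following Python script is an added example written for this post, not PolySwarm tooling or code from any of the families discussed; it compares whole-file entropy with a per-window entropy profile and also flags files carrying the .blacksuit extension the report describes. The 4 KiB window, the 7.5 bits-per-byte threshold and the seeded pseudo-random test data are assumptions chosen for illustration, not measured BlackSuit parameters.

```python
"""Per-window entropy triage for intermittently encrypted files (added example)."""
import math
import os
import random
from collections import Counter

CHUNK_SIZE = 4096                # analysis window; an assumed value, not a BlackSuit parameter
HIGH_ENTROPY = 7.5               # bits per byte; random or encrypted data sits near 8.0
RANSOM_EXTENSION = ".blacksuit"  # extension the report says BlackSuit appends


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size window, in file order."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE, threshold: float = HIGH_ENTROPY) -> dict:
    """Compare whole-file entropy with the per-window profile.

    A partially encrypted file can keep its whole-file entropy below the
    threshold, so a single-number check misses it; counting high-entropy
    windows still exposes the encrypted regions.
    """
    profile = chunk_entropies(data, chunk_size)
    high = sum(1 for e in profile if e >= threshold)
    if not profile or high == 0:
        verdict = "plaintext"
    elif high == len(profile):
        verdict = "fully-encrypted"
    else:
        verdict = "intermittently-encrypted"
    return {
        "whole_file_entropy": round(shannon_entropy(data), 3),
        "chunks": len(profile),
        "high_entropy_chunks": high,
        "verdict": verdict,
    }


def has_ransom_extension(path: str, extension: str = RANSOM_EXTENSION) -> bool:
    """Name-based check: did a file receive the extension the ransomware appends?"""
    return path.lower().endswith(extension)


def scan_directory(root: str) -> list:
    """Return (path, verdict, renamed) for every regular file below root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                result = classify(fh.read())
            findings.append((path, result["verdict"], has_ransom_extension(path)))
    return findings


def build_intermittent_sample(chunks: int = 8, every: int = 4, seed: int = 7) -> bytes:
    """Constructed test data: repeated text with every `every`-th window replaced by
    seeded pseudo-random bytes standing in for an encrypted region. Nothing is encrypted."""
    rng = random.Random(seed)
    text = (b"The quick brown fox jumps over the lazy dog. " * 100)[:CHUNK_SIZE]
    return b"".join(
        rng.randbytes(CHUNK_SIZE) if i % every == 0 else text for i in range(chunks)
    )


if __name__ == "__main__":
    sample = build_intermittent_sample()
    print(classify(sample))
    print(has_ransom_extension("quarterly-report.xlsx.blacksuit"))
```

Running the file prints the verdict for the constructed sample: two of eight windows score near 8 bits while the whole-file figure stays well under the threshold, so a whole-file check alone would pass the file. In practice the entropy verdict is a triage signal to be confirmed alongside the extension check and the presence of a ransom note, and a scanner over a large share would sample windows rather than read every file in full.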

Our analysts expect BlackSuit to continue Royal’s trajectory of widespread targeting, including targeting of critical infrastructure entities. One of BlackSuit’s first victims of 2024 was South Carolina’s Kershaw County School District.

BlackSuit Samples






You can use the following CLI command to search for all BlackSuit samples in our portal:

$ polyswarm link list -f BlackSuit



8Base

8Base, active since at least 2022, has recently shown an increase in activity. 8Base is known for data extortion. They claim to only target companies that have neglected to adequately secure their data.

The group encrypts victim files and uses a name-and-shame scheme in an attempt to coerce the victim to pay the ransom. The group seems to target opportunistically, with a high percentage of targets located in the US and Brazil. While 8Base’s origin is unknown, industry researchers noted they are unlikely to be a startup operation due to the sophistication and speed of their operations and organization. Industry researchers also noted similarities between 8Base and other groups including RansomHouse and Phobos.

8Base was very active in mid-2023 and continued to be active to a lesser degree in late 2023. In October 2023, an advisory was issued warning that 8Base had been observed targeting an entity in the healthcare vertical. The group also claimed a high number of victims in December 2023. Our analysts have picked them as a family to watch in 2024 due to their unique approach to extortion.

8Base Samples




You can use the following CLI command to search for all 8Base samples in our portal:

$ polyswarm link list -f 8Base



Play

Play ransomware group, also known as PlayCrypt, has been active since mid-2022. The group is known to use double extortion tactics. Their targets have primarily been in North America, South America, and Europe. Targets have included entities in the government, financial, legal, software, shipping, law enforcement, and logistics verticals.

In early 2023, Play was observed using new custom data gathering tools, making data exfiltration for extortion more effective. By October 2023, the FBI noted Play had amassed at least 300 victims. In November 2023, industry researchers noted that Play was being sold as a service. In December, it was one of the most active ransomware families. Play has already claimed several victims in 2024, including Madison Capital, WPM, and The Time Group. Due to the group’s momentum in late 2023 and the availability of Play as a service, our analysts expect it to be one of the more active ransomware families in early 2024.

Play Samples






You can use the following CLI command to search for all Play samples in our portal:

$ polyswarm link list -f Play


Increased Activity Expected

The following malware families were chosen due to their historical activity, including heavy activity in 2023. We have already covered these families in more detail in our 2023 Recap - Malware Hall of Fame report.



ALPHV

ALPHV stood out from the other malware PolySwarm encountered in 2023 due to its growing popularity and tendency to be used to compromise high-value targets. While law enforcement apparently seized ALPHV’s darknet site in December, the group reportedly regained control of it shortly thereafter. Additionally, ALPHV removed all rules from its affiliate program, no longer forbidding affiliates to target critical infrastructure entities. Our analysts predict there will be more ALPHV activity on the horizon and that an increasing number of critical infrastructure entities may be targeted by ALPHV attacks.

ALPHV Samples







You can use the following CLI command to search for all ALPHV samples in our portal:

$ polyswarm link list -f ALPHV



Rhysida

Rhysida stood out in 2023 due to its targeting of multiple healthcare facilities. Although it was a newcomer on the malware scene, it proved to be formidable and gained momentum in late 2023.

The British Library, one of Rhysida’s 2023 victims, is reportedly still trying to recover from the ransomware attack. The attack on Insomniac Games, another late 2023 victim of Rhysida, also raised a point of concern in how the group has shifted tactics. Kirsten Bay, CEO of Cysurance, noted the attack demonstrates how threat actors have adapted to an organization’s ability to manage traditional ransomware attacks. Rhysida and others have begun to focus more on reconnaissance and exploitation, leveraging stolen data as a means for extortion. Ransomware groups have used double or even triple extortion tactics for quite some time. However, in some cases what used to be the “secondary” extortion tactic associated with data leaks is actually becoming the primary way a threat actor extorts a victim. In the case of the attack on Insomniac Games, Rhysida proceeded to leak more than a terabyte of data when ransom demands were not met.

Rhysida’s rampage has continued into early 2024, with Aspiration Training becoming one of their first victims of the year. Based on the group’s momentum in late 2023, our analysts expect them to be very active in 2024.


Rhysida Samples







You can use the following CLI command to search for all Rhysida samples in our portal:

$ polyswarm link list -f Rhysida



LockBit

LockBit is a ransomware-as-a-service that has been active since at least 2019. It was one of our top malware families to watch for 2023 and has made the list yet again in 2024. In 2023, LockBit expanded its operations and added a macOS variant to its arsenal. LockBit claimed multiple high-value targets in 2023, including Boeing and multiple US government entities.

In November 2023, CISA issued an advisory warning of LockBit’s exploitation of CVE-2023-4966 (Citrix Bleed) and possible ramifications for critical infrastructure entities. LockBit claimed over 50 victims in December 2023 and has already claimed its first victim of 2024, Groupe IDEA. Our analysts expect LockBit to continue to be one of the most prolific ransomware families in 2024.

LockBit Samples







You can use the following CLI command to search for all LockBit samples in our portal:

$ polyswarm link list -f LockBit

