The Ransomware Threat Landscape Is Diversifying

Uploaded on 2024-05-17 in FREE TO VIEW, NEWS-Cybersecurity News, TECHNOLOGY--Resilience

The frequency of Ransomware and Digital Extortion (R&DE) attacks is on an upward trajectory, with the number of observed incidents during Q1 2024 only slightly less than that of Q4 2023, according to research by ZeroFox

This is despite the first quarter of the year historically seeing reduced activity with ZeroFox observing more attacks during Q4 2023 than in any other quarter on record.

Given high levels of activity during the first part of April, there is a likely chance that Q2 2024 will surpass Q1. Indeed, victims who refused to capitulate to ransom demands fell to an all-time low in Q1 2024, suggesting is is likely that the total number of attacks was much higher than that observed

An increasingly diverse threat landscape is contributing to the high number of incidents, with a large, growing number of threat group responsible for attacks. This is driven in part by a number of smaller and newer threat groups becoming significantly more active.

  • Throughout 2023, the top five most active collectives (LockBit, ALPHV, Cl0p, Play, and 8Base) together accumulated a total of at least 2,100 attacks, approximately 52 percent of total R&DE activity.
  • So far in 2024, the five most active collectives have been responsible for a continually decreasing proportion of total R&DE activity.

Throughout January and February, the most prominent threat groups were LockBit, 8Base, ALPHV, Hunters International, and Akira, which accounted for approximately 47 percent of total activity. This reduced to 41 percent in March and 35 percent so far in April, due primarily to the reduction of LockBit and ALPHV activity.

While still conducting comparatively low numbers of attacks, several threat groups have increased their activities this year.

  • The number of attacks conducted by BlackSuit have increased each month during 2024, from three in January (accounting for approximately 1 percent of global R&DE) to 13 so far in April (accounting for approximately 7 percent of global R&DE).
  • A new group known as RansomHub has already conducted at least 35 attacks, displaying a tempo that is atypical for a newer collective. It is almost certain that RansomHub obtained affiliates from ALPHV following its disruption.

This is supported by the addition of technology organisation Change Healthcare to the RansomHub victim leak site on April 8, 2024; Change Healthcare had initially been extorted by ALPHV in February 2024.

  • Black Basta conducted at least 41 attacks in March 2024, the highest observed in any previous month and significantly higher than its average of 16 monthly since they were first observed in approximately May 2022.
  • Medusa Locker conducted at least 60 attacks during February, March, and April 2024, exhibiting an upward trajectory and its most active months on record.
  • Hunters International conducted at least 30 attacks in February 2024, accounting for 9 percent of global R&DE activity, and it is likely that this will be surpassed in April 2024. Hunters International has also exhibited a significant higher level of activity since it was first observed in Q3 2023.

Several smaller R&DE collectives, such as DarkVault, DragonForce, MyData, and Red, have also exhibited notably high attack tempos for relatively new outfits. Like RansomHub, it is very likely that such groups are benefitting from the acquisition of experienced affiliates from LockBit and ALPHV.

Newer threat groups are likely to continue exhibiting upward attack trajectories as their efficacy increases, their services and reputation become established in Dark Web forums, and they are able to attract new affiliates.

The most prominent threat groups of 2023 are identified as  ALPHV and the now seriously impaired LockBit

These two groups have been conducting a smaller proportion of total R&DE activity each month following their disruption by law enforcement. In the weeks following LockBit’s disruption, the group continued to upload significant numbers of victims to its leak site. It is almost certain that the majority of these were associated with extortion operations that were ongoing at the time of the international law enforcement operation which took control  of the group’s digital infrastructure.

LockBit’s share of monthly ransom activity peaked in February 2023, at over 50 percent of observed attacks. This reduced to 22 percent in February 2024 and stands at just 3 percent so far in April 2024. ZeroFox considers that there is  good chance that LockBit’s actinity will increase as the collective attempts to rebuild its digital infrastructure and attract new affiliates. LockBit’s continuing activity is being enabled through its [.]onion “LockBit 3.0” leaksite, which continues to list both new victims and those from the period before its disruption.

ZeroFox observed very little change in the industries of targeted organizations during Q1 2024. Compared to 2023, small increases were noted in the manufacturing, retail, construction, healthcare, and professional services industries. Manufacturing will very likely remain the most targeted industry over the coming months, though variations will likely be observed as newer and smaller threat collectives establish and adapt their techniques.

The region of victims also exhibited little variation between 2023 and Q1 2024. Slight increases in the targeting of North America-based organisations are very likely the result of natural fluctuations and not indicative of increased emphasis. North America will almost certainly remain the region most targeted by R&DE attacks over the coming months. 

ZeroFox Intelligence Recommendations

  • Adopt a Zero-Trust cybersecurity posture based upon a principle of least privilege.
  • Implement network segmentation to separate resources.
  • Implement secure password policies with phishing-resistant multi-factor authentication (MFA), complex passwords, and unique credentials.
  • Leverage cyber threat intelligence to inform detection of R&DE threats and their associated modus operandi.
  • Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site or cloud servers at least once per year - and ideally more frequently than that.
  • Develop a comprehensive incident response strategy.
  • Configure email servers to block emails with malicious indicators and deploy authentication protocols to prevent spoofed emails.
  • Deploy a holistic patch management system and ensure all business IT assets are updated with the latest software as quickly as possible.
  • Proactively monitor for compromised accounts being brokered in DDW forums.
  • Configure ongoing monitoring for Compromised Account Credentials.

Despite the concerted efforts by law enforcement agencies in the US and Europe to crack down on ransom and extortion, the cyber security landscape continues to darken as cyber criminals evolve and innovate new exploits.

For access to the full report from ZeroFox Click Here

You Might Also Read: 

The Ransomware Arms Race:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« The Global Corporate Digital Security Landscape
New AWS Webinar: Harnessing The Power Of SIEM »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Efecte

Efecte

Efecte is a Nordic SaaS company specialized in IT Service Management, Self-Service, Identity Management and Access Governance solutions.

J2 Software

J2 Software

J2 Software is a leading African Information Security and ICT business providing information security, governance, risk and compliance solutions.

Plurilock Security Solutions

Plurilock Security Solutions

Plurilock is a real-time cybersecurity solution that uses artificial intelligence to identify, prevent, and eliminate insider threats.

Cask Government Services

Cask Government Services

Cask Government Services focuses on program management, cybersecurity, logistics, business analysis and engineering services for Federal, State and Local Government.

Salviol Global Analytics

Salviol Global Analytics

Salviol Global Analytics is a leading provider of Fraud, Risk and Operational Performance Solutions to a number of vertical markets including Insurance, Banking, Utilities, Telco’s and Government.

iFluids Engineering

iFluids Engineering

iFluids Engineering is a leading engineering consulting and risk management firm providing a full range of services including Cyber Security for Industrial Control Systems.

Polish Centre for Accreditation (PCA)

Polish Centre for Accreditation (PCA)

PCA is the national accreditation body for Poland. The directory of members provides details of organisations offering certification services for ISO 27001.

Tecnalia Research & Innovation

Tecnalia Research & Innovation

Tecnalia is the largest center of applied research and technological development in Spain, a benchmark in Europe and a member of the Basque Research and Technology Alliance.

SecureStack

SecureStack

SecureStack helps software developers find security & scalability gaps in their web applications and offers ways to fix those gaps without forcing those developers to become security experts.

C3i Hub

C3i Hub

C3i Hub aims to address the issue of cyber security of cyber physical systems in its entirety, from analysing security vulnerabilities to developing tools and technologies.

Center for Information Technology Policy (CITP) - Princeton University

Center for Information Technology Policy (CITP) - Princeton University

The Center for Information Technology Policy at Princeton University is a nexus of expertise in technology, engineering, public policy, and the social sciences.

Helix Security Services

Helix Security Services

Helix Security provides IT & information security consultancy to government and businesses across New Zealand.

Unit 42

Unit 42

Unit 42 brings together world-renowned threat researchers, incident responders and security consultants to create an intelligence-driven, response-ready organization.

runZero

runZero

runZero delivers the most complete security visibility possible, providing you the ultimate foundation for successfully managing exposures and compliance.

Auria

Auria

Auria advances complex space, missile, and cyber operations with visionary solutions and software.

QRC Assurance & Solutions

QRC Assurance & Solutions

QRC is a PCI QSA, QPA, ISO accredited, CPA and CERT-IN empanelled organization with vast experience in conducting certification, regulatory audits, pen testing services, training and more.