Introduction

In the rapidly evolving landscape of cyber threats [3], ransomware continues to pose a significant challenge. The third quarter of 2024 witnessed notable shifts in ransomware activities, with RansomHub emerging as a leading operation, while other groups experienced varying degrees of success.

Description

RansomHub has solidified its position as the top ransomware operation, with 247 successful attacks attributed to its activities in Q3 2024, marking a significant increase of 155% from the previous quarter [1]. This surge follows its activation in February 2024 and is largely due to its effective recruitment of experienced affiliates [1], who are drawn by more attractive terms than those offered by competitors. Notably, RansomHub has published 100 gigabytes of exfiltrated data from the Florida Department of Health [2], asserting that the agency did not pay a ransom following the attack.

Ransomware remains a critical issue, with 49 active groups impacting over 1,000 publicly reported victims [3]. Overall, ransomware attacks decreased slightly to 1,255 in Q3 from 1,325 in Q2, but the trend suggests a potential increase in activity [1]. The ransomware-as-a-service (RaaS) ecosystem continues to thrive, with no decline expected in 2024 or 2025 [3].

LockBit, once a dominant player, experienced a dramatic decline in its activity [1] [4], with successful attacks dropping 88% to 188 in Q3, likely due to an international law enforcement operation targeting the group earlier in the year [1]. In contrast, Qilin saw a 44% increase in its victim count, reaching 140 in Q3 [1]. Other notable active groups during this quarter included Play and Meow [4]. The emergence of a “middle class” within the RaaS ecosystem has led to a more diverse distribution of ransomware victims among various groups [3], contributing to the overall profitability of cybercriminal ventures.

RansomHub has also adopted new tactics, techniques, and procedures (TTPs). Its operators use Kaspersky’s TDSSKiller, a legitimate rootkit removal tool, to disable endpoint detection and response (EDR) systems, and LaZagne, a credential-harvesting utility [2].
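A detection sketch for the tool use described above, added here as an example and not taken from any of the cited reports. The event records, host names, service name and the 30-minute correlation window are constructed assumptions; `-dcsvc` is TDSSKiller's switch for deleting a named service.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (fields modelled on Sysmon Event ID 1).
EVENTS = [
    {"ts": "2024-09-10T02:14:05", "host": "FS01",
     "image": r"C:\Users\Public\tk.exe", "cmd": r'tk.exe -dcsvc "ExampleEdrSvc"'},
    {"ts": "2024-09-10T02:19:40", "host": "FS01",
     "image": r"C:\Users\Public\LaZagne.exe", "cmd": "LaZagne.exe database"},
    {"ts": "2024-09-10T09:00:00", "host": "WS07",
     "image": r"C:\Tools\TDSSKiller.exe", "cmd": "TDSSKiller.exe"},
    {"ts": "2024-09-10T09:05:00", "host": "WS07",
     "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c dir"},
]

# Matching on the service-deletion switch rather than the file name also
# catches a renamed TDSSKiller binary (first constructed event above).
SVC_DELETE = re.compile(r'(?i)(?:^|\s)-dcsvc\s+"?([^"\s]+)')
TDSS_NAME = re.compile(r"(?i)tdsskiller[^\\]*\.exe$")
LAZAGNE_NAME = re.compile(r"(?i)lazagne[^\\]*\.exe$")

def classify(event):
    """Return (kind, detail) for a suspicious event, or None."""
    m = SVC_DELETE.search(event["cmd"])
    if m:
        return ("service_delete", m.group(1))
    if TDSS_NAME.search(event["image"]):
        return ("tdsskiller_run", None)
    if LAZAGNE_NAME.search(event["image"]):
        return ("lazagne_run", None)
    return None

def detect(events, window=timedelta(minutes=30)):
    """Escalate LaZagne to critical when it follows a service deletion on the same host."""
    alerts, last_delete = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify(ev)
        if hit is None:
            continue
        kind, detail = hit
        when = datetime.fromisoformat(ev["ts"])
        severity = "medium"
        if kind == "service_delete":
            last_delete[ev["host"]] = when
            severity = "high"
        elif kind == "lazagne_run":
            prev = last_delete.get(ev["host"])
            severity = "critical" if prev and when - prev <= window else "high"
        alerts.append({"host": ev["host"], "kind": kind, "detail": detail, "severity": severity})
    return alerts
```

Calling `detect(EVENTS)` returns one alert per suspicious event; a bare TDSSKiller run stays at medium because administrators also use the tool legitimately.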

Discrepancies exist between the number of publicly claimed attacks and those investigated by threat researchers [1]. For instance, LockBit claimed 15% of attacks while only accounting for 7% of those investigated, whereas RansomHub claimed 15% but represented 33% of investigated incidents [1]. This disparity may be due to victims who pay ransoms without their information being posted on leak sites [1].

Conclusion

The current trends in ransomware activities underscore the persistent threat posed by cybercriminals and the evolving tactics they employ. Organizations must remain vigilant, adopting robust cybersecurity measures and fostering collaboration with law enforcement to mitigate these threats. As the RaaS ecosystem continues to expand, it is crucial to anticipate further developments and prepare for potential increases in ransomware incidents in the coming years.

References

[1] https://www.infosecurity-magazine.com/news/ransomhub-overtakes-lockbit/
[2] https://www.halcyon.ai/blog/power-rankings-ransomware-malicious-quartile-q3-2024
[3] https://www.businesswire.com/news/home/20241017644730/en/Ransomware-Remains-a-Leading-Cyber-Threat-Despite-RaaS-Group-Shakeups-GuidePoint-Security-Finds
[4] https://www.prweb.com/releases/cybermaxx-q3-2024-ransomware-research-report-shows-2-deviation-in-the-volume-of-attacks-and-an-8-5-increase-in-active-groups-compared-to-q2–302278931.html