Introduction
In the third quarter of 2024, the ransomware landscape witnessed a significant increase in activity, marked by a rise in successful attacks and the emergence of new cybercriminal groups. This period highlighted the shifting dynamics within the ransomware ecosystem, with notable changes in the operations of prominent groups and the targeting of specific sectors.
Description
In Q3 2024, the ransomware landscape experienced a notable surge in activity [1] [2] [3] [5] [6] [7] [8], with a total of 1,257 successful attacks reported, reflecting a slight increase from the previous quarter [1] [6] [8]. This period was characterized by the emergence of 59 distinct cybercriminal groups operating globally, with RansomHub establishing itself as the most active group, accounting for over 290 victims across various sectors throughout the year and claiming 195 victims specifically in this quarter. This represented a remarkable 160% increase from Q2, positioning RansomHub at the forefront of ransomware operations, largely due to its effective recruitment of experienced affiliates for its ransomware-as-a-service (RaaS) model [1] [8].
In contrast, LockBit 3.0 faced a significant decline in its operations [1] [3] [6] [7] [8], with victim numbers dropping sharply from 208 in Q2 to just 91 in Q3. This downturn is likely attributable to intensified law enforcement efforts that dismantled LockBit’s infrastructure and contributed to the recovery of over 1,000 decryption keys, although the group continues to function.
The overall ransomware ecosystem has become increasingly fragmented [2], underscoring the emergence of new groups and shifting dynamics within the landscape. The construction industry emerged as the most targeted sector [4], experiencing a 7.8% increase in attacks [7], totaling 83 incidents [3] [7], while the healthcare sector also saw a rise [3], with a 12.8% increase resulting in 53 reported attacks.
A significant shift in attack tactics was observed, with nearly 28.7% of incidents linked to vulnerabilities in virtual private networks (VPNs) and weak passwords [4]. Outdated software and inadequate protection on VPN accounts were major contributors to these incidents [4], particularly affecting accounts using common usernames like “admin” or “user” that lacked robust multi-factor authentication (MFA).
Conclusion
The evolving ransomware landscape in Q3 2024 underscores the urgent need for businesses to adopt comprehensive security measures. The rise in attacks and the fragmentation of cybercriminal groups highlight the importance of multi-layered security approaches, particularly in sectors like construction and healthcare. Organizations must prioritize updating software, securing VPNs, and implementing strong authentication methods to mitigate vulnerabilities. As cyber threats continue to evolve, proactive measures and collaboration with law enforcement will be crucial in safeguarding against future ransomware activities.
References
[1] https://osintcorp.net/five-ransomware-groups-responsible-for-40-of-cyber-attacks-in-2024/
[2] https://9to5mac.com/2024/11/21/security-bite-ransomware-groups-surge-in-q3-2024-with-shifting-dominance/
[3] https://cybermagazine.com/articles/corvus-insurance-vpn-attacks-drive-surge-in-ransomware
[4] https://www.insurancebusinessmag.com/us/news/cyber/report-reveals-a-major-ransomware-entry-point-for-cyberattacks-514943.aspx
[5] https://www.newsminimalist.com/articles/ransomware-attacks-rise-sharply-in-q3-2024-as-new-groups-emerge-28a1a59b
[6] https://www.securityinfowatch.com/cybersecurity/press-release/55245439/corvus-insurance-corvus-attackers-targeting-vpns-account-for-over-a-quarter-of-ransomware-incidents-in-q3
[7] https://insurtechdigital.com/articles/corvus-insurance-vpn-attacks-drive-surge-in-ransomware
[8] https://www.infosecurity-magazine.com/news/five-ransomware-groups-40-of/