This year has seen the highest number of active ransomware groups on record, with 58 attacking global businesses in the second quarter. Threat intelligence platform provider Cyberint has reported only a slight dip in the third quarter, with 57 active groups.
Furthermore, in Q3, the top 10 ransomware groups were responsible for only 58.3% of all detected attacks. This reflects both the rise in the number of active groups overall and a decline in activity from the larger players due to successful law enforcement takedowns, such as those of ALPHV and Dispossessor.
Adi Bleih, security researcher at Cyberint, told TechRepublic in an email: “The number of active ransomware groups having reached an all-time high means that businesses face an increased risk of attacks as each of these competing gangs must now vie for targets. The competition between different ransomware groups has fuelled increasingly frequent attacks, leaving very little room for error on the part of enterprise cybersecurity teams.
“While security gaps and vulnerabilities may have previously gone unnoticed, the proliferation of ransomware groups, with all of them scouring the web for their next victims, means that even minor mistakes can now quickly lead to major security incidents.”
The most prolific ransomware groups are succumbing to law enforcement operations
Indeed, separate research from WithSecure found that of the 67 ransomware groups tracked in 2023, 31 were no longer operational as of Q2 2024. NCC Group also noted a year-over-year decline in ransomware attacks in both June and July this year, which experts linked to the LockBit disruption.
LockBit in particular used to account for the majority of attacks, but with only 85 attacks in the third quarter, it attacked almost 60% fewer companies than it did in the second, according to Cyberint’s report. This marks the group’s lowest number of quarterly attacks in a year and a half.
An August report from Malwarebytes also found that the proportion of ransomware attacks that LockBit claimed responsibility for fell from 26% to 20% over the past year, despite carrying out more individual attacks.
ALPHV, the second-most prolific ransomware group, also created a vacancy after a sloppily executed cyber attack against Change Healthcare in February. The group did not pay an affiliate their share of the $22 million ransom, so the affiliate exposed them, prompting ALPHV to fake a law enforcement takeover and cease operations.
These observations suggest that law enforcement takedowns are proving effective against the more-established gangs while simultaneously opening up new opportunities for smaller groups. The Malwarebytes analysts added that the new gangs “are bound to be trying to attract their affiliates and supplant them as the dominant forces in ransomware.”
However, Cyberint analysts are optimistic about the ripple effect of takedown operations on smaller players, writing: “As these large operations struggle, it’s only a matter of time before other large and small ransomware groups follow the same path. The ongoing crackdown has created a more hostile environment for these groups, signaling that their dominance may not last much longer.”
Indeed, instead of continuing the upward trend from the second quarter, where the number of ransomware attacks increased by almost 21.5%, the Cyberint researchers found the 1,209 cases in Q3 actually marked a 5.5% decrease.
The most prominent ransomware group of the quarter was RansomHub, as it was responsible for 16.1% of all cases, claiming 195 new victims. Prominent attacks include those on global manufacturer Kawasaki and oil and gas services company Halliburton. The Cyberint analysts say that the group’s roots are likely in Russia and that it has connections to former affiliates of the now-inactive ALPHV group.
Second in the list of most active ransomware groups is Play, which claimed 89 victims and 7.9% of all cases. It has purportedly executed over 560 successful attacks since June 2022, with the most prominent one from this year targeting VMware ESXi environments.
“If not hindered, Play is going to break its own record of yearly victims in 2024 (301),” the analysts wrote.
Ransomware groups targeting Linux and VMware ESXi systems
The Cyberint report noted a trend of ransomware groups heavily focusing on Linux-based systems and VMware ESXi servers.
VMware ESXi is a bare-metal hypervisor that enables the creation and management of virtual machines directly on server hardware, which may include critical servers. Compromising the hypervisor can allow attackers to disable multiple virtual machines simultaneously and remove recovery options such as snapshots or backups, ensuring significant impact on a business’s operations.
Ransomware groups Play and Cicada3301 developed ransomware that specifically targets VMware ESXi servers, while Black Basta has exploited vulnerabilities that allow them to encrypt all the files belonging to the VMs.
Linux systems also often host VMs and other critical business infrastructure. Such focus highlights cyberattackers’ interest in the huge payday available from inflicting maximum damage on corporate networks.
Attackers are using custom malware and exploiting legitimate tools
The sophistication of ransomware groups’ methods has increased considerably over the past year, with Cyberint researchers observing attackers using custom malware to bypass security tools. For example, the Black Basta gang used a number of custom tools after gaining initial access to target environments.
Attackers are also exploiting legitimate security and cloud storage tools to evade detection. RansomHub was observed using Kaspersky’s TDSSKiller rootkit remover to disable endpoint detection and response, and the LaZagne password recovery tool to harvest credentials. In addition, several groups have used Microsoft’s Azure Storage Explorer and AzCopy tools to steal corporate data and store it in cloud-based infrastructure.
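As an added illustration (not code from the Cyberint report or from TechRepublic) of how a defender might triage the legitimate-tool abuse described above: the routine below scans constructed Windows process-creation events, flags the tools named in the report, and treats AzCopy transfers to a hypothetical allowlisted storage account as routine. The storage account names, the script-host heuristic and the sample events are all assumptions.

```python
import re
from pathlib import PureWindowsPath

# Legitimate tools named in the Cyberint findings, with the misuse each was
# observed in. Presence alone is not malicious; the heuristics below only
# decide which invocations deserve an analyst's attention.
WATCHED_TOOLS = {
    "tdsskiller.exe": "rootkit remover run to disable EDR",
    "lazagne.exe": "password recovery tool run to harvest credentials",
    "azcopy.exe": "bulk copy to cloud storage (possible exfiltration)",
    "storageexplorer.exe": "Azure Storage Explorer (possible exfiltration)",
}
ALLOWED_STORAGE_ACCOUNTS = {"corpbackupprod"}  # hypothetical accounts the org owns
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
BLOB_URL = re.compile(r"https://([a-z0-9]{3,24})\.blob\.core\.windows\.net", re.I)

def triage_event(event):
    """Return (severity, reason) for one process-creation event, or None."""
    image = PureWindowsPath(event["image"]).name.lower()
    reason = WATCHED_TOOLS.get(image)
    if reason is None:
        return None
    parent = PureWindowsPath(event.get("parent", "")).name.lower()
    if image in ("azcopy.exe", "storageexplorer.exe"):
        accounts = {m.lower() for m in BLOB_URL.findall(event.get("cmdline", ""))}
        # Copying only to accounts the organisation owns is routine; skip it.
        if accounts and accounts <= ALLOWED_STORAGE_ACCOUNTS:
            return None
        return ("high", f"{reason}: destination account(s) {sorted(accounts) or 'unknown'}")
    # Security/credential tools launched from a script host rather than an
    # interactive session look more like an automated intrusion toolkit.
    severity = "high" if parent in SCRIPT_HOSTS else "medium"
    return (severity, f"{reason}; parent={parent or 'unknown'}")

def triage_events(events):
    """Return [(host, image, severity, reason)] for events worth an analyst's time."""
    findings = []
    for ev in events:
        hit = triage_event(ev)
        if hit:
            findings.append((ev["host"], PureWindowsPath(ev["image"]).name, *hit))
    return findings

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\Temp\TDSSKiller.exe", "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "TDSSKiller.exe"},
    {"host": "SRV02", "image": r"C:\Tools\azcopy.exe", "parent": r"C:\Windows\explorer.exe", "cmdline": "azcopy.exe copy D:\\share https://corpbackupprod.blob.core.windows.net/backups --recursive"},
    {"host": "FS01", "image": r"C:\Users\Public\azcopy.exe", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "azcopy.exe copy E:\\finance https://stg7x2k9.blob.core.windows.net/drop --recursive"},
    {"host": "WS03", "image": r"C:\Program Files\Notepad++\notepad++.exe", "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad++.exe"},
]

if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the allowlist would come from the cloud inventory and the events from EDR or Sysmon telemetry; the point is that the tool name alone is a weak signal, while parent process and destination account turn it into something an analyst can act on.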
Bleih told TechRepublic: “As these gangs become more successful and well-funded, they become increasingly sophisticated and operate similarly to a legitimate business. While we often see the same tried-and-true attack vectors used – phishing attacks, the use of stolen credentials, exploitation of vulnerabilities on Internet-facing assets – they’re becoming more creative in how they execute these common methods.
“They’re also becoming increasingly agile and scalable. For example, while threat actors have always been technically adept, they’re now able to start exploiting new vulnerabilities at scale just a few days after a critical CVE is documented. In the past, this may have taken weeks or perhaps longer.”