Within the past 12 months a record number of active ransomware groups has been reported, with 58 groups attacking international companies in the second quarter alone. Cyberint, a threat intelligence platform provider, has reported a slight decline for the third quarter, with 57 active groups tracked.
Nevertheless, only 58.3% of all detected ransomware attacks can be attributed to the top 10 threat actor groups. The data shows a surge in activity across active groups overall, accompanied by a decrease in activity from the larger players, attributed to successful law enforcement actions such as those targeting and.
According to Adi Bleih, a security researcher at Cyberint, the number of active ransomware groups has reached an all-time high, which suggests that businesses are increasingly exposed to attack as each gang competes for targets. As rival ransomware gangs continue to intensify their attacks, enterprises face a growing challenge in defending against these relentless threats.
“While previously undetected safety gaps and vulnerabilities may have gone unaddressed, the rise of ransomware gangs actively seeking out their next targets underscores the critical need to eliminate even minor errors, lest they escalate into significant security breaches.”
As law enforcement agencies increasingly target notorious ransomware groups, many of these cybercriminals are struggling to stay ahead of the curve.
As of Q2 2024, a thorough examination conducted by WithSecure isolated findings indicating that among 67 ransomware groups monitored in 2023, NCC Group publicly announced its annual results for both June and July this year, which
LockBit’s attack frequency fell significantly in the third quarter, to just 85 attacks, roughly a 40% drop from the previous quarter. This is the group’s lowest quarterly attack count in over a year.
According to Malwarebytes, the percentage of ransomware attacks attributed to LockBit decreased from 26% to 20% over the past year, despite conducting more individual attacks.
ALPHV, the second most prolific ransomware group, left a void after a botched cyber attack on Change Healthcare in February. After the $22 million ransom was not paid to an affiliate, the affiliate exposed the group, leading ALPHV to stage a fake law enforcement takeover and then halt its operations.
Law enforcement’s efforts to dismantle established gangs have yielded results, but they have also created openings for newer, less capable organizations to fill the void. Newly emerged ransomware gangs are likely trying to outmaneuver their rivals and supplant existing groups as the dominant players in the ransomware landscape.
Cyberint analysts predict that the takedown operations will have a far-reaching impact, remarking that “it’s only a matter of time before other large and small ransomware groups follow suit.” The relentless pressure has spawned an increasingly inhospitable environment, casting doubt on the perpetual reign of these powerhouses.
Overall, although the number of ransomware attacks has maintained an upward trend since the second quarter, Cyberint researchers recorded a 5.5% decline to 1,209 cases in Q3.
Notably, RansomHub was the most prolific ransomware group in the latest quarter, responsible for 16.1% of all reported incidents, with 195 new victims. Notable attacks targeted major international companies such as Kawasaki, a renowned manufacturer, and Halliburton, a prominent oil and gas services provider. Cyberint analysts suggest that the group’s origins may trace back to Russia, with ties to ex-associates of the infamous.
Play stands out among the most prominent ransomware groups, having hit 89 victims, or 7.9% of all recorded attacks. Since June 2022 it is alleged to have carried out more than 560 successful attacks, the most notable being that of this year.
If this pace continues, Play is likely to end 2024 with a total of 301 victims.
Ransomware operatives increasingly target Linux systems and VMware ESXi environments, exploiting vulnerabilities to cripple critical infrastructure.
The Cyberint report finds that ransomware groups are increasingly focusing on developing Linux-based tooling and tactics.
VMware ESXi is a bare-metal hypervisor that enables direct deployment and management of virtual machines on physical servers, potentially including critical infrastructure. Exploiting vulnerabilities in the hypervisor can allow malicious actors to shut down multiple virtual machines at once, effectively eliminating options for swift recovery through snapshots or backups and inflicting significant disruption on an organization’s operations.
Ransomware operators Play and have developed malicious strains that specifically target VMware ESXi servers, exploiting vulnerabilities to gain access to virtual machines (VMs).
Linux systems often serve as the foundation for hosting virtual machines (VMs) and other critical enterprise infrastructure. Cybercriminals are drawn by the potential to cause maximum disruption to corporate networks in pursuit of financial gain, which drives their relentless focus on destructive attacks.
Attackers are leveraging bespoke malware and exploiting trusted tools.
Ransomware groups have dramatically upped their game in the past year, using bespoke malware to outsmart traditional security measures and evade detection, according to Cyberint’s experts. The notorious Black Basta gang, for example, has concentrated on exploiting vulnerabilities in the target environment for initial access.
Attackers are increasingly using reputable security and cloud storage tools to avoid detection. One actor used a rootkit remover to bypass endpoint detection and response (EDR) capabilities, then used the LaZagne password recovery tool to harvest login credentials. Another actor abused Microsoft’s Azure Storage Explorer and AzCopy tools to exfiltrate confidential corporate data and store it in cloud storage.
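A defender-side illustration of the tool-abuse chain just described: this added example (not code from Cyberint or TechRepublic) correlates process-creation events per host and alerts only when tools covering several distinct stages (EDR tampering, LaZagne credential harvesting, AzCopy or Azure Storage Explorer exfiltration) run on the same host within a time window, so a lone AzCopy backup job does not fire. The log format, the sample events and the rootkit remover's file name are constructed assumptions; the report does not name that tool.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tools named in the report, mapped to the attack stage each serves. The report
# does not name the rootkit remover, so that entry is a placeholder (assumption).
TOOL_STAGE = {
    "lazagne.exe": "credential_harvest",
    "azcopy.exe": "cloud_exfil",
    "storageexplorer.exe": "cloud_exfil",
    "rootkitremover-placeholder.exe": "defense_evasion",
}
STAGE_ORDER = ("defense_evasion", "credential_harvest", "cloud_exfil")

# Constructed sample process-creation events: timestamp|host|user|image path.
SAMPLE_LOG = [
    r"2024-09-12T08:01:00|ws-17|jdoe|C:\Temp\rootkitremover-placeholder.exe",
    r"2024-09-12T08:05:30|ws-17|jdoe|C:\Temp\lazagne.exe",
    r"2024-09-12T09:40:00|ws-17|jdoe|C:\Temp\azcopy.exe",
    r"2024-09-12T10:00:00|srv-backup|svc_backup|C:\Program Files\azcopy.exe",
    r"2024-09-12T10:05:00|ws-02|asmith|C:\Windows\System32\notepad.exe",
]

def parse_event(line):
    """Split one pipe-delimited event and normalise the image file name."""
    ts, host, user, image = line.split("|")
    return datetime.fromisoformat(ts), host, user, image.rsplit("\\", 1)[-1].lower()

def correlate(lines, window=timedelta(hours=6), min_stages=2):
    """Alert when one host runs tools spanning >= min_stages stages inside the window."""
    per_host = defaultdict(list)
    for line in lines:
        ts, host, _user, image = parse_event(line)
        stage = TOOL_STAGE.get(image)
        if stage:
            per_host[host].append((ts, stage))
    alerts = []
    for host, events in per_host.items():
        events.sort()
        for i, (start, first_stage) in enumerate(events):
            seen = {first_stage}
            for ts, stage in events[i + 1:]:
                if ts - start > window:
                    break  # events are sorted, so nothing later fits the window
                seen.add(stage)
            if len(seen) >= min_stages:
                alerts.append({"host": host, "start": start,
                               "stages": [s for s in STAGE_ORDER if s in seen]})
                break  # one alert per host is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```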
Bleih told TechRepublic that as these gangs become more lucrative and better financed, they evolve into sophisticated organizations operating much like legitimate businesses. While cybercriminals continue to rely on familiar tactics, such as phishing and the misuse of compromised login credentials, they are finding novel ways to deploy these established strategies.
As these criminal organizations evolve, they are becoming more agile and able to scale. While malicious actors have long shown technical proficiency, the emergence of sophisticated exploit tools and techniques now lets them rapidly exploit newly disclosed vulnerabilities at scale, mere days after a critical Common Vulnerabilities and Exposures (CVE) entry is published. Until recently, that turnaround often stretched over several weeks, and in some cases even longer.