More groups, fewer families, more attacks – no great change over 2023 except, if anything, the ransomware threat is even more severe in 2024. And the growth in leaks and leak sites suggests ransomware is even more successful.
Rapid7’s Ransomware Radar Report 2024 (PDF) gleans its intelligence from an analysis of visible leak sites, the analysis of ransomware code, and an analysis of underground forum chatter. The result is an intriguing insight into the current state of global ransomware – and it is not a comforting result.
2023 had been a high-water mark in ransomware attacks, but 2024 is on course to be worse. Rapid7 has tracked more than 2,500 ransomware attacks in the first half of 2024. That’s more than 14 publicly claimed attacks every day. Since this is primarily compiled from monitored leak sites, the true figure could be much higher (including attacks where the ransom is paid but not disclosed and no data is leaked, and attacks by groups that don’t operate a leak site).
The number of postings to leak sites continues to grow, up from an average of 24 per month in H1 2023 to 40 per month in H1 2024. This is perhaps unsurprising given the bad actors’ continued migration to the double extortion of encryption and data exfiltration. Christiaan Beek, senior director of threat analytics at Rapid7, commented, “Encryption only ransomware hardly exists anymore; it’s all double extortion today.”
It may appear surprising that the Dark Angels group, recently tied to a $75 million ransom attack and payment, is not included within the report. The reason is that Rapid7 focuses its analysis on the top 20 groups actively using leak sites. Dark Angels uses the Dunghill leak site but is not the most active group. It seems to be engaged in focused whaling rather than large-scale trawling, and simply on the volume of leaks published, it misses the cut for this report.
One of the conclusions Rapid7 reaches is that trawling rather than whaling is the bigger threat. “We did an analysis of the access brokers on a ransomware underground forum,” comments Beek. “What we found is that the access they provided was primarily for companies with around $5 million annual revenue – that’s small to midsize companies.”
The report provides a fascinating and illuminating graph of group leak posts from the ten most active ransomware groups from the beginning of January 2024 to the end of June 2024.
Two things stand out. The first is the consistently high activity from the LockBit group until it suddenly tails off in June. It was in June that the FBI announced it had obtained 7,000 LockBit decryption keys.
“There’s a lot going on with LockBit at the moment,” explained Beek. “And if you follow the underground chatter, there were rumors and denials about partnerships, and rumors that LockBit was changing its leak site, and you’d need a password to get into it to add new leaks. But there is also a downward trend in the number of leaks coming from the LockBit consortium.”
This is all too recent to draw conclusions on how things will eventually pan out. But, added Beek, “There’s also a big opportunity when you are caught by law enforcement and decryption keys are leaked – your affiliates lose faith.” Cybercrime is run like a business; and businesses succeed or fail on their brand reputation. Law enforcement action can weaken brand reputation. And if that happens, affiliates can jump ship and move to a different family; and even group members can leave and join a different group.
The second standout from the graphic is the sudden appearance of the RansomHub group. This occurred close to the disappearance of AlphV (aka BlackCat, Noberus) – so close that there were strong rumors that RansomHub is basically a reincarnation of AlphV. Beek is not so sure.
The report describes two ways Rapid7 examines ransomware code to look for connections between different families. The first is the Jaccard similarity coefficient, which measures the similarity between finite sample sets as the size of their intersection divided by the size of their union. This shows, for example, a strong link between Play ransomware and the Morok ransomware family that surfaced in February 2024.
Rapid7 then uses the Machoc hash, introduced by the French Cybersecurity Agency (designed to provide a fuzzy hash representation of the function calls in a binary), for analyzing the underlying structure of software. The combined result of these two analyses shows possible relationships between different ransomware families.
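To make the two-stage comparison concrete, here is an added Python illustration that is not Rapid7’s tooling and not the Machoc algorithm: it scores pairs of samples by Jaccard similarity over the set of API calls each one makes, and again over a simplified per-function hash of the ordered call sequence, which stands in for the idea behind a fuzzy function-level hash. The three samples, their function names and their call lists are constructed for the example; nothing here is taken from a real family.

```python
"""Pairwise ransomware-sample similarity from extracted call features.

Added illustration, not Rapid7's tooling: Jaccard similarity over the set
of API calls each sample makes, plus a simplified per-function structural
hash that stands in for the idea behind a fuzzy call hash such as Machoc.
The real Machoc algorithm is not reproduced here.
"""
import hashlib
from itertools import combinations

# Constructed input: each hypothetical sample maps function name -> ordered
# list of calls that function makes, as an analyst might export from a
# disassembler. Names are illustrative and belong to no real family.
SAMPLES = {
    "sample_1": {
        "main": ["CreateFileW", "ReadFile", "encrypt_block", "WriteFile"],
        "encrypt_block": ["CryptEncrypt"],
        "spread": ["NetShareEnum", "WNetAddConnection2W"],
    },
    "sample_2": {  # shares the file-encryption loop with sample_1
        "main": ["CreateFileW", "ReadFile", "encrypt_block", "WriteFile"],
        "encrypt_block": ["CryptEncrypt"],
        "drop_note": ["CreateFileW", "WriteFile"],
    },
    "sample_3": {  # unrelated beaconing code
        "main": ["socket", "connect", "send", "recv"],
        "beacon": ["Sleep", "send"],
    },
}


def jaccard(a: set, b: set) -> float:
    """Jaccard similarity coefficient |A ∩ B| / |A ∪ B|.

    Two empty sets score 0.0 rather than 1.0, so samples with no extracted
    features never look related to each other.
    """
    union = a | b
    if not union:
        return 0.0
    return len(a & b) / len(union)


def call_features(functions: dict) -> set:
    """Feature set 1: every distinct callee name across the whole sample."""
    return {callee for calls in functions.values() for callee in calls}


def structural_features(functions: dict) -> set:
    """Feature set 2: one hash per function over its ordered call sequence.

    Simplified stand-in for a function-level fuzzy hash: two functions match
    only if they make the same calls in the same order, regardless of their
    names or addresses in the binary.
    """
    return {
        hashlib.sha256(",".join(calls).encode()).hexdigest()[:16]
        for calls in functions.values()
    }


def similarity(s1: dict, s2: dict) -> dict:
    """Both scores plus their mean, which is the number used for ranking."""
    calls = jaccard(call_features(s1), call_features(s2))
    struct = jaccard(structural_features(s1), structural_features(s2))
    return {"calls": calls, "structure": struct, "combined": (calls + struct) / 2}


def related_pairs(samples: dict, threshold: float = 0.3) -> list:
    """All sample pairs whose combined score reaches the threshold, best first."""
    pairs = []
    for (n1, f1), (n2, f2) in combinations(sorted(samples.items()), 2):
        score = similarity(f1, f2)["combined"]
        if score >= threshold:
            pairs.append((n1, n2, round(score, 3)))
    return sorted(pairs, key=lambda p: p[2], reverse=True)


if __name__ == "__main__":
    for n1, n2, score in related_pairs(SAMPLES):
        print(f"{n1} ~ {n2}: combined similarity {score}")
```

On this input sample_1 and sample_2 share five of seven distinct callees (Jaccard 5/7) and two of four function-level hashes (Jaccard 0.5), while sample_3 scores zero against both; the threshold is the analyst's choice, and as the article notes, a moderate score can be explained by one coder reusing lines from another source rather than by shared authorship.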
Such analyses show some connections between AlphV code and RansomHub code, but nothing that could not be explained by one coder rewriting lines from a different source. “The suggestion that RansomHub is AlphV reborn is not something I could defend in a court of law,” said Beek.
While the report provides detailed information suitable for a deep dive into the current state of the ransomware world and some of the methods Rapid7 uses to track and detect different families, it also provides high-level data that can immediately be used to increase resiliency against attacks. For example, businesses are still not covering the basics. RDP and VPNs remain the most common means of access sold by the access brokers, despite this already having been known for several years.
But, added Beek, “The number one attack vector where people are being compromised is through not implementing multi-factor authentication, or doing so in the wrong way. And we’re still leaving the door wide open by not patching critical vulnerabilities. So, this tells me our basic cyber hygiene is still not good. I’ve been in this industry for 20 years and I’ve been saying the same thing for 20 years: ‘Get your basics sorted’.”