31 New Ransomware Groups Join the Ecosystem in 12 Months
Summary:
Secureworks' 2024 State of the Threat Report highlights a significant 30% rise in active ransomware groups over the past year, despite extensive law enforcement actions aimed at disrupting these operations. In the last 12 months, 31 new ransomware groups have emerged, shifting the landscape from a few dominant players to a more fragmented ecosystem. LockBit remains the most active group, accounting for 17% of all ransomware victims, though its activity declined by 8%, largely due to the impact of Operation Cronos, which targeted and disrupted the group’s operations. Meanwhile, PLAY doubled its victim count from the previous year, securing its position as the second most active group. RansomHub, a new player, quickly claimed 7% of ransomware victims following LockBit's brief disruption in early 2024. However, BlackCat/ALPHV, once a leading group, was severely impacted by law enforcement activity and did not make the top three this year. While the number of ransomware groups has grown, the overall number of victims has not risen as sharply, indicating a fragmented landscape that raises questions about the long-term viability of these newer groups. Secureworks suggests that this fragmentation, combined with affiliate migration between groups, adds complexity for defenders.
In addition to the ransomware findings, the report highlights the growing threat posed by AI and Adversary-in-the-Middle (AiTM) attacks. Cybercriminals are increasingly using AI tools like OpenAI’s ChatGPT to assist in attacks such as phishing and basic script creation, though much of this activity remains at a low level for now. AiTM attacks, which involve stealing credentials and session cookies to bypass multi-factor authentication, are becoming more widespread. These attacks, facilitated by easily accessible phishing kits like Evilginx2 and EvilProxy, pose a serious challenge to enterprises by diminishing the effectiveness of certain MFA protections. Don Smith, VP of Threat Intelligence at Secureworks, emphasized that while AI enhances threat actors’ operations, AiTM attacks present a more immediate danger and highlight the importance of treating identity as the new perimeter in enterprise defense.
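One defensive signal for the AiTM session-cookie theft described above: a session token that was issued after an MFA sign-in from one source address and browser, and is presented shortly afterwards from a different address and a different user agent. The detector below is an added example (not Secureworks' code or part of the report); the sign-in log records are constructed, and the 30-minute window and the IP-plus-user-agent rule are assumptions a team would tune to its own identity provider logs.

```python
"""Flag AiTM-style session replay in constructed sign-in records.

An AiTM phishing proxy relays the victim's real MFA login and captures the
resulting session cookie, which the attacker then reuses from their own
infrastructure. Heuristic used here: a session seen after MFA from one
(source IP, user agent) pair, then reused within a short window from a
different IP *and* a different user agent, is suspicious.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SigninEvent:
    ts: datetime
    user: str
    session_id: str
    src_ip: str
    user_agent: str
    mfa_completed: bool  # True on the event where MFA was satisfied


# Constructed sample records (RFC 5737 documentation addresses, not real data).
SAMPLE_EVENTS = [
    SigninEvent(datetime(2024, 10, 1, 9, 0, 0), "alice", "sess-A1",
                "198.51.100.23", "Mozilla/5.0 (Windows NT 10.0) Chrome/128", True),
    SigninEvent(datetime(2024, 10, 1, 9, 0, 40), "alice", "sess-A1",
                "203.0.113.77", "python-requests/2.32", False),
    SigninEvent(datetime(2024, 10, 1, 9, 5, 0), "bob", "sess-B7",
                "198.51.100.50", "Mozilla/5.0 (Macintosh) Safari/17", True),
    SigninEvent(datetime(2024, 10, 1, 9, 30, 0), "bob", "sess-B7",
                "198.51.100.50", "Mozilla/5.0 (Macintosh) Safari/17", False),
]


def find_session_replay(events, window=timedelta(minutes=30)):
    """Return (user, session_id, new_ip) tuples for sessions reused from a
    different IP and user agent within `window` of the MFA-completed sign-in."""
    issued = {}  # session_id -> event at which MFA was completed
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.mfa_completed:
            issued[ev.session_id] = ev  # remember where the session was minted
            continue
        origin = issued.get(ev.session_id)
        if origin is None:
            continue  # no MFA sign-in on record for this session; skip
        if (ev.ts - origin.ts <= window
                and ev.src_ip != origin.src_ip
                and ev.user_agent != origin.user_agent):
            alerts.append((ev.user, ev.session_id, ev.src_ip))
    return alerts


if __name__ == "__main__":
    for user, sid, ip in find_session_replay(SAMPLE_EVENTS):
        print(f"possible AiTM session replay: user={user} session={sid} from {ip}")
```

Where the identity provider records the sign-in IP as the proxy's address, the MFA event itself may already look out of place for the user; that baseline check complements, rather than replaces, the reuse rule shown here.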
Security Officer Comments:
The report also provides insights into state-sponsored cyber threats, with China, Russia, Iran, and North Korea continuing to be the primary adversaries. Russia has adapted its cyber operations in relation to the Ukraine conflict, focusing on espionage and military intelligence gathering, with a particular emphasis on critical infrastructure within Ukraine. China's cyber activities remain centered on espionage, leveraging sophisticated obfuscation techniques in cloud and edge environments to steal political, economic, and military information. Iranian cyber operations, led by the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS), are driven by political motivations, with a focus on targeting Israel, regional adversaries like Saudi Arabia and the UAE, and the U.S. North Korean cyber actors continue their focus on cryptocurrency theft and fraudulent employment schemes to infiltrate Western companies, particularly in the IT sector.
Suggested Corrections:
Back up your data, system images, and configurations, test them regularly, and keep the backups offline: Ensure that backups are tested regularly and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current offline backups is critical because it lets your organization restore systems if network data is encrypted by ransomware.
Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.
Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.
Train employees: Email remains the most exploited attack vector for organizations. Users should be trained on how to spot and avoid phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.
Link(s):
https://www.infosecurity-magazine.com/news/new-ransomware-groups-emerge-2024/