RansomHub Overtakes LockBit as Most Prolific Ransomware Group

Summary:
According to Symantec’s new report, Ransomware: Threat Level Remains High in Third Quarter, ransomware continues to be a growing threat in the cyber landscape, with Symantec observing 1,255 ransomware attacks in the third quarter of 2024. One of the biggest developments observed by Symantec in Q3 of 2024 was a decline in LockBit activity, a previously dominant player in the ransomware ecosystem. In Q3, LockBit claimed 188 victims on its data leak site, highlighting a 47% decrease in overall attacks compared to Q2 (353 victims claimed).

LockBit’s infrastructure was the target of a law enforcement operation in February 2024, which resulted in several of its servers being taken down as well as authorities managing to gain access to thousands of decryption keys. This takedown operation has since then played a huge role in the decline in LockBit activity, with affiliates of the ransomware gang losing trust and moving to other groups like RansomHub.

Security Officer Comments:
One of the biggest beneficiaries of this decline in LockBit activity is RansomHub. RansomHub is a fairly new group that initiated operations earlier this year. Despite this, the group has managed to create a name for itself within the ransomware landscape, replacing LockBit as the most active ransomware gang in Q3 of 2024. Based on listings observed by Symantec, RansomHub accounted for 15% of all ransomware attacks in Q3, more than double the number of attacks attributed to LockBit. A key reason for RansomHub’s rapid growth is that affiliates of LockBit have joined its ranks. These affiliates have aided in gaining initial access and deploying the encryptor on RansomHub’s behalf, allowing the group to scale its operations.

Based on metrics collected by the IT-ISAC, the top five sectors targeted by RansomHub this year include Critical Manufacturing, Commercial Facilities, Food and Agriculture, Information Technology, and Government Facilities. The Healthcare sector has also seen a fair share of RansomHub attacks, with victims like New York-based reproductive healthcare provider Planned Parenthood being recently listed on its data leak site.

Suggested Corrections:
Back up your data, system images, and configurations, regularly test them, and keep the backups offline:
Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical: if your network data is encrypted by ransomware, your organization can still restore its systems from them.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained on how to avoid and spot phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.

Link(s):
https://www.infosecurity-magazine.com/news/ransomhub-overtakes-lockbit/