Akira and RansomHub Surge as Ransomware Claims Reach All-Time High

Summary:
Corvus Insurance reported a surge in ransomware attacks in November 2024, with 632 victims listed on ransomware groups’ data leak sites. This number is more than double the monthly average of 307 victims and exceeds the previous peak of 528 victims recorded in May 2024. The surge can be attributed to heightened activity from several ransomware groups, notably RansomHub and Akira. RansomHub is a fairly new ransomware group that initiated operations in February 2024. Despite this, RansomHub has already made a name for itself within the ransomware community, accounting for a large portion of monthly ransomware attacks. In November alone, Corvus Insurance attributed 98 attacks to RansomHub. Akira ransomware, which initiated operations in March 2023, also contributed to the surge observed in November, with Corvus Insurance attributing 73 attacks to the group. Other notable players in November include Kill Security, SAFEPAY, and Qilin. Together, these five groups were responsible for nearly 50% of all ransomware incidents observed in November.

Security Officer Comments:
In November, 13% of victims listed on data leak sites were using VPN products, which are frequently targeted by ransomware actors for initial access. Corvus Insurance reports that threat actors are increasingly exploiting software vulnerabilities and weak credentials, particularly in cases where multi-factor authentication is absent. Between Q2 and Q3 of 2024, Corvus observed a significant rise in the use of VPNs as an initial access vector in ransomware incidents, with the percentage of attacks using this method increasing from 4.8% to 28.6%. Beyond VPNs, ransomware actors are also targeting known vulnerabilities for initial access. In November, nearly 6% of victims were running outdated Microsoft Exchange Servers, many still using versions from 2021 and 2022, which remain vulnerable to the long-standing ProxyShell and ProxyNotShell exploits, commonly leveraged by ransomware groups.

Suggested Corrections:
Organizations should prioritize regular software updates, particularly for systems like Microsoft Exchange, and implement multi-factor authentication (MFA) to secure access points, especially VPNs. Employing network segmentation, endpoint detection, and regular, secure backups can help limit the impact of ransomware attacks.

Link(s):
https://www.corvusinsurance.com/blog/november-2024-ransomware-update


https://www.infosecurity-magazine.com/news/akira-ransomhub-ransomware-claims/