
Ransomware Report February 2024

An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape

Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.

The healthcare industry has seen a rise in ransomware attacks, with the Change Healthcare incidents being the most critical. We have provided additional details regarding this incident in our latest Focus Friday blog post.

The group responsible for the attack, AlphV/BlackCat, is looking to exit with a final jackpot. They have already placed their source code up for sale and shut down their website. Two possible outcomes could result from this exit: either they will develop a new ransomware and re-emerge under a different name, or we will see new variants of AlphV ransomware operated by others. We have provided a detailed analysis of their exit in our blog post, and I have also shared my thoughts on this with DarkReading.

Law enforcement has dealt a significant blow to Lockbit through Operation Cronos, damaging their infrastructure and reputation. While they remain operational, they are not as effective as they were previously. They have begun to attack countries such as Turkey due to the involvement of agencies or cybersecurity companies in Operation Cronos. We have also conducted a thorough analysis of this operation in our blog, and I have shared my thoughts on this with InformationWeekly.

With AlphV exiting the stage and Lockbit recovering from the hit, new ransomware groups such as Hunters are on the rise. Play, 8Base, Akira, and BianLian continue to be among the top ranks.

targeted by them in the coming months. Akira and 8Base are now in second and third place, respectively, while Lockbit remains the dominant player.

Lockbit appears to be less strict about their ground rules regarding not attacking NGOs and hospitals.

Although the number of victims is similar to that of last month, the educational sector has become the third most attacked sector this month, having been in fifth place last month.

RANSOMWARE THREAT ANALYSIS

Ransomware Perpetrators Unmasked!

In the complex world of cybercrime, identifying the culprits is key to understanding and mitigating the threat.

Our data showcases a diverse range of ransomware groups, each with their own unique tactics, techniques, and procedures.
The top three dominating the landscape are Lockbit 3.0, Play, and WereWolves Group. Each of these groups has a distinct modus operandi and target preference, painting a picture of a highly specialized and segmented market.

It’s important to remember, however, that while these groups grab the headlines, countless other smaller, yet equally dangerous groups are operating under the radar. By understanding the tactics of these leading groups, organizations can better anticipate potential threats and adapt their defenses accordingly.

Geographic Hotspots of Ransomware

Global Reach: Tracing Ransomware’s Impact Across Nations

Ransomware attacks are a global epidemic, but they disproportionately affect certain regions. The United States consistently tops the chart with the highest number of ransomware victims.

Following the US, the UK and Canada are next on the list this month. Wealthy countries are generally favored targets due to their lucrative digital environments. Despite their wealth, some nations see fewer attacks, due to a sense of nationalism among the cybercriminal groups. This suggests the motivations of criminals vary from group to group, with some seeking financial gain and others making political statements.

Industry Breakdown

The distribution of ransomware attacks across industries highlights the varying degrees of cyber risk exposure.

Not all industries are targeted equally by ransomware groups. Our data shows that Manufacturing, Professional, Construction, and Healthcare bear the brunt of these attacks. The high value of data and often weaker cybersecurity defenses make these sectors particularly attractive targets. However, no industry is immune, and the ever-evolving nature of ransomware means that staying ahead of the curve is vital for all sectors. By understanding which industries are most targeted, we can infer the sectors that ransomware groups perceive as the most vulnerable or lucrative, helping to direct focus and resources in the ongoing fight against this cyber menace.

Geographical Preferences of Ransomware Groups

The geographical focus of ransomware groups reveals strategic patterns and preferences.

Each ransomware group has a unique footprint in terms of their geographical targets. The data shows that groups like LockBit 3.0, Hunters, and Play predominantly target specific regions.

Understanding these patterns can help nations and organizations to better anticipate and prepare for potential threats.

However, it’s critical to remember that cybercrime knows no borders, and organizations in all countries should remain vigilant against these rapidly evolving threats. The diversity in targeting underscores the global nature of the ransomware problem and the need for international cooperation in addressing it.

Ransomware Strikes: Industry-wide

Ransomware threats are industry-agnostic, but some sectors attract more attention than others.

Each ransomware group has a unique pattern of target selection, but some industries find themselves more frequently caught in the crosshairs. Based on our data, Manufacturing, Professional, Scientific and Technical Services, and Healthcare and Social Services often emerge as primary targets for ransomware attacks. For instance, one particular ransomware group, Lockbit 3.0, shows a discernible preference for Manufacturing. It’s critical for these industries to understand and anticipate these patterns, preparing robust defenses against potential threats. Remember, forewarned is indeed forearmed.

Spotlight on Ransomware Indicators

Ransomware indicators expose exploited vulnerabilities, shaping our understanding of ransomware group tactics.

Leveraging the data-rich platform of Black Kite, we analyze ransomware indicators to identify common vulnerabilities that ransomware groups exploit. These indicators, including IP addresses, domains, or hashes, have been associated with our list of victims this month.

By shedding light on use of out-of-date services/products, at least one credential leaked in the last 90 days, and MX and DNS misconfigurations, we highlight the cyber vulnerabilities ransomware groups actively exploit. Recognizing these indicators and taking prompt preventive measures can significantly strengthen an organization’s defenses against ransomware attacks.

At least one IP address that was part of a botnet, malware propagation, or spam propagation

Use of out-of-date services/products with possible vulnerabilities of high exploitability

At least one possible phishing domain

Open RDP or SMB ports publicly visible

At least one credential leaked in the last 90 days

MX and DNS misconfiguration that may allow spoofing and phishing attacks

Industry-wide RSI Breakdown

An analysis of the average RSI values across industries provides a clear picture of industry-specific cyber risks.

In our continuous monitoring of hundreds of thousands of companies, we’ve computed the average RSI (Ransomware Susceptibility Index) values for each industry. These values paint a comprehensive picture of the industry-specific cyber risks that organizations face. In this month’s analysis, Education, Nuclear reactors, materials and waste, and Communications show the highest average RSI values. The data suggests that these industries may have heightened exposure to ransomware threats and need to be especially proactive in bolstering their cybersecurity defenses.
