The ransomware landscape has changed dramatically over 2024. We have seen the appearance of a number of new groups, the breakdown of some of the titans of ransomware and a migration of affiliates to other groups.
According to Dragos’ latest report, at least 24 new ransomware groups emerged in the third quarter of 2024, bringing an increased focus on industrial organisations.
“These actors consistently attacked industrial sectors, employing several advanced tactics to exploit operationally critical IT systems. Notably, their campaigns seemed to prioritise industries and organisations with a low tolerance for downtime, such as healthcare, financial services, and industrial operations.
“By focusing on environments where operational disruption can lead to cascading impacts, these groups increased the likelihood of ransom payments, leveraging the criticality of uninterrupted services to pressure victims.”
A number of these groups were rebrands of dismantled groups or of other groups, particularly following the downfall of LockBit, which had been a cyber crime titan for some time until “Operation Cronos” dismantled its infrastructure and arrested a number of its key members.
RansomHub, for instance, whose website borrows much of its design language from LockBit, has flourished thanks to key affiliates such as Velvet Tempest, NoName, and Scattered Spider moving from the dismantled ALPHV and LockBit ransomware-as-a-service (RaaS) operations.
According to the report, “RansomHub … claimed over 300 victims globally in 2024”, which made it the most active ransomware group for the last quarter of the year, with 16 per cent of all ransomware attacks (90 incidents) being claimed by the group.
Dragos has also observed that ransomware operators are increasingly adopting new tactics often used by state-sponsored actors, such as living-off-the-land techniques, the abuse of remote access tools, targeting virtual environments, and the exploitation of VPN vulnerabilities to achieve their goals.
Dragos said that in the third quarter of 2024, hacktivist groups have also evolved to integrate ransomware elements, representing a major change in their tactics.
“Groups such as CyberVolk, Handala, and KillSec leveraged ransomware to amplify the disruption caused by their campaigns, blurring the lines between ideological activism and financially motivated cyber crime,” the report said.
CyberVolk raised particular concern, launching its RaaS platform in June and its own ransomware in July.
“This ransomware has been deployed in pro-Russian campaigns targeting critical infrastructure, combining encryption algorithms with advanced payload delivery mechanisms typically seen in financially motivated operations,” the report said.
While North America suffered the highest percentage of ransomware attacks for the year, with 304 incidents (approximately 55 per cent), the Oceanic region accounted for 2 per cent of all ransomware incidents, with Australia and New Zealand as primary targets.