Q2 2024 ransomware stats reflect shifting RaaS landscape – Go Health Pro
Ransomware statistics for Q2 of 2024 reflect a changing ransomware-as-a-service (RaaS) landscape following law enforcement shakeups earlier in the year.
ReliaQuest’s Ransomware and Cyber Extortion in Q2 2024 report identifies 1,237 organizations listed on ransomware leak sites, representing a 20% increase compared with Q1 2024.
However, the number of affected organizations saw only a minuscule increase of 1% between the first half of 2023 and the first half of 2024, suggesting that recent events have put a damper on the overall growth trend of ransomware attacks.
“Numbers of each month within Q2 2024 fluctuated significantly, likely due to upheavals in the RaaS ecosystem that caused ransomware groups to compete for affiliates,” ReliaQuest researchers wrote in a blog post Monday. “We anticipate a more consistent rise in ransomware incidents in the second half of 2024 as affiliates resume normal operations.”
Change of guard between old and new ransomware groups
A significant factor influencing the numbers published in ReliaQuest’s report is the impact of law enforcement activity on ransomware’s major players.
ALPHV/BlackCat’s withdrawal from the scene following FBI interference and a potential exit scam, paired with a weakening of LockBit after its own law enforcement disruption, cleared the way for newer ransomware gangs like RansomHub, BlackSuit and BlackBasta to recruit more affiliates and ramp up activities.
At the same time, a spike in claimed victims in the middle of Q2 was attributed to LockBit’s attempt to rebound from its February takedown. The group claimed 179 victims on its leak site in May, representing more than a third of that month’s affected organizations, but these numbers fell off in June, leading to a relatively quiet month.
ReliaQuest said that, despite the attempted comeback, LockBit’s reputation among fellow cybercriminals was sullied in the wake of its law enforcement disruption, with its likely false claim of breaching the U.S. Federal Reserve being the latest embarrassment for the former top dog.
“Dark web forum users remarked that such ‘fake’ claims will likely undermine affiliates’ willingness to collaborate,” ReliaQuest researchers wrote.
Meanwhile, emerging players like RansomHub are taking advantage of the disillusionment of former ALPHV/BlackCat and LockBit affiliates, offering fresh, lucrative opportunities to cybercriminals. RansomHub’s rise to fame was kicked off after its recruitment of former ALPHV/BlackCat affiliate notchy, which led to a second extortion attempt against Change Healthcare.
Unlike ALPHV/BlackCat, which allegedly took off with a $22 million ransom paid by UnitedHealth Group without paying out notchy’s share, RansomHub allows affiliates to collect ransom payments themselves and only send a 10% cut back to the group.
This makes RansomHub an especially attractive partner for financially motivated cybercriminals, including former affiliates of ALPHV/BlackCat and LockBit, and encourages targeting of “big game” organizations that are likely to pay larger ransoms. These factors likely led to the 243% increase in claimed RansomHub victims between Q1 and Q2 of 2024, and the disproportionately high number of U.S. organizations targeted due to the perception that U.S.-based companies are more likely to make high ransom payments.
BlackSuit was also noted as a rising contender in the ransomware ecosystem, seeing a 194% increase in victims claimed on its leak site between Q1 and Q2. ReliaQuest predicts that groups like RansomHub and BlackSuit will continue to see rising activity during the second half of the year as more affiliates are recruited, including those jumping ship from LockBit.
Initial access via stolen credentials, supply chain attacks expected to increase
ReliaQuest’s report also highlights changing tactics among cyberattackers, pointing to a potential shift in initial access vectors. Researchers identified a 30% increase in cybercriminal marketplace listings for infostealer logs, suggesting that exposed credentials will become a more prominent source of initial access in future ransomware and extortion attacks.
The breach of credentials of approximately 165 customers of data cloud company Snowflake is one example of this emerging attack vector, with signs that threat actors are leveraging the stolen credentials in extortion-only schemes. As more decryption keys for ransomware strains become available due to increased law enforcement activity, extortion-only attacks may gradually rise to displace double-extortion ransomware attacks, ReliaQuest predicts.
Software supply chain attacks are also a concern due to increased targeting of technology companies by ransomware groups, with the potential for secondary attacks against customers of the breached software providers. ReliaQuest noted a 35% increase in ransomware victims from the professional, scientific and technical services (PSTS) sector, which includes software companies.