In April 2024, ransomware activities displayed dynamic trends, with prominent shifts observed among top groups. While Hunters experienced a significant increase, LockBit faced a considerable decline. Industries like manufacturing and FMCG witnessed contrasting trends, while geographical targeting predominantly affected the United States. Emerging groups like SEXi and APT73 highlight evolving threats. Major incidents include attacks on Hoya Corporation and Omni Hotels, emphasizing the critical need for robust cybersecurity measures.
Against the backdrop of notable activity in April 2024, multiple ransomware groups displayed dynamic trends, affecting various sectors worldwide. This report explores a comparative analysis of the top five ransomware groups’ activities from March to April 2024. It also provides insights into industry-specific targeting and geographical impacts. Furthermore, it discusses emerging ransomware groups and key events, highlighting the evolving threat landscape and the imperative need for enhanced cybersecurity measures.
Throughout April 2024, there was notable ransomware activity, with the below graphic showing the evolving trends among the five most prominent groups:
In April 2024, Hunters experienced a significant surge in victims, marking a 66.67% increase compared to March. Conversely, Play witnessed a notable decline of 30.9% in its victim count during the same period. 8Base and Ransomhub both saw increases of 47.06% and 33.33% respectively, whereas LockBit faced a considerable decrease of 56.5% in its victim count compared to March.
Hunters International
In November 2023, the emergence of the Hunters International ransomware group marked a significant development in the ransomware landscape. Since then, it has consistently targeted various industries and geographies.
In April 2024, a notable shift occurred, with the decline of LockBit ransomware’s dominance coinciding with the rise of Hunters International (primarily by targeting the United States, and in particular, the FMCG sector).
Notably, the group’s targets varied widely in terms of revenue, ranging from $5 million to $3.4 billion, indicating a lack of specific targeting, and impacting a broad range of organizations of varying revenue scales.
From March to April, the Manufacturing sector experienced a 5.71% decline in victims, while the FMCG sector saw a notable 11.9% increase. Conversely, the Real Estate & Construction sector faced a substantial 21.43% reduction. The Government sector witnessed a significant surge of 47.06%, whereas Healthcare saw a 16% decrease. Banking & Finance noted a significant 37.5% decrease, while Transportation and IT sectors experienced minor increases of 5.56% and 5.88%, respectively. Despite variations in other sectors, the overall trend remained constant.
Despite experiencing a decrease of approximately 14.69% in victim count from March to April 2024, the impact of ransomware attacks on businesses remains significant. While the downward trend in April aligns with historical patterns, it doesn’t diminish the severity of the threat posed by ransomware attacks on businesses.
In April 2024, ransomware groups targeted various geographical regions, with the United States being the most heavily impacted, with 159 reported incidents. Canada followed with 20 incidents, while the United Kingdom, Germany, and Brazil experienced 15, 13, and 11 incidents respectively. These figures indicate a widespread global impact.
HelloKitty – Rebranded
The HelloKitty ransomware operation’s operator declared a name change to ‘HelloGookie,’ along with the release of passwords for previously leaked CD Projekt source code, Cisco network information, and decryption keys from past attacks. The rebranding coincides with a new dark web portal launch.
C3RB3R Ransomware is seen launching its data leak site by April 2024, however, at the time of writing, the leak site did not contain any victim information.
SEXi ransomware
In early April 2024, the SEXi Ransomware gained attention after targeting Chilean data center and hosting provider IxMetro Powerhost. This ransomware encrypted the company’s VMware ESXi servers and backups, appending the .SEXi extension to encrypted files and dropping ransom notes named SEXi.txt. The name ‘SEXi’ is believed to be a play on ‘ESXi,’ as the attacks exclusively target VMWare ESXi servers.
DarkVault
DarkVault, an alleged ransomware operation, surfaced in April 2024. The group has been seen engaging in illicit activities like bomb threats, doxing, and fraud, and is suspected of having ties to LockBit due to a similar data leak site. At the time of drafting this report, 22 victims were listed on the leak site by the group. Stay tuned to CYFIRMA Research reports for further details on this and the following groups.
APT73
APT73, a Ransomware Group, emerged in late April 2024 believed to be a spin-off from LockBit. This was discerned through the examination of their “Contact Us,” “How to buy Bitcoin,” or “Web Security & Bug Bounty” pages, which closely resemble LockBit’s Data Leak Site (DLS). At the time of drafting this report, 4 victims were listed on the leak site by the group.
Qiulong Ransomware
A new group dubbed Qiulong released its victim list and data leak site in April, targeting businesses specifically in Brazil. At the time of drafting this report, 6 victims were listed on the leak site.
Space Bears
A new cybercriminal group named Space Bears has emerged, sporting a unique front end with corporate stock images but also maintaining a classic “wall of shame” for their victims. Alongside instructions for affected companies, they operate both a .onion site and a clearnet website.
At the time of drafting this report, 7 victims were listed on the leak site by the group. Stay tuned to CYFIRMA Research reports for further details of this ransomware group.
Ransomware hits Hoya Corporation.
A well-known Japanese optics firm, Hoya Corporation, was hit by a ransomware attack causing significant damage to its IT systems and business units. Some reports indicate that the Hunters International ransomware group asked for $10 million to stop the release of files totaling 2 TB of data, but currently, no files have been shared on the Hunters leak site, and the group has not taken responsibility for the attack on Hoya.
LockBit making headlines again.
LockBit has added the District of Columbia Department of Insurance, Securities & Banking to its list of victims. The group claims to have obtained 800 GB of sensitive data from the department. Interestingly, they have reportedly sold the data in private and declared that it will not be published.
Akira ransomware amassed $42 million from over 250 victims.
A collective advisory from the FBI, CISA, Europol’s EC3, and the Netherlands’ NCSC-NL reveals that the Akira ransomware campaign infiltrated over 250 organizations, amassing approximately $42 million in ransom payments. Emerging in March 2023, Akira swiftly gained infamy by targeting diverse industry sectors globally. By June 2023, the group expanded its arsenal with a Linux encryptor, specifically targeting VMware ESXi virtual machines prevalent in enterprise settings.
8Base is hitting hard.
The 8Base ransomware gang targeted the United Nations Development Programme (UNDP), leading to the exfiltration of data from a locally hosted server. The breach included human resources and procurement information. Despite the attackers’ ransom demands, the agency is firm in its decision not to pay.
Daixin ransomware group claims Omni Hotels attack.
The recent cyberattack on Omni Hotels & Resorts was claimed by the Daixin Team ransomware gang. Following a significant outage that affected the company’s IT systems, reservation, hotel room door lock, and point-of-sale (POS) systems, Omni Hotels & Resorts found itself added to Daixin Team’s dark web leak site. The breach resulted in the exfiltration of a database containing 3,539,089 records of Omni Hotels visitors, including sensitive information such as names, email addresses, and more.
Based on available public reports approximately 31% of enterprises are compelled to halt their operations, either temporarily or permanently, in the aftermath of a ransomware onslaught. The ripple effects extend beyond operational disruptions, as detailed by additional metrics:
Impact Assessment
Ransomware poses a significant threat, creating hurdles for both organizations and individuals by stealing vital data and demanding payment for its return. The consequences of these attacks often result in substantial financial damages, whether through ransom payments, or subsequent investments in cybersecurity measures for data recovery. Additionally, financial losses extend to disrupted operations, and diminished customer confidence, not to mention the emotional toll on affected parties. Furthermore, such incidents can lead to breaches of data regulations, affecting reputation, consumer trust, and market stability. As a result, tackling ransomware becomes a critical imperative for businesses and government bodies to safeguard financial security and public confidence.
Victimology
Presently, threat actors concentrate on targeting businesses harboring valuable data, encompassing personal details, financial information, and intellectual property. Industries like Manufacturing, Real Estate, Healthcare, FMCG, E-commerce, Finance, and Technology face heightened susceptibility due to their wealth of data. Cybercriminals strategically select countries with robust economies and advanced digital infrastructures to optimize ransom returns. Their objective is clear: identify vulnerabilities, encrypt data, and demand substantial ransoms for release, all aimed at securing significant profits.
In April 2024, ransomware activities exhibited dynamic shifts, with notable increases in victim counts observed among groups such as Hunters, 8Base, and Ransomhub, while Play and LockBit experienced declines. The manufacturing sector emerged as the primary target, with the United States being the most affected geography. Emerging groups like SEXi, DarkVault, APT73, Qiulong, and Space Bears underscored the evolving ransomware landscape, posing continued threats to global cybersecurity. Major incidents included breaches at Hoya Corporation, and Omni Hotels & Resorts by Daixin Team. Despite fluctuations in victim counts across sectors, the overall impact of ransomware attacks on businesses remained significant, emphasizing the urgent need for enhanced cybersecurity measures and vigilance against evolving threats.
