TRACKING RANSOMWARE JULY 2024

Published On : 2024-08-12

EXECUTIVE SUMMARY

This report presents a comprehensive analysis of ransomware activities in July 2024, highlighting the marked increase in ransomware incidents led by groups like LockBit and RansomHub. The report also examines sector-specific impacts, with Education, Government & Law, and Energy showing notable attack increases. Additionally, the evolution of key ransomware groups, such as Black Basta and Play, and emerging threats like Vanir Group, and MAD LIBERATOR are discussed, emphasizing the growing complexity and reach of ransomware operations globally.

INTRODUCTION

This report analyses ransomware trends in July 2024 and explores the targeting of specific industries and regions. It also covers the vulnerabilities exploited by ransomware groups, emerging ransomware groups, and significant incidents. The findings emphasize the evolving threat landscape and the necessity for enhanced cybersecurity strategies to mitigate financial and operational risks.

KEY POINTS

  • In July 2024, the RansomHub ransomware group emerged as a significant threat, leading with a victim count of 45.
  • The Manufacturing sector is the primary target of ransomware attacks, experiencing 49 incidents in July 2024.
  • The USA was the most targeted geography in July 2024, with 183 ransomware incidents.
  • Ransomcortex, Vanir Group and Mad Liberator ransomware groups emerged as new threats in June 2024.

TREND COMPARISON OF JULY 2024’s TOP 5 RANSOMWARE GROUPS WITH JUNE 2024

Throughout July 2024, there was notable activity from several ransomware groups. Here are the trends regarding the top 5:

RansomHub saw a significant 87.5% increase in victims, indicating a sharp rise in activity. LockBit3 experienced a substantial 245.5% growth, reflecting a major escalation in its operations. Akira’s victim count increased by 45%, while Hunters saw a notable 187.5% rise, suggesting an intensifying threat. In contrast, Play’s victim count decreased by 38.7%, highlighting a reduction in its activity or effectiveness. This trend suggests an overall increase in ransomware activity, with LockBit3 and Hunters showing the most pronounced growth.

RANSOMWARE OF THE MONTH

RansomHub
RansomHub, a newly emerged ransomware group, debuted its leak site in February 2024. It is likely an updated iteration of the older Knight ransomware, rebranded by new actors who possibly acquired Knight’s source code earlier in 2024. Its ransomware targets multiple platforms and leverages vulnerabilities for initial access. Employing advanced obfuscation and attack techniques, RansomHub has swiftly become a significant player in the ransomware threat landscape in a very short period.

INDUSTRIES TARGETED IN JULY 2024 COMPARED WITH JUNE 2024

In July 2024, the victim counts across industries showed varied trends: Manufacturing decreased by 10.9%, Real Estate and Construction fell by 12.8%, and Government & Law rose by 42.9%. Education saw a significant increase of 250%, while Healthcare experienced a 21.7% rise. E-commerce and Telecommunications grew by 22.2%, and IT increased by 11.1%. Banking and Finance dropped by 19%, Hospitality went up by 60%, and Transportation decreased by 21.1%. FMCG saw a notable decline of 46.4%, Media and Internet increased by 42.9%, Energy rose by 125%, and Metals and Mining experienced a 200% increase. This data indicates a substantial rise in incidents in sectors like Education, Government & Law, and Energy, contrasting with declines in Manufacturing, Real Estate & Construction, and FMCG.

As anticipated in our previous monthly report, ransomware groups made a notable resurgence, demonstrating a return to their previous levels of activity.

TRENDS COMPARISON OF RANSOMWARE ATTACKS

In July 2024, the ransomware victim count reflected a 12% increase compared to the month prior. This rise in July follows a pattern of fluctuating activity observed in previous months, with July 2024’s count showing a rebound from the previous month’s lower figures. This trend indicates a renewed intensity in ransomware attacks as we move through 2024.

GEOGRAPHICAL TARGETS: TOP 5 LOCATIONS

Ransomware groups have primarily targeted the following five geographies: the United States (183), Canada (19), the United Kingdom (14), Italy (14), and Brazil (12). This data highlights the concentration of ransomware attacks in these regions, emphasizing the need for enhanced cybersecurity measures.

EVOLUTION OF RANSOMWARE GROUPS IN JULY 2024

Recent Evolution of Black Basta
Black Basta ransomware has evolved significantly in 2024, demonstrating adaptability by shifting to custom malware and new tools, following the disruption of its previous partner, QBot. The group now employs SilentNight backdoor malware, memory-only droppers like DawnCry and KnowTrap, and custom tunneling tools, such as PortYard and SystemBC. Additionally, Black Basta has integrated reconnaissance and execution utilities like CogScan and KnockTrock into its attack lifecycle. This evolution highlights Black Basta’s resilience and sophistication, as it continues to be a formidable global threat, leveraging advanced tactics and exploiting zero-day vulnerabilities to maintain its influence in the ransomware landscape.

Play Started targeting VMware ESXi VMs
Play ransomware has recently evolved to target VMware ESXi environments with a dedicated Linux locker, designed to encrypt virtual machines. This is the first recorded instance of Play ransomware focusing on ESXi systems, indicating a strategic shift towards broader Linux platform attacks. The ransomware first verifies its environment before executing, demonstrating advanced evasion techniques. It scans for and powers off all running virtual machines before encrypting files, such as VM disks and configurations, and appends the .PLAY extension to them.
Additionally, Play ransomware now utilizes URL-shortening services for operational aspects, further illustrating its adaptability and sophistication in the ransomware landscape.
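As an added illustration, not code from this report or from any vendor it cites, here is a defender-side check for the file-level indicator described above: it walks a datastore file listing and groups VM artifacts carrying the .PLAY extension by VM directory. The list of ESXi artifact extensions and the assumption that .PLAY is appended after the original file name are mine; the listing is constructed.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# ESXi artifacts an ESXi locker is reported to encrypt: VM disks and
# configuration/state files. Extension list is an assumption based on
# typical ESXi datastore layouts, not taken from the report.
VM_ARTIFACT_SUFFIXES = {".vmdk", ".vmx", ".vmsd", ".vmsn", ".vmss", ".nvram", ".vswp"}
# Extension named in the report; assumed to be appended after the original name.
LOCKER_SUFFIX = ".PLAY"


def find_encrypted_vms(paths, locker_suffix=LOCKER_SUFFIX):
    """Group locker-renamed VM files by their VM directory.

    `paths` is any iterable of datastore file paths (e.g. collected with
    os.walk over /vmfs/volumes). Returns {vm_dir: sorted original file names}.
    Renamed files whose original extension is not a VM artifact are still
    reported, under the key "other", so nothing suspicious is silently dropped.
    """
    hits = defaultdict(list)
    for raw in paths:
        p = PurePosixPath(raw)
        if not p.name.endswith(locker_suffix):
            continue
        original = p.name[: -len(locker_suffix)]
        orig_suffix = PurePosixPath(original).suffix.lower()
        key = str(p.parent) if orig_suffix in VM_ARTIFACT_SUFFIXES else "other"
        hits[key].append(original)
    return {k: sorted(v) for k, v in hits.items()}


def summarize(hits):
    """Return (number of affected VM directories, number of encrypted VM files)."""
    vm_keys = [k for k in hits if k != "other"]
    n_files = sum(len(hits[k]) for k in vm_keys)
    return len(vm_keys), n_files


# Constructed datastore listing (not real telemetry) for a stand-alone run.
SAMPLE_LISTING = [
    "/vmfs/volumes/ds1/web01/web01.vmx.PLAY",
    "/vmfs/volumes/ds1/web01/web01-flat.vmdk.PLAY",
    "/vmfs/volumes/ds1/web01/web01.vmdk.PLAY",
    "/vmfs/volumes/ds1/web01/vmware.log",
    "/vmfs/volumes/ds1/db02/db02.vmx",
    "/vmfs/volumes/ds1/db02/db02.vmdk",
    "/vmfs/volumes/ds1/iso/readme.txt.PLAY",
]

if __name__ == "__main__":
    result = find_encrypted_vms(SAMPLE_LISTING)
    for vm_dir, files in result.items():
        print(f"{vm_dir}: {', '.join(files)}")
    print("affected VM dirs, encrypted VM files:", summarize(result))
```

On a real host the same function can be fed the output of a datastore walk; a non-empty result on a VM directory is a strong indicator that the locker has already run there.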

SEXi rebranded as APT INC
The SEXi ransomware operation, now rebranded as APT INC, has intensified its attacks since February 2024, using leaked Babuk and LockBit 3 encryptors. APT INC primarily targets VMware ESXi servers, encrypting virtual machine files, while leaving OS files unaffected. The operation gained notoriety with a significant attack on Chilean hosting provider IxMetro Powerhost. Victims report ransom demands ranging from tens of thousands to millions of dollars, with no known weaknesses in the encryptors for file recovery. APT INC continues to use the same encrypted messaging application for ransom negotiations as its predecessor.

Eldorado now targets VMware ESXi VMs
Eldorado ransomware, a new ransomware-as-a-service (RaaS) that emerged in March, initially targeted Windows systems. It has since expanded to include VMware ESXi VMs. This ransomware encrypts files on both platforms using advanced ChaCha20 encryption, with customizable attack options for affiliates.

VULNERABILITIES EXPLOITED IN JULY 2024 BY RANSOMWARE GROUPS

| Sr.No | CVE | CVSS | Vulnerability Name | Associated Threat Actor | Affected Product | Patch |
|---|---|---|---|---|---|---|
| 1 | CVE-2024-37085 | 7.2 | VMware ESXi Authentication Bypass Vulnerability | Black Basta ransomware | VMware ESXi: 7.0 – ESXi80U2sb-23305545 | Available |
| 2 | CVE-2023-27532 | 7.5 | Veeam Backup & Replication Cloud Connect Missing Authentication for Critical Function Vulnerability | EstateRansomware | Backup & Replication: before 12.0.0.1420 P20230223 | Available |

EMERGING GROUPS

Vanir Group
The Vanir Group, a new ransomware group, has quickly gained attention for its aggressive and professional tactics, publicizing its attacks so far via a data leak site. The group issued an intimidating message to the CEOs or domain administrators of the affected companies, stating that their internal infrastructure had been compromised, backups deleted or encrypted, and critical data stolen. They emphasize the importance of cooperation to avoid further damage and threaten to sell or distribute the stolen data if their demands are not met. The Vanir Group’s website also features an interactive terminal for updates and invites potential affiliates to join their operations.

Interestingly, the group’s leak site appears similar to that of Akira, another infamous ransomware group.

Data leak site of the Ransomware group

Ransomcortex
Limited information is currently available about this ransomware, but the group has claimed three victims, all notably within the healthcare sector and located in Brazil.

Data leak site of the Ransomware group

MAD LIBERATOR
MAD LIBERATOR, a newly emerged ransomware group, launched its leak site in July 2024. They claim to assist companies in fixing security issues and recovering files for a fee. If payment is not made, the group threatens to list the companies and publish their data. Files are encrypted using AES/RSA for security. During the writing of this report, the group had listed 8 victims on its leak site.

Data leak site of the Ransomware group

KEY RANSOMWARE EVENTS IN JULY 2024

Russian-speaking groups seen dominating the ransomware landscape
Russian-speaking threat actors have increasingly dominated the ransomware landscape, accounting for over 69% of crypto-related proceeds in the past year, exceeding $500 million. This shift highlights their significant role in cybercrime, including ransomware, illicit crypto exchanges, and darknet markets. In 2023, these actors led major ransomware operations and controlled a substantial share of illicit crypto transactions. The trend reflects their evolving tactics and the growing sophistication of their operations. The dominance of Russian-speaking groups in both ransomware and other crypto-enabled crimes underscores their entrenched position in the global cybercrime ecosystem.

Russians plead guilty
Two Russian nationals have admitted to participating in LockBit ransomware attacks, which targeted victims worldwide. As affiliates of LockBit’s ransomware-as-a-service operation, they breached vulnerable systems, stole data, and deployed ransomware to encrypt files. One individual has been arrested and faces up to 25 years in prison, while the other has been sentenced to four years. Despite recent law enforcement actions that seized LockBit infrastructure and decryption keys, the ransomware group remains active, continuing to target victims and release stolen data.

DoNex ransomware decryptor released
A flaw in the cryptographic scheme of the DoNex ransomware family has been identified, allowing victims to recover their files for free, using a newly released decryptor. The flaw, impacting all variants of DoNex, was revealed at a recent cybersecurity conference. The vulnerability involves issues with the encryption key generation and application of ChaCha20 and RSA-4096 algorithms. The decryptor, which has been available since March 2024 through private channels, was publicly released following the flaw’s disclosure. Victims are advised to use a large example file for decryption and to back up their encrypted data before proceeding.

Scattered Spider Adopts New Ransomware Strains
Scattered Spider, a threat actor group known for its social engineering tactics and attacks on VMware ESXi servers, has recently adopted RansomHub and Qilin ransomware in its operations. RansomHub, a rebranded variant of Knight ransomware, has become increasingly popular among various threat actors. While Scattered Spider previously used the now-defunct BlackCat ransomware, it has shifted to deploying RansomHub in post-compromise scenarios.

BUSINESS IMPACT ANALYSIS

Based on available public reports, approximately 31% of enterprises are compelled to halt their operations, either temporarily or permanently, in the aftermath of a ransomware onslaught. The ripple effects extend beyond operational disruptions, as detailed by additional metrics:

  • A significant 40% of affected organizations are forced into downsizing their workforce due to the financial strain caused by the attack.
  • The aftermath sees 35% of businesses experiencing turnover at the executive level, with C-suite members stepping down in the wake of the security breach.
  • The financial toll of cyber incidents is staggering, with the average cost burden to companies, irrespective of their size, estimated at around $200,000. This figure underscores the substantial economic impact of cyber threats.
  • Alarmingly, 75% of small to medium-sized enterprises (SMEs) face existential threats, admitting that a successful ransomware extortion would likely force them to close.
  • The long-term viability of these entities is also in jeopardy, with 60% of small businesses shutting down within six months post-attack, highlighting the enduring impact of such security breaches.
  • Even in instances where ransoms are not conceded to, organizations bear significant financial weight in their recovery and remediation endeavors to restore normality and secure their systems.

In a recent incident, a Fortune 50 company paid a record $75 million ransom to Dark Angels, setting a new benchmark in ransomware payouts. This unprecedented sum highlights the increasing financial stakes of ransomware attacks, emphasizing the need for robust security measures and contingency plans to mitigate potential high-cost scenarios.

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Impact Assessment
Ransomware is a severe threat to organizations and individuals, as it involves seizing critical data and demanding ransoms for its release. These attacks can cause significant financial losses, not only through ransom payments but also from the costs associated with cybersecurity measures and recovery efforts. The impact extends to operational disruptions, loss of customer trust, and emotional strain on victims. Additionally, ransomware incidents can lead to regulatory breaches, tarnishing reputations, eroding consumer confidence, and destabilizing markets. Thus, combating ransomware is essential for businesses and governments to protect financial stability and maintain public trust.

Victimology
Cybercriminals are increasingly targeting businesses that store valuable data, including personal details, financial information, and intellectual property. Industries such as manufacturing, real estate, healthcare, FMCG, e-commerce, finance, and technology are particularly at risk due to their vast data resources. These criminals focus on countries with strong economies and advanced digital infrastructures to maximize ransom demands. Their strategy is clear: identify vulnerabilities, encrypt critical data, and demand large ransoms, aiming to generate significant profits.

CONCLUSION

The findings from July 2024 reflect a concerning escalation in ransomware activity, driven by both established and emerging groups. The sharp rise in victim counts, particularly in sectors like Education and Energy, signals a growing threat landscape. The evolution of ransomware tactics, including the targeting of VMware ESXi environments and the emergence of new groups, suggests a continuing trend of sophistication and adaptability. Organizations must enhance their cybersecurity measures to mitigate the expanding threat posed by these increasingly aggressive ransomware actors.

STRATEGIC RECOMMENDATIONS:

  • Strengthen cybersecurity measures: invest in robust cybersecurity solutions, including advanced threat detection and prevention tools, to proactively defend against evolving ransomware threats.
  • Employee training and awareness: conduct regular cybersecurity training for employees to educate them about phishing, social engineering, and safe online practices to minimize the risk of ransomware infections.
  • Incident response planning: develop and regularly update a comprehensive incident response plan to ensure a swift and effective response in case of a ransomware attack, reducing the potential impact and downtime.

MANAGEMENT RECOMMENDATIONS:

  • Cyber Insurance: Evaluate and consider cyber insurance policies that cover ransomware incidents to mitigate financial losses and protect the organization against potential extortion demands.
  • Security audits: conduct periodic security audits and assessments to identify and address potential weaknesses in the organization’s infrastructure and processes.
  • Security governance: establish a strong security governance framework that ensures accountability and clear responsibilities for cybersecurity across the organization.

TACTICAL RECOMMENDATIONS:

  • Patch management: regularly update software and systems with the latest security patches to mitigate vulnerabilities that threat actors may exploit.
  • Network segmentation: implement network segmentation to limit the lateral movement of ransomware within the network, isolating critical assets from potential infections.
  • Multi-Factor authentication (MFA): enable MFA for all privileged accounts and critical systems to add an extra layer of security against unauthorized access.