In this period, ransomware activity showed dynamic trends, with prominent shifts among the top groups; LockBit recorded the most significant increase. Industries such as Manufacturing and FMCG showed contrasting trends, while geographical targeting predominantly affected the United States. Emerging groups like SpiderX and Arcusmedia highlight evolving threats, and major incidents include attacks on healthcare and the leak of ransomware source code, emphasizing the critical need for robust cybersecurity measures.
This report analyses ransomware trends in May 2024. It highlights the increased targeting of specific industries and regions, emerging ransomware groups, and significant incidents. The findings emphasize the evolving threat landscape and the necessity for enhanced cybersecurity strategies to mitigate financial and operational risks.
Throughout May 2024, there was notable activity across several ransomware groups. Here are the trends regarding the top 5 among them.
Between April and May 2024, LockBit3’s activity surged by a massive 625%, while Play saw a modest increase of 10.34% in its incidents. Incransom’s activity doubled (a 100% rise). Ransomhub experienced a slight increase of 4.17%, and Medusa, which had no activity in April, emerged with 23 incidents in May, indicating a significant comeback to the ransomware scene.
Emerging in 2019, LockBit is now one of the most prolific ransomware-as-a-service groups. Suspected to be of Russian origin with global affiliates, it is capable of targeting various operating systems. After their initial variant, LockBit released another two (LockBit versions 2.0 and 3.0 – LockBit Black) in 2021 and 2022 respectively, which employ various initial access methods, such as phishing and exploiting various public-facing vulnerabilities.
Despite law enforcement actions, LockBit swiftly rebounded, registering the highest number of victims this month, highlighting its technical prowess and resilience. Manufacturing was the primary target, with the United States as the focal geography. LockBit impacted companies with revenues from $5 million to $122.3 billion, affecting a broad range of businesses.
From April to May 2024, ransomware targeting increased in several industries. Manufacturing rose by 28.79%, Real Estate & Construction by 66.67%, and Banking & Finance by 105%. Government & Law saw a 48% increase, while Healthcare rose by 71.43%. E-commerce & Telecommunications experienced a 230% surge, IT by 55.56%, and Transportation by 21.05%. Education skyrocketed by 250%, and Hospitality increased by 17.65%. Media rose by 116.67%, while Energy decreased by 33.33%. FMCG decreased slightly by 4.26%.
Comparing May 2024 and April 2024, there’s a notable 57% increase in victim count. May consistently exhibits high victim counts across the years.
The United States (249), United Kingdom (34), Canada (23), Spain (19), and France (18) are the top 5 targeted regions for ransomware attacks. This focus likely stems from their economic prosperity, advanced technological infrastructure, high internet penetration, and geopolitical significance, offering cybercriminals lucrative opportunities for extortion and financial gains.
LockBit Black was seen being distributed via a botnet in the wild.
Since April, millions of phishing emails sent via the Phorpiex botnet have been distributing LockBit Black ransomware. The emails, using aliases like “Jenny Brown,” contain ZIP attachments with executables that deploy the ransomware. The campaign uses LockBit 3.0’s leaked builder and targets various industries globally. The Phorpiex botnet, active for over a decade, has evolved from a worm to an IRC-controlled trojan and has been involved in sextortion and cryptocurrency theft.
Black Basta involved in social engineering attacks.
Researchers observed threat actor Storm-1811 using Microsoft Teams and Quick Assist to perpetrate social engineering attacks leading to Black Basta ransomware’s deployment. Storm-1811 employs voice phishing (vishing) and malicious links to gain access via Quick Assist. They deliver Qakbot, RMM tools like ScreenConnect and NetSupport Manager, and Cobalt Strike. Storm-1811 also leverages EvilProxy phishing sites and SystemBC for persistence and command-and-control. PsExec is used to deploy Black Basta ransomware post-compromise.
SpiderX
SpiderX, a new ransomware-as-a-service promoted by threat actors on underground forums, is designed for Windows systems with advanced features surpassing its predecessor, Diablo. Key capabilities include ChaCha20-256 encryption for fast file encryption, offline functionality for stealth operations, comprehensive targeting of all connected drives, and a built-in information stealer that exfiltrates data to MegaNz. Marketed for $150, SpiderX poses a significant cybersecurity threat due to its affordability and efficiency.
Fakepenny
Researchers identified a new North Korean hacking group, Moonstone Sleet, active since August 2023. The threat actor uses custom ransomware – ‘FakePenny’ – which was first detected in April 2024, and includes a loader and an encryptor (its ransom notes resembling those used by Seashell Blizzard’s NotPetya). Moonstone Sleet’s ransom demands are notably high, with one reaching $6.6 million in Bitcoin, surpassing previous North Korean ransomware demands like WannaCry 2.0 and H0lyGh0st.
Arcusmedia
First identified in May, this group had been responsible for at least 17 incidents at the time of writing this report, primarily targeting South America across a wide range of sectors, including government, banking, finance, construction, architecture, music, entertainment, IT, manufacturing, professional services, healthcare, and education.
Rhysida’s attack on healthcare continues.
Singing River Health System, a major healthcare provider in Mississippi, suffered a ransomware attack impacting 895,204 individuals. Sensitive data, including personal and medical details, was exfiltrated. The attack, attributed to the Rhysida ransomware gang, led to data exfiltration and operational disruptions. Rhysida has leaked 80% of the stolen data. Singing River offers credit monitoring and urges vigilance against identity theft.
Ransomware source code for sale on hacking forums.
A cybercriminal known as “salfetka” is allegedly selling the source code of INC Ransom, a ransomware-as-a-service operation, for $300,000 on hacking forums. This sale coincides with changes within the INC Ransom operation, possibly indicating internal discord or plans for a new encryptor. However, the legitimacy of the sale remains uncertain.
Ransomware group seen targeting Windows admins via PuTTY, WinSCP ads.
A ransomware campaign targets Windows system administrators by promoting fake download sites for PuTTY and WinSCP via search engine ads. These sites contain Trojanized installers that deploy the Sliver toolkit, enabling further network access and potential ransomware deployment. The campaign mirrors tactics seen with BlackCat/ALPHV ransomware, indicating a growing threat via search engine advertisements for popular software.
Hacker gets 13 years’ imprisonment.
Ukrainian national Yaroslav Vasinskyi, a key REvil ransomware operator, was sentenced to 13 years in prison and ordered to pay $16 million in restitution for his role in over 2,500 attacks demanding over $700 million in ransoms. Arrested in 2021, he was linked to major incidents like the Kaseya supply-chain attack.
RansomHub hits online portal
RansomHub, a ransomware group, claimed responsibility for hacking Christie’s, accessing sensitive client information. The breach occurred before Christie’s spring sales, forcing alternatives to online bidding. Christie’s confirmed limited personal data theft but no financial records. The group threatened data release after Christie’s ceased ransom negotiations.
Based on available public reports, approximately 31% of enterprises are compelled to halt their operations, either temporarily or permanently, in the aftermath of a ransomware attack. The ripple effects extend beyond operational disruptions, as detailed by additional metrics:
Impact Assessment
Ransomware represents a severe threat, impacting organizations and individuals by hijacking critical data and demanding ransom for its return. These attacks often lead to significant financial losses, including ransom payments and substantial investments in cybersecurity for recovery. The repercussions also extend to operational disruptions, reduced customer trust, and emotional distress for those affected. Additionally, ransomware incidents can cause data regulation breaches, harming reputation, consumer confidence, and market stability. Consequently, combating ransomware is essential for businesses and government bodies to protect financial security and maintain public trust.
Victimology
Currently, cybercriminals are focusing on businesses that store valuable data, such as personal details, financial information, and intellectual property. Industries like manufacturing, real estate, healthcare, FMCG, e-commerce, finance, and technology are particularly vulnerable due to their extensive data resources. These criminals target countries with strong economies and advanced digital infrastructures to maximize their ransom demands. Their strategy is straightforward: find weaknesses, encrypt the data, and demand hefty ransoms, all with the goal of making substantial profits.
In May 2024, ransomware activity surged significantly, with LockBit3 and other groups intensifying their operations. Key industries such as manufacturing, finance, and education saw notable increases in attacks. Emerging threats like SpiderX and FakePenny highlight the evolving landscape, while high-profile incidents underscore the persistent threat ransomware poses globally. Despite law enforcement efforts, ransomware groups remain resilient and adaptive, exploiting vulnerabilities and targeting lucrative sectors, emphasizing the need for robust cybersecurity measures and vigilant monitoring.