September 2024 witnessed a 10.92% decline in ransomware incidents compared to the previous month, primarily due to a reduction in victim count from prominent groups such as LockBit. Ransomware groups like Medusa and Play saw dramatic increases, highlighting the ever-changing nature of the threat landscape. Despite a slight decline in victim count, RansomHub remained a dominant player. Sectors like FMCG and IT saw an increase in attacks, while others, including healthcare and hospitality, experienced a decrease. Geographically, the United States continued to be the most targeted region.
Welcome to the September 2024 ransomware report, offering an in-depth analysis of the evolving threat landscape. This report compares ransomware activity levels between August and September 2024, highlighting key shifts and the strategies of prominent ransomware groups. It also identifies the most targeted industries and regions, providing insights into how attacks are adapting and evolving. By examining these trends, the report aims to provide a comprehensive understanding of the changing tactics and focus areas of ransomware actors throughout the month.
Throughout September 2024, there was notable activity from several ransomware groups. Here are the trends regarding the top 5:
In September 2024, ransomware trends exhibited significant shifts, with emerging groups gaining momentum. Notably, the Play ransomware group saw a sharp increase in activity, with a 48.3% rise in victims compared to August. Medusa displayed the most dramatic growth, recording a staggering 525% increase in its victim count. On the other hand, RansomHub experienced a slight decrease, with a 7% decline, dropping from 71 to 66 victims. Meanwhile, the Meow ransomware witnessed a significant drop in activity, with a 55.3% decrease. Lastly, Qilin ransomware remained consistent, with minor changes in victim numbers. These shifts highlight the volatile nature of ransomware activity, where certain groups are rapidly expanding while others see diminished operations.
RansomHub
Despite the reduction in its victim count, RansomHub retained the highest number of victims in September 2024.
RansomHub, a newly emerged ransomware group, debuted its leak site in February 2024. It is likely an updated iteration of the older Knight ransomware, rebranded by new actors who possibly acquired Knight’s source code earlier in 2024. The group's ransomware targets multiple platforms and leverages vulnerabilities for initial access. Employing advanced obfuscation and attack techniques, RansomHub has swiftly become a significant player in the ransomware threat landscape.
Below are the observed TTPs of RansomHub:
| Tactic | ID | Technique |
|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application |
| Initial Access | T1133 | External Remote Services |
| Resource Development | T1588.006 | Obtain Capabilities: Vulnerabilities |
| Resource Development | T1587.001 | Develop Capabilities: Malware |
| Persistence | T1098 | Account Manipulation |
| Defense Evasion | T1562.009 | Impair Defenses: Safe Mode Boot |
| Defense Evasion | T1562 | Impair Defenses |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools |
| Discovery | T1016 | System Network Configuration Discovery |
| Collection | T1560.001 | Archive Collected Data: Archive via Utility |
| Command and Control | T1105 | Ingress Tool Transfer |
| Command and Control | T1219 | Remote Access Software |
| Command and Control | T1090 | Proxy |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Impact | T1486 | Data Encrypted for Impact |
| Impact | T1657 | Financial Theft |
In September 2024, ransomware attacks demonstrated varying trends across industries. Manufacturing saw a 13.2% decrease in its victims, while FMCG recorded a 35.3% rise, increasing from 34 to 46 attacks. Real estate and construction experienced a 13.7% decline, while banking and finance saw a 16.7% drop. The IT sector observed a 23.5% increase in its incidents. Healthcare saw a 13% decline, and e-commerce & telecommunications recorded a 13.6% drop. Government and law were down by 15%, and hospitality saw the sharpest decline, at 26.1%. Transportation, on the other hand, rose by 33.3%, while education saw a 29.4% drop. Media and internet experienced a slight 11.1% increase, while the energy sector dropped by 44.4%. Metals and mining remained constant with no change. These fluctuations reflect the dynamic nature of ransomware attacks across sectors.
In September 2024, ransomware incidents decreased by 10.92% compared to August 2024. With medium confidence, this decline can be attributed to the weakened influence of prominent ransomware groups like LockBit. This shift in the threat landscape likely resulted from law enforcement takedowns targeting these groups.
This chart illustrates the geographical distribution of ransomware targets, with the United States being the most affected, accounting for 52.86% of attacks. Canada follows with 6.27%, and the United Kingdom at 4.63%. Other countries collectively represent 30.25% of the total. Notable targets also include Brazil at 3.54% and Belgium at 2.45%. This distribution underscores the concentration of ransomware attacks in key regions, with developed economies being prime targets for cybercriminals.
| Sr.No | CVE | CVSS | Vulnerability Name | Associated Threat Actor | Vulnerable Software Versions | Patch |
|---|---|---|---|---|---|---|
| 1 | CVE-2024-40766 | 9.8 | SonicWall SonicOS Improper Access Control Vulnerability | Akira | SonicWall Gen 5 running SonicOS version 5.9.2.14-12o and older; SonicWall Gen 6 running SonicOS version 6.5.4.14-109n and older; SonicWall Gen 7 running SonicOS version 7.0.1-5035 and older | YES |
Kransom ransomware disguises itself as the legitimate StarRail game, utilizing DLL side-loading to execute its malicious payload. It stores a malicious DLL file alongside the game, which the executable loads, allowing the ransomware to hijack the execution flow. By employing a valid certificate, the malware evades detection, appearing harmless to security measures. The encrypted ransomware code within the DLL is obfuscated using XOR, complicating detection efforts. When activated, the ransomware displays a message prompting users to contact the game’s developers for assistance, masking its true intent and exploiting the game’s structure to execute its attack.
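From the analyst's side, the XOR obfuscation described above can be hunted for directly: a PE image XORed with a repeating key still carries the "MZ" magic and the DOS stub string, just under the key. The following Python is an added example, not code from the report or from any vendor tool; it assumes a single-byte key (the report does not state Kransom's key length), and the DLL contents it scans are constructed inline.

```python
"""Hunt for a PE image hidden under a single-byte XOR key inside a DLL.

Assumption (not stated in the report): the payload is XORed with one
repeating byte. The sample DLL contents below are constructed, not real.
"""

MZ_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with the same single-byte key."""
    return bytes(b ^ key for b in data)


def find_xor_encoded_pe(blob: bytes, max_distance: int = 0x200) -> list:
    """Return (key, offset) pairs where an XOR-encoded PE header likely starts.

    A hit requires both the 'MZ' magic and, within max_distance bytes after
    it, the DOS stub string to decode under the same key; requiring both
    keeps two-byte coincidences from producing false positives.
    """
    hits = []
    for key in range(256):
        mz, stub = xor_bytes(MZ_MAGIC, key), xor_bytes(DOS_STUB, key)
        start = 0
        while (off := blob.find(mz, start)) >= 0:
            if stub in blob[off:off + max_distance]:
                hits.append((key, off))
            start = off + 1
    return hits


def decode_at(blob: bytes, key: int, offset: int) -> bytes:
    """Recover the embedded image from a hit so it can be triaged further."""
    return xor_bytes(blob[offset:], key)


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed DLL-like blob: a minimal PE-shaped header (e_lfanew = 0x80)
    XORed with key, wrapped in filler of consecutive byte values."""
    fake_pe = (MZ_MAGIC + b"\x90" * 0x3A + b"\x80\x00\x00\x00"  # e_lfanew at 0x3C
               + DOS_STUB + b"\x00" * (0x80 - 0x40 - len(DOS_STUB)) + b"PE\x00\x00")
    filler = bytes(range(256)) * 2  # 512 bytes, never matches 'MZ' under any key
    return filler + xor_bytes(fake_pe, key) + filler


if __name__ == "__main__":
    sample = build_sample()
    for key, off in find_xor_encoded_pe(sample):
        print(f"XOR key 0x{key:02X} at offset 0x{off:X}: "
              f"{decode_at(sample, key, off)[:2]!r}")
```

Run it against a suspect DLL by replacing `build_sample()` with the file's bytes; a hit with a non-zero key is a strong indicator of an embedded, obfuscated executable worth extracting.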
A new ransomware group, going by the name Nitrogen, launched its dark web leak site this week and had listed more than 6 victims on the site at the time of writing.
Source: Underground forum
Orca Ransomware is identified as a variant of the Zeppelin malware family, known for its potent encryption capabilities. Once it infiltrates a system, Orca encrypts files and modifies their names by appending the extension .ORCA followed by a unique victim ID. The group had claimed 3 victims at the time of writing.
Source: Underground forum
Based on available public reports, approximately 31% of enterprises are compelled to halt their operations, either temporarily or permanently, in the aftermath of a ransomware onslaught. The ripple effects extend beyond operational disruptions, as detailed by additional metrics:
Impact Assessment
Ransomware remains a major threat to organizations and individuals, encrypting critical data and demanding payment for its release. The impact extends beyond ransom demands, leading to financial losses from cybersecurity measures, recovery efforts, and operational disruptions. These attacks also erode customer trust, cause emotional distress, and result in potential regulatory violations. The damage to reputation and consumer confidence can destabilize markets and disrupt business operations. As such, it is crucial for businesses and governments to proactively address ransomware threats to protect financial stability and maintain public trust.
Victimology
Cybercriminals are intensifying their focus on businesses that store sensitive information, such as personal data, financial records, and intellectual property. Sectors like manufacturing, real estate, healthcare, FMCG, e-commerce, finance, and technology are especially vulnerable due to their extensive data assets. Targeting countries with strong economies and advanced digital systems, these criminals aim to maximize their ransom demands. Their approach involves exploiting vulnerabilities, encrypting essential data, and demanding substantial ransoms to achieve significant financial gains.
September 2024 demonstrated that the threat landscape remains highly adaptable and dynamic. The significant rise in attacks by groups like Medusa and the persistent influence of RansomHub emphasize the need for continuous vigilance and proactive defence strategies. The diverse impact across industries and regions indicates that ransomware operators are constantly shifting their targets and tactics to exploit vulnerabilities. New and evolving groups, such as Mallox and Cicada3301, highlight a trend toward more sophisticated multi-platform attacks. As groups increasingly leverage advanced tools and exploit critical vulnerabilities, the importance of robust cybersecurity measures and timely patching remains paramount. Ongoing monitoring and analysis will be essential to counter these evolving threats effectively.