Active Ransomware Threat Groups Up 30% in 2024

Rhea-AI Summary

Secureworks' 2024 State of the Threat Report reveals a 30% year-over-year increase in active ransomware groups, indicating fragmentation in the criminal ecosystem. Key findings include:

- 31 new ransomware groups emerged in the past 12 months
- LockBit remains the most active group with 17% of listings, down 8% from last year
- PLAY doubled its victim count, becoming the second most active group
- RansomHub, a new group, quickly became the third most active

The report also highlights an increase in adversary-in-the-middle (AiTM) attacks and the growing use of AI by cybercriminals. Law enforcement activities have disrupted major ransomware operations, leading to a more fragmented landscape with varying tactics and dwell times.

Positive

• 30% year-over-year increase in active ransomware groups, indicating market growth
• Emergence of new ransomware groups like RansomHub, showing market dynamism
• Increased use of AI by cybercriminals, potentially leading to more sophisticated attacks

Negative

• Fragmentation of ransomware ecosystem may lead to unpredictable attack patterns
• Rise in adversary-in-the-middle (AiTM) attacks, potentially reducing MFA effectiveness
• Growing use of AI by cybercriminals for scaling attacks and improving scam credibility

Secureworks annual State of The Threat Report outlines cybercriminals response as law enforcement operations successfully cause widespread disruption to ransomware operations

ATLANTA, Oct. 8, 2024 /PRNewswire/ -- Secureworks^® (NASDAQ: SCWX) 2024 State of the Threat Report has revealed a 30% year-over-year rise in active ransomware groups, which demonstrates fragmentation of an established criminal ecosystem. 31 new groups entered the ransomware ecosystem during the last 12 months, and based on numbers of victims listed the three most active groups are:

1. LockBit:The long established 'top dog' of ransomware groups accounted for 17% of listings, down 8% from last year, proving even further how the takedown has impacted their operations.
2. PLAY: The second most active group, PLAY doubled its victim count year-over-year.
3. RansomHub: A new group, emerging only a week after the LockBit takedown, is already the third most active group with 7% of the share of victims listed.

A landscape previously dominated by a few, is now home to a broader set of emerging ransomware players. As smaller groups look to become established, it means there is less repeatability and structure in how they operate and organizations need to continue to remain alert for a wider variety of tactics. This year's median dwell time of 28 hours reflects the newness of these partnerships. While some clusters of groups are executing fast 'smash-and-grab' attacks within hours, others spend hundreds of days in networks in the most extreme cases. As the new ecosystem continues to take shape, we can expect to see further variation and shifts in dwell times and methodology.

The annual State of the Threat Report examines the cybersecurity landscape from June 2023 to July 2024. Additional key findings include:

• Law enforcement activity targeting GOLD MYSTIC (LockBit) and GOLD BLAZER (BlackCat/ALPV) caused significant disruption to the status quo of the ransomware operating landscape.
• The number of active ransomware groups using "name and shame" leak sites grew 30% year-over-year.
• Despite this growth in ransomware groups, victim numbers did not rise at the same pace, showing a significantly more fragmented landscape posing the question of how successful these new groups might be.
• Scan-and-exploit and stolen credentials remain the two largest initial access vectors (IAV) observed in ransomware engagements based on our observations.
• Observed increase in adversary-in-the-middle (AiTM) attacks – a notable and concerning trend for cyber defenders.
• AI is growing in use and in variation for cybercriminals – expanding the scale and credibility of existing scams like CEO fraud or "obituary pirates."

Shifting Sands of Ransomware

"Ransomware is a business that is nothing without its affiliate model. In the last year, law enforcement activity has shattered old allegiances, reshaping the business of cybercrime. Originally chaotic in their response, threat actors have refined their business operations and how they work. The result is a larger number of groups, underpinned by substantial affiliate migration," said Don Smith, VP Threat Intelligence, Secureworks Counter Threat Unit™ (CTU™). "As the ecosystem evolves, we have entropy in threat groups, but also unpredictability in playbooks, adding significant complexity for network defenders."

AiTM and AI as Growing Threats

In the past year, threat actors are increasingly stealing credentials and session cookies to gain access by using AiTM attacks. This potentially reduces the effectiveness of some types of MFA, a worrying trend for network defenders. These attacks are facilitated and automated by phishing kits that are available for hire on underground marketplaces and Telegram. Popular kits include Evilginx2, EvilProxy and Tycoon2FA.

As AI tools have become widespread and readily available, it was inevitable that cybercriminals would take note as they look to scale. Since mid-February 2023, Secureworks CTU researchers have observed an increase in posts on underground forums about OpenAI ChatGPT and how it can be employed for nefarious purposes. Much of the discussion relates to relatively low-level activity including phishing attacks and basic script creation.

"The cybercrime landscape continues to evolve, sometimes minor, occasionally more significant. The growing use of AI lends scale to threat actors, however the increase of AiTM attacks presents a more immediate problem for enterprises, reinforcing that identity is the perimeter and should cause enterprises to take stock and reflect on their defensive posture," continued Smith.  

One novel example of AI being used by threat actors, as observed by Secureworks researchers, was the role it played in a fraud perpetrated by so-called obituary pirates. Threat actors monitored Google trends following a death to identify interest in obituaries and then used generative AI to create lengthy tributes on sites that were manipulated to the top of Google search results by SEO poisoning. They then directed users to other sites pushing adware or potentially unwanted programs.

State-Sponsored Threat Activity – A Summary

The report also examines the significant activities and trends in the behavior of state-sponsored threat groups belonging to China, Russia, Iran, and North Korea. This year, we are also including threat group activity from Hamas, which has seen a notable increase since the outbreak of the Israel-Hamas war, now spilling over into the public domain and our aperture. The primary drivers for these countries are geopolitical.

China:

Chinese cyber activity has continued to track with previous Secureworks observations. Their aims are broadly focused on information theft for political, economic, and military gain. Much of this activity targeted at industrial sectors that align with the high-level objectives of the Chinese Communist Party's (CCP) Five Year Plan. In October 2023, the heads of the US, UK, Australian, Canadian, and New Zealand security agencies warned of the "epic scale" of Chinese espionage. State-sponsored threat actors were not immune to the law enforcement activity. In March 2024, the US State Department unsealed indictments against seven named individuals all part of the BRONZE VINEWOOD threat group. The indictments contain details of an extensive campaign of intrusions committed by the group over more than a decade of malicious activity. In the same month, the UK government stated that China was responsible for two malicious campaigns against the UK Electoral Commission between 2021 and 2022. However, no information was released about the group responsible.

Iran:

Iranian internal and external cyber activity remained driven by its political imperatives. Internationally, Iran primarily focuses on Israel, regional adversaries including Saudi Arabia, United Arab Emirates and Kuwait, and the US. Iran makes regular use of fake hacktivist personas to target enemies, allowing itself plausible deniability. There are two primary Iranian sponsors of cyber activity: the Islamic Revolutionary Guard Corp (IRGC) and the Ministry of Intelligence and Security (MOIS).

North Korea:

North Korean threat actors continued their pursuit of revenue generation via cryptocurrency theft and sophisticated fraudulent employment schemes to gain access to Western jobs. They were persistent in targeting the IT sector and weaknesses in the supply chain. There was a major focus on entities in the US, South Korea, and Japan. These activities were set within the geopolitical context of an increased willingness on the part of North Korea to work with Russia and Iran, with the intent to foster relations with countries that are prepared to confront related, perceived enemies despite international sanctions.

Hamas:

Secureworks tracks three threat groups: ALUMINUM SHADYSIDE, ALUMINUM SARATOGA and ALUMINUM THORN considered to be aligned with Hamas, the militant group that governs the Gaza Strip. The outbreak of the Israel-Hamas war in October 2023 led to an uptick of cyber activity targeted at Israel and countries perceived to be aligned with them. However, much of that activity is thought to have been the work of hacktivist groups and personas masquerading as Palestinian but more likely linked to Iran or Russia.

Russia:

The war in Ukraine continues to drive Russian state-sponsored cyber activity, both in Ukraine and abroad. Groups associated with all three of Russia's intelligence agencies were active throughout the past year. CTU researchers assess that Russia's most aggressive use of cyber capabilities in sabotage operations will remain focused on critical infrastructure targets within Ukraine. One notable example of this kind of activity this year was IRON VIKING's cyber espionage attacks against battlefield control systems used by Ukrainian defense forces.

State of the Threat Report 2024

This 8^th edition of Secureworks State of the Threat Report provides a concise analysis of how the global cybersecurity threat landscape has evolved over the last 12 months. The information within the report is drawn from the Secureworks CTU firsthand observations of threat actor tooling and behaviors and includes actual incidents. Our annual threat analysis provides a deep dive insight into the threats our team has observed on the front line of cybersecurity.

The Secureworks State of the Threat Report can be read in full here: https://www.secureworks.com/resources/rp-state-of-the-threat-2024 

About Secureworks

Secureworks (NASDAQ: SCWX) is a global cybersecurity leader that secures human progress with Secureworks^® Taegis™, a SaaS-based, open XDR platform built on 20+ years of real-world detection data, security operations expertise, and threat intelligence and research. Taegis is embedded in the security operations of thousands of organizations around the world who use its advanced, AI-driven capabilities to detect advanced threats, streamline and collaborate on investigations, and automate the right actions.

Connect with Secureworks via LinkedIn and Facebook or Read the Secureworks Blog

View original content to download multimedia:https://www.prnewswire.com/news-releases/active-ransomware-threat-groups-up-30-in-2024-302267728.html

SOURCE Secureworks, Inc.

FAQ

What is the percentage increase in active ransomware groups according to Secureworks' 2024 report?

According to Secureworks' 2024 State of the Threat Report, there was a 30% year-over-year increase in active ransomware groups.

How many new ransomware groups entered the ecosystem in the last 12 months?

The report states that 31 new groups entered the ransomware ecosystem during the last 12 months.

What is the median dwell time for ransomware attacks in 2024 according to Secureworks (SCWX)?

According to Secureworks (SCWX), the median dwell time for ransomware attacks in 2024 is 28 hours.

Which ransomware group remains the most active according to Secureworks' 2024 report?

LockBit remains the most active ransomware group, accounting for 17% of listings, although this is down 8% from the previous year.