STOCK TITAN

Active Ransomware Threat Groups Up 30% in 2024

Rhea-AI Impact
(Neutral)
Rhea-AI Sentiment
(Negative)
Tags

Secureworks' 2024 State of the Threat Report reveals a 30% year-over-year increase in active ransomware groups, indicating fragmentation in the criminal ecosystem. Key findings include:

- 31 new ransomware groups emerged in the past 12 months
- LockBit remains the most active group with 17% of listings, down 8% from last year
- PLAY doubled its victim count, becoming the second most active group
- RansomHub, a new group, quickly became the third most active

The report also highlights an increase in adversary-in-the-middle (AiTM) attacks and the growing use of AI by cybercriminals. Law enforcement activities have disrupted major ransomware operations, leading to a more fragmented landscape with varying tactics and dwell times.

Il Rapporto sullo Stato della Minaccia 2024 di Secureworks rivela un incremento del 30% anno su anno dei gruppi di ransomware attivi, indicando una frammentazione nell'ecosistema criminale. I principali risultati includono:

- Sono emersi 31 nuovi gruppi di ransomware negli ultimi 12 mesi
- LockBit rimane il gruppo più attivo con il 17% delle segnalazioni, in calo dell'8% rispetto all'anno scorso
- PLAY ha raddoppiato il numero delle sue vittime, diventando il secondo gruppo più attivo
- RansomHub, un nuovo gruppo, è rapidamente diventato il terzo gruppo più attivo

Il rapporto evidenzia anche un aumento degli attacchi adversary-in-the-middle (AiTM) e il crescente utilizzo dell'IA da parte dei criminali informatici. Le attività delle forze dell'ordine hanno interrotto operazioni major di ransomware, portando a un paesaggio più frammentato con tattiche e tempi di permanenza variabili.

El Informe sobre el Estado de la Amenaza 2024 de Secureworks revela un aumento del 30% año tras año en los grupos de ransomware activos, lo que indica una fragmentación en el ecosistema criminal. Los hallazgos clave incluyen:

- 31 nuevos grupos de ransomware surgieron en los últimos 12 meses
- LockBit sigue siendo el grupo más activo con el 17% de las listas, una disminución del 8% en comparación con el año pasado
- PLAY duplicó su número de víctimas, convirtiéndose en el segundo grupo más activo
- RansomHub, un nuevo grupo, se convirtió rápidamente en el tercer grupo más activo

El informe también destaca un aumento en los ataques adversary-in-the-middle (AiTM) y el creciente uso de IA por parte de los ciberdelincuentes. Las actividades de las fuerzas del orden han interrumpido las grandes operaciones de ransomware, llevando a un paisaje más fragmentado con tácticas y tiempos de permanencia variados.

Secureworks의 2024 위협 현황 보고서에서는 활동 중인 랜섬웨어 그룹의 연간 30% 증가를 밝혀내어 범죄 생태계의 분열을 나타냅니다. 주요 결과는 다음과 같습니다:

- 지난 12개월 동안 31개의 새로운 랜섬웨어 그룹이 등장했습니다.
- 락빗(LockBit)은 여전히 17%의 비율로 가장 활발한 그룹이며, 작년보다 8% 감소했습니다.
- PLAY는 피해자 수를 두 배로 늘려 두 번째로 활발한 그룹이 되었습니다.
- 새로운 그룹인 RansomHub는 빠르게 세 번째로 활발한 그룹이 되었습니다.

이번 보고서는 또한 중간자 공격(adversary-in-the-middle, AiTM)의 증가와 사이버 범죄자에 의한 AI 사용 증가를 강조합니다. 법 집행 활동은 주요 랜섬웨어 작전을 중단시켰으며, 이로 인해 다양한 전술과 체류 시간이 나타나는 더욱 분열된 환경이 조성되었습니다.

Le Rapport sur l'État de la Menace 2024 de Secureworks révèle une augmentation de 30 % des groupes de ransomware actifs d'une année sur l'autre, indiquant une fragmentation de l'écosystème criminel. Les principales conclusions sont :

- 31 nouveaux groupes de ransomware ont émergé au cours des 12 derniers mois
- LockBit reste le groupe le plus actif avec 17 % des listings, soit une baisse de 8 % par rapport à l'année dernière
- PLAY a doublé le nombre de ses victimes, devenant ainsi le deuxième groupe le plus actif
- RansomHub, un nouveau groupe, est rapidement devenu le troisième groupe le plus actif

Le rapport souligne également une augmentation des attaques adversaire-intermédiaire (AiTM) et un usage croissant de l'IA par les cybercriminels. Les actions des forces de l'ordre ont perturbé d'importantes opérations de ransomware, conduisant à un paysage plus fragmenté avec des tactiques et des temps de prolongation variables.

Der 2024 Threat Report von Secureworks zeigt einen 30%igen Anstieg der aktiven Ransomware-Gruppen im Jahresvergleich, was auf eine Fragmentierung im kriminellen Ökosystem hinweist. Zu den wichtigsten Erkenntnissen gehören:

- In den letzten 12 Monaten sind 31 neue Ransomware-Gruppen entstanden
- LockBit bleibt die aktivste Gruppe mit 17% der Einträge, was einem Rückgang von 8% im Vergleich zum Vorjahr entspricht
- PLAY hat die Anzahl seiner Opfer verdoppelt und ist damit die zweitaktivste Gruppe geworden
- RansomHub, eine neue Gruppe, hat sich schnell zur dritta aktivsten Gruppe entwickelt.

Der Bericht hebt auch einen Anstieg der Adversary-in-the-Middle (AiTM)-Angriffe und die wachsende Nutzung von KI durch Cyberkriminelle hervor. Die Maßnahmen der Strafverfolgungsbehörden haben große Ransomware-Operationen gestört, was zu einer fragmentierteren Landschaft mit unterschiedlichen Taktiken und Verweildauern geführt hat.

Positive
  • 30% year-over-year increase in active ransomware groups, indicating market growth
  • Emergence of new ransomware groups like RansomHub, showing market dynamism
  • Increased use of AI by cybercriminals, potentially leading to more sophisticated attacks
Negative
  • Fragmentation of ransomware ecosystem may lead to unpredictable attack patterns
  • Rise in adversary-in-the-middle (AiTM) attacks, potentially reducing MFA effectiveness
  • Growing use of AI by cybercriminals for scaling attacks and improving scam credibility

Insights

The 30% increase in active ransomware groups signifies a major shift in the cybercrime landscape. This fragmentation is likely a response to law enforcement disruptions, particularly the takedowns of major players like LockBit and BlackCat/ALPV. The emergence of 31 new groups in just 12 months indicates a rapidly evolving threat environment.

Key points for investors:

  • Market disruption: Established players like LockBit are losing market share, creating opportunities for new entrants.
  • Increased complexity: The fragmented landscape means more diverse tactics, potentially challenging cybersecurity firms to adapt quickly.
  • AI adoption: The growing use of AI by cybercriminals could lead to more sophisticated and scalable attacks, potentially driving demand for advanced AI-powered security solutions.
  • Emerging threats: The rise of Adversary-in-the-Middle (AiTM) attacks poses new challenges to traditional security measures like MFA, potentially opening up new market segments for innovative security products.

For Secureworks (SCWX), this evolving landscape could present both opportunities and challenges. The company's threat intelligence capabilities may become more valuable, but they'll need to continuously innovate to stay ahead of the rapidly changing threat environment.

Secureworks' (NASDAQ: SCWX) 2024 State of the Threat Report provides valuable insights into the cybersecurity market, which could impact the company's financial performance and stock valuation.

Key financial implications:

  • Market expansion: The 30% increase in ransomware groups suggests a growing addressable market for cybersecurity solutions, potentially driving revenue growth for Secureworks.
  • Product demand: The fragmentation of the ransomware ecosystem may increase demand for advanced threat intelligence and adaptive security solutions, aligning with Secureworks' offerings.
  • Competitive advantage: Secureworks' deep insights into the evolving threat landscape, as demonstrated by this report, could strengthen its market position and justify premium pricing.
  • R&D investment: The rapidly changing threat environment may necessitate increased R&D spending to keep pace with new attack vectors and AI-powered threats.

While specific financial figures aren't provided, this report suggests a favorable market environment for Secureworks. Investors should monitor how effectively the company capitalizes on these trends in upcoming quarterly reports.

Secureworks annual State of The Threat Report outlines cybercriminals response as law enforcement operations successfully cause widespread disruption to ransomware operations

ATLANTA, Oct. 8, 2024 /PRNewswire/ -- Secureworks® (NASDAQ: SCWX) 2024 State of the Threat Report has revealed a 30% year-over-year rise in active ransomware groups, which demonstrates fragmentation of an established criminal ecosystem. 31 new groups entered the ransomware ecosystem during the last 12 months, and based on numbers of victims listed the three most active groups are:

  1. LockBit:The long established 'top dog' of ransomware groups accounted for 17% of listings, down 8% from last year, proving even further how the takedown has impacted their operations.
  2. PLAY: The second most active group, PLAY doubled its victim count year-over-year.
  3. RansomHub: A new group, emerging only a week after the LockBit takedown, is already the third most active group with 7% of the share of victims listed.

A landscape previously dominated by a few, is now home to a broader set of emerging ransomware players. As smaller groups look to become established, it means there is less repeatability and structure in how they operate and organizations need to continue to remain alert for a wider variety of tactics. This year's median dwell time of 28 hours reflects the newness of these partnerships. While some clusters of groups are executing fast 'smash-and-grab' attacks within hours, others spend hundreds of days in networks in the most extreme cases. As the new ecosystem continues to take shape, we can expect to see further variation and shifts in dwell times and methodology.

The annual State of the Threat Report examines the cybersecurity landscape from June 2023 to July 2024. Additional key findings include:

  • Law enforcement activity targeting GOLD MYSTIC (LockBit) and GOLD BLAZER (BlackCat/ALPV) caused significant disruption to the status quo of the ransomware operating landscape.
  • The number of active ransomware groups using "name and shame" leak sites grew 30% year-over-year.
  • Despite this growth in ransomware groups, victim numbers did not rise at the same pace, showing a significantly more fragmented landscape posing the question of how successful these new groups might be.
  • Scan-and-exploit and stolen credentials remain the two largest initial access vectors (IAV) observed in ransomware engagements based on our observations.
  • Observed increase in adversary-in-the-middle (AiTM) attacks – a notable and concerning trend for cyber defenders.
  • AI is growing in use and in variation for cybercriminals – expanding the scale and credibility of existing scams like CEO fraud or "obituary pirates."

Shifting Sands of Ransomware

"Ransomware is a business that is nothing without its affiliate model. In the last year, law enforcement activity has shattered old allegiances, reshaping the business of cybercrime. Originally chaotic in their response, threat actors have refined their business operations and how they work. The result is a larger number of groups, underpinned by substantial affiliate migration," said Don Smith, VP Threat Intelligence, Secureworks Counter Threat Unit™ (CTU™). "As the ecosystem evolves, we have entropy in threat groups, but also unpredictability in playbooks, adding significant complexity for network defenders."

AiTM and AI as Growing Threats

In the past year, threat actors are increasingly stealing credentials and session cookies to gain access by using AiTM attacks. This potentially reduces the effectiveness of some types of MFA, a worrying trend for network defenders. These attacks are facilitated and automated by phishing kits that are available for hire on underground marketplaces and Telegram. Popular kits include Evilginx2, EvilProxy and Tycoon2FA.

As AI tools have become widespread and readily available, it was inevitable that cybercriminals would take note as they look to scale. Since mid-February 2023, Secureworks CTU researchers have observed an increase in posts on underground forums about OpenAI ChatGPT and how it can be employed for nefarious purposes. Much of the discussion relates to relatively low-level activity including phishing attacks and basic script creation.

"The cybercrime landscape continues to evolve, sometimes minor, occasionally more significant. The growing use of AI lends scale to threat actors, however the increase of AiTM attacks presents a more immediate problem for enterprises, reinforcing that identity is the perimeter and should cause enterprises to take stock and reflect on their defensive posture," continued Smith.  

One novel example of AI being used by threat actors, as observed by Secureworks researchers, was the role it played in a fraud perpetrated by so-called obituary pirates. Threat actors monitored Google trends following a death to identify interest in obituaries and then used generative AI to create lengthy tributes on sites that were manipulated to the top of Google search results by SEO poisoning. They then directed users to other sites pushing adware or potentially unwanted programs.

State-Sponsored Threat Activity – A Summary

The report also examines the significant activities and trends in the behavior of state-sponsored threat groups belonging to China, Russia, Iran, and North Korea. This year, we are also including threat group activity from Hamas, which has seen a notable increase since the outbreak of the Israel-Hamas war, now spilling over into the public domain and our aperture. The primary drivers for these countries are geopolitical.

China:

Chinese cyber activity has continued to track with previous Secureworks observations. Their aims are broadly focused on information theft for political, economic, and military gain. Much of this activity targeted at industrial sectors that align with the high-level objectives of the Chinese Communist Party's (CCP) Five Year Plan. In October 2023, the heads of the US, UK, Australian, Canadian, and New Zealand security agencies warned of the "epic scale" of Chinese espionage. State-sponsored threat actors were not immune to the law enforcement activity. In March 2024, the US State Department unsealed indictments against seven named individuals all part of the BRONZE VINEWOOD threat group. The indictments contain details of an extensive campaign of intrusions committed by the group over more than a decade of malicious activity. In the same month, the UK government stated that China was responsible for two malicious campaigns against the UK Electoral Commission between 2021 and 2022. However, no information was released about the group responsible.

Iran:

Iranian internal and external cyber activity remained driven by its political imperatives. Internationally, Iran primarily focuses on Israel, regional adversaries including Saudi Arabia, United Arab Emirates and Kuwait, and the US. Iran makes regular use of fake hacktivist personas to target enemies, allowing itself plausible deniability. There are two primary Iranian sponsors of cyber activity: the Islamic Revolutionary Guard Corp (IRGC) and the Ministry of Intelligence and Security (MOIS).

North Korea:

North Korean threat actors continued their pursuit of revenue generation via cryptocurrency theft and sophisticated fraudulent employment schemes to gain access to Western jobs. They were persistent in targeting the IT sector and weaknesses in the supply chain. There was a major focus on entities in the US, South Korea, and Japan. These activities were set within the geopolitical context of an increased willingness on the part of North Korea to work with Russia and Iran, with the intent to foster relations with countries that are prepared to confront related, perceived enemies despite international sanctions.

Hamas:

Secureworks tracks three threat groups: ALUMINUM SHADYSIDE, ALUMINUM SARATOGA and ALUMINUM THORN considered to be aligned with Hamas, the militant group that governs the Gaza Strip. The outbreak of the Israel-Hamas war in October 2023 led to an uptick of cyber activity targeted at Israel and countries perceived to be aligned with them. However, much of that activity is thought to have been the work of hacktivist groups and personas masquerading as Palestinian but more likely linked to Iran or Russia.

Russia:

The war in Ukraine continues to drive Russian state-sponsored cyber activity, both in Ukraine and abroad. Groups associated with all three of Russia's intelligence agencies were active throughout the past year. CTU researchers assess that Russia's most aggressive use of cyber capabilities in sabotage operations will remain focused on critical infrastructure targets within Ukraine. One notable example of this kind of activity this year was IRON VIKING's cyber espionage attacks against battlefield control systems used by Ukrainian defense forces.

State of the Threat Report 2024

This 8th edition of Secureworks State of the Threat Report provides a concise analysis of how the global cybersecurity threat landscape has evolved over the last 12 months. The information within the report is drawn from the Secureworks CTU firsthand observations of threat actor tooling and behaviors and includes actual incidents. Our annual threat analysis provides a deep dive insight into the threats our team has observed on the front line of cybersecurity.

The Secureworks State of the Threat Report can be read in full here: https://www.secureworks.com/resources/rp-state-of-the-threat-2024 

About Secureworks

Secureworks (NASDAQ: SCWX) is a global cybersecurity leader that secures human progress with Secureworks® Taegis™, a SaaS-based, open XDR platform built on 20+ years of real-world detection data, security operations expertise, and threat intelligence and research. Taegis is embedded in the security operations of thousands of organizations around the world who use its advanced, AI-driven capabilities to detect advanced threats, streamline and collaborate on investigations, and automate the right actions.

Connect with Secureworks via LinkedIn and Facebook or Read the Secureworks Blog

Cision View original content to download multimedia:https://www.prnewswire.com/news-releases/active-ransomware-threat-groups-up-30-in-2024-302267728.html

SOURCE Secureworks, Inc.

FAQ

What is the percentage increase in active ransomware groups according to Secureworks' 2024 report?

According to Secureworks' 2024 State of the Threat Report, there was a 30% year-over-year increase in active ransomware groups.

How many new ransomware groups entered the ecosystem in the last 12 months?

The report states that 31 new groups entered the ransomware ecosystem during the last 12 months.

What is the median dwell time for ransomware attacks in 2024 according to Secureworks (SCWX)?

According to Secureworks (SCWX), the median dwell time for ransomware attacks in 2024 is 28 hours.

Which ransomware group remains the most active according to Secureworks' 2024 report?

LockBit remains the most active ransomware group, accounting for 17% of listings, although this is down 8% from the previous year.

SecureWorks Corp

NASDAQ:SCWX

SCWX Rankings

SCWX Latest News

SCWX Stock Data

752.90M
13.94M
23.07%
52.59%
0.1%
Software - Infrastructure
Services-prepackaged Software
Link
United States of America
ATLANTA