Ransomware Surge: Attackers Reclaim Momentum in 2024's Second Quarter

Symantec released a detailed report highlighting the resurgence of ransomware attacks in the second quarter of 2024. According to the report, ransomware actors claimed 1,310 attacks during this period, marking a 36% increase compared to the first quarter.

The original image was generated by OpenAI's DALL-E and edited by the author. Source: OpenAI (September 2024)

Introduction

On September 11, 2024, cybersecurity firm Symantec released a detailed report highlighting the resurgence of ransomware attacks in the second quarter of 2024. According to the report, ransomware actors claimed 1,310 attacks during this period, marking a 36% increase compared to the first quarter. The surge follows a temporary dip in activity observed in late 2023 and early 2024 due to a series of law enforcement actions.

Report Overview

Leading the increase was the LockBit ransomware operation, run by the Syrphid cybercrime group. After a major disruption by an international law enforcement operation in February 2024, LockBit bounced back with 353 claimed attacks in Q2, surpassing its previous activity levels and making it the most prolific ransomware actor of the quarter.

The vacuum left by Noberus, previously another dominant player in the ransomware scene, has been filled by emerging operations such as Qilin (aka Agenda) and RansomHub. Noberus shut down in March 2024 after reporting internal conflicts and external pressures, including law enforcement operations. Qilin, a ransomware-as-a-service (RaaS) platform, saw a 47% increase in attacks, claiming 97 incidents in Q2. Similarly, RansomHub, which first appeared in February 2024, quickly gained traction and tripled its claimed attacks to 75.

Insights and Analysis

Symantec's report also highlighted that while LockBit accounted for 27% of all publicly reported ransomware attacks, it was responsible for only 19% of incidents that advanced to payload deployment in Symantec's investigations. On the other hand, Play ransomware, which claimed a smaller share of publicly reported attacks, was involved in 19% of Symantec's confirmed cases.

The ransomware ecosystem has proven to be resilient, with skilled affiliates switching to new operations as older groups dissolve or face disruption. This adaptability poses a continued threat to organizations that may become the next target.

Symantec's report points out that many ransomware attacks are still exploiting known vulnerabilities. Notably, the Snakefly cybercrime group was observed actively targeting unpatched CrushFTP servers, leveraging CVE-2024-4040 to gain access to systems. Despite a patch being available since April 2024, many organizations had not updated their systems, leaving them vulnerable to attack.

The use of compromised Remote Desktop Protocol (RDP) servers with weak credentials also remains a prevalent vector. Symantec noted that poor network segmentation and the absence of multi-factor authentication (MFA) continue to expose organizations to heightened risks, enabling attackers to move laterally within networks.

Conclusion

The resurgence in ransomware attacks demonstrates that, despite law enforcement efforts, attackers continue to adapt and find new opportunities. Organizations are urged to prioritize patching known vulnerabilities, enforce MFA, and maintain strong cybersecurity hygiene to reduce the risk of falling victim to these attacks. As new ransomware operations gain momentum, the threat landscape remains dynamic and dangerous.

Preventative Measures:

  • Regularly patch public-facing applications.
  • Enforce strong passwords and MFA for all remote access systems.
  • Implement strict network segmentation to prevent lateral movement.

The current surge underscores the importance of proactive defenses in the face of a constantly evolving cyber threat environment.

References

Symantec, "Ransomware: Attacks Once More Nearing Peak Levels" (September 11, 2024). Attacks surge again in the second quarter of 2024 as attackers bounce back from disruption.