Five ransomware groups, including RansomHub and LockBit 3.0, accounted for 40% of all cyber-attacks in Q3 2024, highlighting the increasing complexity and competition within the ransomware ecosystem, according to research by Corvus Insurance.
Overall, the Corvus’ Q3 2024 Cyber Threat Report, The Ransomware Ecosystem is Increasingly Distributed, noted that the ransomware threat level remained elevated.
The insurance firm’s findings showed that Q3 saw 1257 victims posted to leak sites, marking a 0.7% rise from Q2’s total of 1248 victims.
Of the ransomware attacks in Q3 2024, 40% can be traced to the following five groups:
- RansomHub
- PLAY
- LockBit 3.0
- MEOW
- Hunters International
The overall number of active ransomware groups across the world rose to reach 59, according to the research..
The report also noted that law enforcement activity, like Operation Cronos which affected LockBit, may be transforming the ransomware ecosystem, resulting in more small-scale operations than before.
RansomHub has quickly filled the void left by disruption to LockBit’s infrastructure and has accounted for more than 290 victims across various sectors in 2024.
In October, research by Symantec also noted that RansomHub is now the top ransomware operation in terms of successful attacks.
Symantec commented that the group’s success could be explained by its success in recruiting experienced affiliates for its ransomware-as-a-service operations.
Corvus said LockBit 3.0’s activity fell sharply from 208 in Q2 to 91 victims in Q3, likely signaling a response to law enforcement pressure.
Attackers Targeting VPNs Account for Third of Ransomware Incidents
Cybercriminals leveraging virtual private network (VPN) vulnerabilities and weak passwords for initial access contributed to nearly 30% of ransomware attacks.
Outdated software or VPN accounts with inadequate protections are what has led to VPN vulnerabilities being exploited.
Corvus explained that common usernames such as “admin” or “user” and a lack of multi-factor authentication (MFA) made accounts vulnerable to automated brute-force attacks, where attackers exploit publicly accessible systems by testing combinations of these weak credentials. This allows malicious actors to frequently achieve network access with minimal effort.
“Attackers are focused on finding the path of least resistance into a business to launch an attack, and in Q3 that entry point was the VPN,” said Jason Rebholz, CISO at Corvus.
“As we look forward, businesses must strengthen defenses with multi-layered security approaches that extend beyond MFA. Today, MFA is mere table stakes and must be complemented with secure access controls capable of shoring up these current and future areas of vulnerability,” he said.