RansomHub is now the number one ransomware operation in terms of claimed successful attacks, according to new data from Symantec.
The security vendor’s latest threat intelligence report for Q3 2024, Ransomware: Threat Level Remains High in Third Quarter, is based on analysis of leak sites.
Overall, threat actors claimed 1255 attacks in the quarter, down slightly from 1325 in Q2. However, the macro trend is of attacks ticking up, Symantec warned.
RansomHub only became active in February this year but claimed top spot in Q3 with 191 victims posted to leak sites, up 155% on Q2’s haul.
“The group’s rapid rise may be explained by its success in recruiting experienced affiliates for its ransomware-as-a-service operation, reportedly offering more attractive terms than rival outfits,” said Symantec.
Read more on ransomware: Ransomware Attack Demands Reach a Staggering $5.2m in 2024
RansomHub’s rise appears to have come at the expense of LockBit, which boasted three times more successful attacks than closest rival Qilin in the second quarter. It saw this figure fall 88% quarter-on-quarter to 188 data leak posts in Q3, according to Symantec.
“LockBit was the target of an international law enforcement operation in February 2024, which impacted its level of activity in the first quarter of this year,” the report continued.
“By the second quarter, it appeared to recover completely, but it is possible that the operation has led to a loss of trust among LockBit affiliates, particularly since authorities indicated they had collected information that could identify affiliates.”
Qilin’s fortunes are also on the up, after its victim count increased 44% to reach 140 in Q3.
Symantec pointed out the disparity between publicly claimed attacks and ransomware activity investigated by its own threat researchers. For example, LockBit accounted for just 7% of attacks investigated by Symantec in Q3 but claimed a share of 15%, while for RansomHub the figures were 33% and 15%.
In the case of RansomHub, the disparity could potentially be explained by the fact that not all victims end up on ransomware leak sites – if they pay their extortionists promptly, for example.
The Most Popular Ransomware Tools
Symantec revealed the four most commonly observed tools and techniques used by ransomware actors in Q3 as:
- Living off the land: Native Windows utilities that enable lateral movement, execution of commands and other actions without setting off any alarms.
- Bring your own vulnerable driver (BYOD): Attackers deploy a signed vulnerable driver, which is given kernel access and therefore can be used to kill processes related to security software. These drivers are usually deployed with a malicious executable to issue commands.
- Remote desktop/admin: RDP, AnyDesk, Splashtop, ScreenConnect and other legitimate remote administration tools are abused to provide backdoor access to victims’ machines.
- Data exfiltration: Theft of data prior to encryption (double extortion) now accounts for most ransomware attacks. Rclone is the most popular exfiltration tool, although remote admin software also has such capabilities.
Image credit: Sue Thatcher / Shutterstock.com