The number of successful ransomware attacks advertised on leak sites increased 9% year-on-year (YoY) in the first quarter of 2024 despite high-profile law enforcement disruption of major groups, Symantec has claimed.
The security vendor said it recorded 962 claimed attacks in the first quarter of 2024 – down from the 1190 attacks of the previous three months, but still more than the 886 claimed in the first quarter of 2023.
Global law enforcers teamed up to make arrests, take down infrastructure and undermine the credibility of the prolific ALPHV/BlackCat and LockBit groups in December 2023 and February 2024 respectively.
However, although BlackCat subsequently disappeared, LockBit appears to be still operational.
“LockBit’s position as the number one ransomware threat remained unchallenged in the first quarter of 2024, accounting for over 20% of all claimed attacks,” said Symantec.
In terms of claimed attacks on leak sites, the chasing pack includes Qilin, Play, Phobos, Hunters and BianLian, all of which are on a 7% share of leak site posts.
However, Symantec’s own data from investigations it conducted in Q1 2024 places LockBit on 32%, followed by Akira (14%) and Blacksuit (11%).
“The comparison may give some indication of success rates experienced by actors linked to each operation,” Symantec said.
“For Symantec to positively identify an attack as associated with a certain ransomware family, the attack has to advance to the stage where the attackers attempt to deploy a payload. This suggests that attackers using Akira and Blacksuit are more likely to advance their attacks at least to the payload deployment stage.”
Vulnerability Exploits Continue to Reap Rewards
The report also claimed that exploitation of known vulnerabilities in public-facing applications continues to be the main vector for ransomware attacks. Symantec cited recent attacks on web servers exploiting CVE-2024-4577, a CGI argument injection flaw affecting all versions of PHP installed on Windows.
However, not all cybersecurity vendors agree. Coveware’s latest report covering Q1 2024 claimed that remote access compromise remains the top method of initial access, followed some way behind by phishing and vulnerability exploitation, which are virtually tied.
Elsewhere, Symantec pointed to the continued use of “Bring-Your-Own-Vulnerable-Driver” (BYOVD) tactics to disable security solutions.
“Since drivers are signed and can obtain kernel access, they are frequently used to kill processes,” it explained.
“A correctly written driver will contain checks to ensure that only the software it’s designed to work with is issuing commands and that it’s only used for its intended purpose. A vulnerable driver, in the wrong hands, becomes a de facto privilege escalation tool.”