- A significant shift taking place in the ransomware ecosystem in 2024 due to leaked source code and tools from disbanded or deceased larger groups
- Groups demonstrate a sophisticated understanding of network vulnerabilities and utilise a variety of tools and techniques to achieve their objectives.
While many prominent ransomware gangs have disappeared, smaller and more elusive groups are emerging in 2024 due to leaked source code and tools from disbanded or deceased larger groups.
“Ransomware operations are becoming increasingly fragmented. Larger, more coordinated groups are breaking down into smaller fractions, making it more challenging for law enforcement to target them,” Kaspersky said in its report.
Moreover, each of these smaller groups has less impact and is of less interest for law enforcement, thus having a reduced likelihood of being tracked and prosecuted, giving independent ransomware actors a higher chance of escaping arrest.
30% increase in groups
Kaspersky research revealed a 30 per cent global increase in the number of targeted ransomware groups in 2023 compared to 2022, with the number of known victims of their attacks rising by a staggering 71 per cent.
Unlike random attacks, the research reported that these targeted groups focus on governments, high-profile organisations, or specific individuals within an organisation.
“Moreover, most of them distribute their malware under the Ransomware-as-a-Service (RaaS) model, which involves a number of smaller groups (called affiliates) getting access to the ransomware for a subscription fee or a portion of the ransom.”
The ransomware most frequently encountered in organisations’ systems in 2023 was Lockbit 3.0. The reason for its remarkable activity may be its builder leak in 2022. That led to various independent groups using the builder to create custom ransomware variants, which they then used to target organizations all over the world. The group itself also has a large affiliate network.
Second was BlackCat/ALPHV, which first appeared in December 2021. In December 2023, the FBI, together with other law enforcement agencies, disrupted BlackCat’s operations and seized several websites of the group.
The third most active ransomware in 2023 was C10p. This group managed to breach managed the file transfer system MoveIt to get to its customers’ data. According to New Zealand security firm Emsisoft, as of December 2023, this breach had affected over 2500 organisations.
Exploitation of vulnerabilities
According to Kaspersky’s incident response team, in 2023, every third incident (33.3 per cent) was related to ransomware, which remained the primary threat to all organisations, whatever sector of economy or industry they belonged to.
“Another important trend observed in 2023 was attacks via contractors and service providers, including IT services, became one of the top three attack vectors for the first time. This approach facilitates large-scale attacks with less effort, often going undetected until data leaks or encrypted data are discovered,” the report said.
Overall, the research stated that ransomware groups demonstrated a sophisticated understanding of network vulnerabilities and utilised a variety of tools and techniques to achieve their objectives.
“The use of well-known security tools, exploitation of vulnerabilities in public-facing applications, and the use of native Windows commands highlight the need for robust cybersecurity measures to defend against ransomware attacks and domain takeovers.”