Ransomware: Attacks Once More Nearing Peak Levels

Ransomware activity increased markedly in the second quarter of 2024 as attackers seemingly recovered their momentum following the disruption experienced in late 2023 and early 2024. 

Analysis of data from ransomware leak sites found that ransomware actors claimed 1,310 attacks in the second quarter of 2024, a 36% increase on the first quarter of this year. This was the second highest amount of attacks claimed in a quarter by ransomware operators, short of the record 1,488 attacks claimed in the third quarter of 2023. 

Powering this increase in attacks has been the complete recovery of LockBit from disruption experienced following an international law enforcement operation in February 2024. LockBit, which is operated by the Syrphid cybercrime group, has long been the most prolific ransomware operation but experienced a dip in activity in the first quarter of this year. However, LockBit attacks increased significantly in the second quarter of 2024 and, with 353 attacks claimed this quarter, are now higher than ever.

Another factor driving the overall increase in attacks has been the emergence of a number of operators to occupy the space once controlled by the now-departed Noberus ransomware operation. Noberus, along with LockBit, was among the dominant players before it closed down in March 2024, citing the impact of a law enforcement operation along with reports of a falling out with many of its affiliates.

Chief among these successors has been Qilin (aka Agenda), which first emerged in late 2022 and is reportedly run as a ransomware-as-service (RaaS) operation. Attacks claimed by Qilin increased by 47% to 97 in the second quarter of 2024. Play, which has reportedly opened an RaaS operation, saw its attacks increase by 27% to 89 in the second quarter. 

Perhaps the most significant uptick in claimed attacks involved RansomHub, which first appeared in only February 2024 but appears to have been quick in winning over affiliates to its RaaS operation. Attacks claimed by RansomHub more than tripled in the second quarter to 75, up from 23 in the first quarter of this year. RansomHub’s surge in activity has pushed it into the center of the ransomware ecosystem and it was the fourth most prolific ransomware family in the second quarter. 

Yet again, there were marked differences between overall, publicly claimed activity levels and ransomware activity investigated by Symantec. While LockBit in both cases counted for the largest proportion of attacks, it claimed 27% of all publicly reported attacks and was responsible for 19% of all attacks investigated by Symantec. 

Conversely, Play was behind 19% of all attacks investigated by Symantec, but only accounted for 7% of all publicly claimed attacks. 

The comparison may give some indication of success rates experienced by actors linked to each operation. For Symantec to positively identify an attack as associated with a certain ransomware family, the attack has to advance to the stage where the attackers attempt to deploy a payload. This suggests that attackers using Play are more likely to advance their attacks at least to the payload deployment stage.

Vectors

Although the vector may not be discovered for every ransomware attack, the available evidence suggests that attackers are continuing to favor the exploitation of known vulnerabilities in public-facing applications as a means of access.

For example, in July 2024, Symantec found that threat actors linked to the Snakefly cybercrime group were actively scanning for CrushFTP servers vulnerable to CVE-2024-4040 to run remote commands to download malware onto compromised machines. While CVE-2024-4040 was patched on April 19, 2024, Snakefly was continuing to search for and exploit unpatched systems. 

Snakefly is a specialist in these kinds of attacks and has a long track record of exploiting recently patched and zero-day vulnerabilities in order to mount extortion campaigns.

Snakefly is responsible for the Cl0p ransomware and it appeared to be highly likely that the final objective of this campaign was the deployment of Cl0p ransomware.

Along with exploitation of known vulnerabilities there is anecdotal evidence of attackers targeting exposed RDP servers with weak credentials and poor network segmentation to facilitate lateral movement. In many cases, the absence of multi-factor authentication (MFA) across these services means that weak credentials are particularly vulnerable to exploitation. 

Cause for concern

The sharp increase in attacks in the second quarter of this year suggests that momentum is once again with attackers. While high-profile ransomware operations such as Noberus shut down, the pool of skilled affiliates appears to be undisturbed and many appear to simply migrate to alternative franchises. 

Protection/Mitigation

For the latest protection updates, please visit the Symantec Protection Bulletin.