Q2 2024 ransomware stats reflect shifting RaaS landscape – Cyber Tech
Ransomware statistics for Q2 of 2024 reflect a changing ransomware-as-a-service (RaaS) landscape following law enforcement shakeups earlier in the year.
ReliaQuest’s Ransomware and Cyber Extortion in Q2 2024 report identifies 1,237 organizations listed on ransomware leak sites, representing a 20% increase compared with Q1 2024.
However, the number of affected organizations saw only a minuscule increase of 1% between the first half of 2023 and the first half of 2024, suggesting that recent events have put a damper on the overall growth trend of ransomware attacks.
“Numbers of each month within Q2 2024 fluctuated considerably, likely due to upheavals in the RaaS ecosystem that triggered ransomware groups to compete for affiliates,” ReliaQuest researchers wrote in a blog post Monday. “We anticipate a more consistent rise in ransomware incidents in the second half of 2024 as affiliates resume regular operations.”
Changing of the guard between old and new ransomware groups
A significant factor influencing the numbers revealed in ReliaQuest’s report is the impact of law enforcement activity on ransomware’s major players.
ALPHV/BlackCat’s withdrawal from the scene following FBI interference and a possible exit scam, paired with a weakening of LockBit after its own law enforcement disruption, cleared the way for newer ransomware gangs like RansomHub, BlackSuit and BlackBasta to recruit more affiliates and ramp up activities.
At the same time, a spike in claimed victims in the middle of Q2 was attributed to LockBit’s attempt to rebound from its February takedown. The group claimed 179 victims on its leak site in May, representing more than a third of that month’s affected organizations, but these numbers fell off in June, leading to a comparatively quiet month.
ReliaQuest said that, despite the attempted comeback, LockBit’s reputation among fellow cybercriminals was sullied in the wake of its law enforcement disruption, with its seemingly false claim of breaching the U.S. Federal Reserve being the latest embarrassment for the former top dog.
“Dark web forum users remarked that such ‘fake’ claims will likely undermine affiliates’ willingness to collaborate,” ReliaQuest researchers wrote.
Meanwhile, emerging players like RansomHub are benefiting from the disillusionment of former ALPHV/BlackCat and LockBit affiliates, offering fresh, lucrative opportunities to cybercriminals. RansomHub’s rise to fame was kicked off by its recruitment of former ALPHV/BlackCat affiliate notchy, which led to a second extortion attempt against Change Healthcare.
Unlike ALPHV/BlackCat, which allegedly took off with a $22 million ransom paid by UnitedHealth Group without paying out notchy’s share, RansomHub allows affiliates to collect ransom payments themselves and only send a 10% cut to the group.
This makes RansomHub an especially attractive partner for financially motivated cybercriminals, including former affiliates of ALPHV/BlackCat and LockBit, and encourages targeting of “big game” organizations that are likely to pay larger ransoms. These factors likely led to the 243% increase in claimed RansomHub victims between Q1 and Q2 of 2024, and the disproportionately high number of U.S. organizations targeted due to the perception that U.S.-based companies are more likely to make high ransom payments.
BlackSuit was also noted as a rising contender in the ransomware ecosystem, seeing a 194% increase in victims claimed on its leak site between Q1 and Q2. ReliaQuest predicts that groups like RansomHub and BlackSuit will continue to see growing activity during the second half of the year as more affiliates are recruited, including those jumping ship from LockBit.
Initial access via stolen credentials, supply chain attacks expected to increase
ReliaQuest’s report also points to changing tactics among cyberattackers, indicating a potential shift in initial access vectors. Researchers identified a 30% increase in cybercriminal marketplace listings for infostealer logs, suggesting that exposed credentials will become a more prominent source of initial access in future ransomware and extortion attacks.
The breach of credentials of roughly 165 customers of data cloud company Snowflake is one example of this growing attack vector, with signs that threat actors are leveraging the stolen credentials in extortion-only schemes. As more decryption keys for ransomware strains become available due to increased law enforcement activity, extortion-only attacks may steadily rise to displace double-extortion ransomware attacks, ReliaQuest predicts.
Software supply chain attacks are also a concern due to increased targeting of technology companies by ransomware groups, with the potential for secondary attacks against customers of the breached software providers. ReliaQuest noted a 35% increase in ransomware victims from the professional, scientific and technical services (PSTS) sector, which includes software companies.