How today's ransomware groups operate

Nov. 20, 2024

Ransomware remains an ever-present operational, financial, and reputational risk to organizations. This year, the frequency, cost, and disruption caused by ransomware groups are on track to match those of 2023, one of the worst years on record for both attack counts and total ransoms paid.

However, complex and covert law enforcement actions are countering this trend. These actions have caused some ransomware groups, such as Hive and ALPHV aka BlackCat, to close up shop while others, such as LockBit, have been severely undermined. Nonetheless, other ransomware groups have filled the void, making this crime a pervasive threat.

This article will review ransomware gang activity from the second quarter of this year, focusing specifically on the three most active groups: LockBit, Play, and RansomHub. It will also address broad ransomware trends and notable tactics, techniques, and procedures (TTPs) of ransomware groups.

By the Numbers

We reported 913 ransomware breach events in the second quarter of 2024 versus 1,080 for the second quarter of 2023, marking a 16% drop. The drop in breach events is likely partly due to Operation Cronos, a law enforcement action led by the U.K. National Crime Agency (NCA), which targeted LockBit. Ransomware-as-a-service — known as RaaS — operators such as LockBit rely on networks of other malicious hackers known as affiliates to carry out attacks.

RaaS operators provide the malware and infrastructure to affiliates, and the two sides share the ransom paid.

Law enforcement activity tends to disrupt these relationships, and affiliates often change groups following a bust. Hence, law enforcement’s disruption of LockBit caused disturbances in its affiliate network, which had numbered more than 190. Other ransomware groups then sought to attract LockBit affiliates whom the attention on the group may have put off.

Now that the stage has been set, let’s examine the three top ransomware groups we observed in the second quarter of this year: LockBit, Play, and RansomHub.

LockBit

LockBit was the most prolific and largest RaaS group in 2022 and 2023. Operation Cronos secretly infiltrated the group's infrastructure and recovered decryption keys. Perhaps most significantly, the U.S. and U.K. identified LockBit's alleged leader by name, Dmitry Yuryevich Khoroshev, and the U.S. indicted him. The operation also proved useful in recovering internal data on LockBit affiliates. Despite the operation, LockBit has continued as a ransomware entity, with 122 attacks attributed to the group in the second quarter of this year, the highest number of all groups.

Why is LockBit still active? Khoroshev — who allegedly goes by the nickname LockBitSupp — is believed to be in Russia, and Russia does not extradite its citizens. Following the law enforcement actions, we saw LockBit post new and old victims to its data leak site, an effort that may have aimed to project confidence in the operation to its affiliates. In July 2024, the group posted new contact information on its data leak blog, indicating that it was actively trying to recruit new affiliates into the RaaS program. However, the National Crime Agency announced on Oct. 1, 2024, that its continuing disruption of LockBit had reduced the gang’s operational capabilities, causing a decline in attacks and affiliates.

Play

One of the first Play ransomware infections was reported in late June 2022. The ransomware group gained notoriety two months later, in August 2022, when it attacked Argentina's Judiciary of Córdoba. Play stands out because it does not run an affiliate program. The group claims that ransom payments are tailored to each victim, aligned with their assessed ability to pay. Play's data leak site, where it posts stolen data, warns that if a victim does not get in contact within three days, their name will be listed on the portal. The group also warns it will contact the victim's customers and partners, sending them a link to stolen data. During attacks, Play employs the "double-extortion" tactic, which means it exfiltrates data before encrypting it, giving it two ways to pressure victims into paying.

From a target perspective, Play shows no preference for particular industries or locations when choosing victims. Play has exploited exposed remote services, including firewall products, virtual private networks (VPNs) and remote desktop protocol (RDP) connections, to gain initial access. Other Play TTPs include using the SystemBC malware for persistent access, the Cobalt Strike threat emulation software and the PowerShell scripting language for post-compromise lateral movement. It also uses Mimikatz to extract credentials from memory, and the ADFind and BloodHound tools for network enumeration and discovery.

RansomHub

RansomHub emerged in early February 2024 and has been one of the most active groups since. We recorded 54 attacks by RansomHub across April, May and June. The RansomHub RaaS claimed victims across a multitude of industries and demonstrated a clear preference for entities in Europe and the U.S. Most of RansomHub's victims were low-profile entities with low or undisclosed revenues. This suggests the group prioritizes targets that may be easier to attack but likely will pay some ransom. However, RansomHub also claimed to have compromised seven organizations with more than US $1 billion in revenues. This suggests the group possibly tries to attract experienced ransomware operators capable of conducting attacks against high-profile targets who may pay higher ransoms.

Additionally, the group's victim count increased rapidly after the second quarter. It rose to 46 attacks in July compared with just 17 attacks in June. Regarding TTPs, RansomHub often uses compromised access credentials for RDP, VPNs and Citrix systems. Attackers will also try to disable endpoint detection and response (EDR) and antivirus software with various tools and scripts. The group employs double-extortion techniques, threatening to publish or sell stolen sensitive data if victims do not comply.
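The post-compromise behaviours listed for Play (credential dumping with Mimikatz, Active Directory enumeration with ADFind and BloodHound, PowerShell-driven lateral movement) and for RansomHub (tampering with EDR and antivirus) all leave traces in process-creation telemetry. The following is an added example, not Intel 471 code and not a description of any specific group's tooling: a small set of detection heuristics run over constructed, Sysmon-style process-creation events, followed by a correlation step that escalates hosts hitting several rules and accounts that trigger on several hosts. The event records, host names, account names, the encoded PowerShell token and the `PROTECTED_SERVICES` set are all invented; a defender would replace the latter with their own EDR and AV service names.

```python
"""Hypothetical detection heuristics for the post-compromise TTPs described above.

Added example, not Intel 471 code. Events are constructed, Sysmon Event ID 1
style records reduced to the fields the rules need.
"""
import re
from collections import defaultdict

# Assumption: the defender fills this with the service names of their own EDR/AV agents.
PROTECTED_SERVICES = {"someedrsensor", "windefend"}

# Constructed sample events; field names mirror Sysmon process creation, values are invented.
SAMPLE_EVENTS = [
    {"host": "ws-17", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p", "parent": r"C:\Windows\System32\services.exe"},
    {"host": "ws-17", "user": "CORP\\jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\mk.exe",
     "cmdline": "mk.exe privilege::debug sekurlsa::logonpasswords exit",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "dc-01", "user": "CORP\\svc_backup", "image": r"C:\Temp\AdFind.exe",
     "cmdline": "AdFind.exe -f objectcategory=computer -csv", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-22", "user": "CORP\\admin2",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # The base64-looking token is an arbitrary constructed string, not a real payload.
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"host": "ws-22", "user": "CORP\\admin2",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-22", "user": "CORP\\admin2", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc.exe stop SomeEdrSensor", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "srv-08", "user": "CORP\\svc_backup", "image": r"C:\Users\Public\SharpHound.exe",
     "cmdline": "SharpHound.exe -c All --zipfilename out.zip", "parent": r"C:\Windows\System32\cmd.exe"},
]


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_security_tool_tampering(ev):
    """Disabling Defender real-time protection, or stopping/deleting a protected service."""
    cmd = ev["cmdline"]
    if re.search(r"set-mppreference\b.*-disable", cmd, re.I):
        return True
    m = re.search(r"\b(?:sc(?:\.exe)?|net(?:\.exe)?)\s+(?:stop|delete|config)\s+(\S+)", cmd, re.I)
    return bool(m) and m.group(1).lower() in PROTECTED_SERVICES


RULES = [
    # Mimikatz module syntax (sekurlsa::, lsadump::) regardless of the renamed binary.
    ("credential_dumping",
     lambda ev: re.search(r"(?:sekurlsa|lsadump)::", ev["cmdline"], re.I) is not None),
    # ADFind / SharpHound binaries or their characteristic arguments.
    ("ad_enumeration",
     lambda ev: _basename(ev["image"]) in {"adfind.exe", "sharphound.exe"}
     or re.search(r"invoke-bloodhound|-f\s+objectcategory=", ev["cmdline"], re.I) is not None),
    # PowerShell launched with an encoded command of meaningful length.
    ("encoded_powershell",
     lambda ev: _basename(ev["image"]) in {"powershell.exe", "pwsh.exe"}
     and re.search(r"\s-e(?:nc(?:odedcommand)?|c)?\s+[A-Za-z0-9+/=]{16,}", ev["cmdline"], re.I) is not None),
    ("security_tool_tampering", _is_security_tool_tampering),
]


def detect(events):
    """Return one finding per (event, rule) match, in event order."""
    findings = []
    for ev in events:
        for name, pred in RULES:
            if pred(ev):
                findings.append({"rule": name, "host": ev["host"], "user": ev["user"],
                                 "cmdline": ev["cmdline"]})
    return findings


def triage(findings):
    """Correlate findings: hosts with >= 2 distinct rule hits, and accounts hitting on >= 2 hosts.

    A single rule on a single host may be admin noise; several distinct behaviours on one
    host, or the same account enumerating from several hosts, looks like hands-on-keyboard activity.
    """
    rules_by_host = defaultdict(set)
    hosts_by_user = defaultdict(set)
    for f in findings:
        rules_by_host[f["host"]].add(f["rule"])
        hosts_by_user[f["user"]].add(f["host"])
    escalate_hosts = sorted(h for h, r in rules_by_host.items() if len(r) >= 2)
    roaming_accounts = sorted(u for u, h in hosts_by_user.items() if len(h) >= 2)
    return escalate_hosts, roaming_accounts


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:7} {f['user']:18} {f['rule']:25} {f['cmdline']}")
    print("escalate hosts:", triage(found)[0], "accounts on several hosts:", triage(found)[1])
```

Run against the constructed events, the rules fire six times: the renamed Mimikatz binary is caught by its module syntax rather than its file name, the encoded PowerShell and the two tampering commands put ws-22 over the two-rule threshold, and svc_backup running enumeration tools on both dc-01 and srv-08 surfaces as an account worth pulling apart even though each individual hit is one rule on one host.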

Broad Trends, Looking Ahead

Two significant ransomware incidents this year that netted very large ransom payments are worth noting. The now-defunct ALPHV, aka BlackCat, ransomware group attacked Change Healthcare, whose platform is used by customers that process more than a third of all medical claims in the U.S. The attack put immense pressure on medical clinics and put some at risk of insolvency. The attackers reportedly received a US $22 million ransom. Another notable incident that generated headlines was the June 2024 attack against CDK Global, which developed customer relationship management (CRM) and inventory software for car dealerships. The incident affected as many as 15,000 dealerships, hampering their ability to ship and sell cars. The attack was carried out by the BlackSuit group, which reportedly received a US $25 million ransom.

These two incidents highlight a few important aspects of ransomware defense. First, they show these groups can still bring down large, important players in certain industry supply chains. They also show that paying a ransom, in exchange for decryption keys and perhaps a promise not to publish stolen data, is the only viable way some organizations feel they can resolve these situations. Unfortunately, this rewards adversaries, who can use those funds to become better attackers.

However, there are indications that efforts to improve baseline security measures are making organizations more resilient. Insurance broker and risk advisory firm Marsh found that its claims related to cyberattacks were going down, which it attributed to helping its clients improve their security controls. Marsh says 23% of companies faced with an extortion demand in 2023 paid a ransom, the lowest figure the firm has recorded in five years. Incident response and negotiation specialist Coveware reported that only 29% of victims it worked with opted to pay a ransom in the fourth quarter of 2023. This is good news. However, the cryptocurrency analysis firm Chainalysis concluded that at least US $1 billion was paid in ransoms in 2023. Its reasoning is that ransomware groups are landing much larger ransoms from fewer victims, which would seem to align with what we’ve witnessed in the first half of 2024, and it’s unlikely we will see a major shift in this fight the rest of the year.

Ransomware groups often gain access to organizations through the reuse of valid account credentials and by exploiting vulnerabilities, and there are several types of threat intelligence that security teams can prioritize to anticipate where these actors may target next. Threat intelligence collected from underground forums can reveal if cybercriminals have stolen and are reselling valid credentials, allowing organizations to secure the accounts. Vulnerability-related threat intelligence can help organizations understand which software flaws threat actors are interested in exploiting and allow defenders to patch before exploit code is developed.

Breach-related intelligence can help organizations assess their risk of attack via partners, suppliers and third parties. With the right intelligence and analysis, organizations can make risk-based decisions to avoid becoming the next ransomware victim.
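The three intelligence types above (vulnerability, credential and breach intelligence) only help if they are joined to what the organization actually runs and who actually has access. The following is an added example, not Intel 471 code or a description of any vendor's feed format: it joins a constructed asset inventory to a constructed vulnerability feed, ranks the patch backlog by whether a flaw is already exploited in the wild and whether the affected host is internet-facing, matches a constructed underground credential listing against the organization's own accounts, and flags recently breached suppliers that hold some form of access. The product names, `VULN-*` identifiers, versions, e-mail addresses and supplier records are all invented placeholders.

```python
"""Hypothetical intelligence-driven prioritisation for a ransomware-focused security team.

Added example, not Intel 471 code. Every feed and the inventory below is constructed;
the VULN-* identifiers are placeholders, not real CVE numbers.
"""

# Constructed asset inventory.
INVENTORY = [
    {"host": "vpn-gw-1", "product": "ExampleVPN", "version": "9.1.3", "exposed": True},
    {"host": "vpn-gw-2", "product": "ExampleVPN", "version": "9.2.0", "exposed": True},
    {"host": "crm-app", "product": "ExampleCRM", "version": "3.0.1", "exposed": False},
    {"host": "vpn-lab", "product": "ExampleVPN", "version": "9.0.0", "exposed": False},
]

# Constructed vulnerability intelligence: the flag that matters most is in-the-wild exploitation.
VULN_INTEL = [
    {"id": "VULN-A", "product": "ExampleVPN", "fixed_in": "9.1.4", "exploited_in_wild": True, "cvss": 9.8},
    {"id": "VULN-B", "product": "ExampleVPN", "fixed_in": "9.2.0", "exploited_in_wild": False, "cvss": 7.5},
    {"id": "VULN-C", "product": "ExampleCRM", "fixed_in": "3.0.2", "exploited_in_wild": False, "cvss": 8.1},
]

# Constructed underground-forum credential listing (identifiers only; the passwords are not needed
# to act, since any listed account gets reset regardless of whether the leaked secret is current).
LEAKED_ACCOUNTS = {"JDoe@example.com", "svc_backup@example.com", "someone@other.example"}
ORG_ACCOUNTS = {"jdoe@example.com", "admin2@example.com", "svc_backup@example.com"}

# Constructed breach intelligence on third parties, with the access each one holds into the org.
SUPPLIERS = [
    {"name": "PayrollCo", "access": "sftp-to-hr", "breached_recently": True},
    {"name": "CleanCo", "access": None, "breached_recently": True},
    {"name": "MspX", "access": "domain-admin-vpn", "breached_recently": False},
]


def parse_version(v):
    """'9.1.4' -> (9, 1, 4). Tuple comparison gives correct ordering for dotted numeric versions."""
    return tuple(int(p) for p in v.split("."))


def is_vulnerable(installed, fixed_in):
    """Installed build is older than the first fixed build."""
    return parse_version(installed) < parse_version(fixed_in)


def prioritize_patching(inventory, intel):
    """Join inventory to intel and rank: exploited-in-wild first, then internet-exposed, then CVSS.

    A 7.5 on an exposed VPN concentrator outranks an 8.1 on an internal app here, because the
    initial-access pattern described in the article is exposed remote services, not severity alone.
    """
    work = []
    for host in inventory:
        for v in intel:
            if v["product"] == host["product"] and is_vulnerable(host["version"], v["fixed_in"]):
                work.append({"host": host["host"], "vuln": v["id"], "exploited": v["exploited_in_wild"],
                             "exposed": host["exposed"], "cvss": v["cvss"]})
    work.sort(key=lambda w: (w["exploited"], w["exposed"], w["cvss"]), reverse=True)
    return work


def accounts_to_reset(org_accounts, leaked):
    """Org accounts that appear in a credential listing; compare case-insensitively."""
    leaked_lc = {a.lower() for a in leaked}
    return sorted(a for a in org_accounts if a.lower() in leaked_lc)


def third_party_exposure(suppliers):
    """Recently breached suppliers that hold access into the organization and so need review."""
    return [s["name"] for s in suppliers if s["breached_recently"] and s["access"]]


if __name__ == "__main__":
    for w in prioritize_patching(INVENTORY, VULN_INTEL):
        print(f"{w['host']:9} {w['vuln']:7} exploited={w['exploited']!s:5} exposed={w['exposed']!s:5} cvss={w['cvss']}")
    print("reset + verify MFA:", accounts_to_reset(ORG_ACCOUNTS, LEAKED_ACCOUNTS))
    print("review supplier access:", third_party_exposure(SUPPLIERS))
```

Two details are worth noting in the output: the lab host is not exposed, yet its copy of the exploited flaw still ranks above the exposed gateway's non-exploited flaw, because an adversary who is already inside will reach for a known-working exploit; and the breached supplier with no access into the organization generates no work item, which is the point of joining breach intelligence to an access register rather than acting on every headline.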

About the Author

Jeremy Kirk | Executive Editor for Cyber Threat Intelligence at Intel 471

Jeremy Kirk is Executive Editor for Cyber Threat Intelligence at Intel 471, an intelligence firm helping organizations defend against emerging cyber threats. Previously, he was a cybersecurity journalist covering data breaches, malware, ransomware, and the cybercriminal underground.


Intel 471 is a cyber threat intelligence company that analyzes malicious hackers, financial cybercrime, ransomware, software vulnerabilities and underground cybercriminal marketplaces. It is a leader in intelligence-driven threat hunting, which allows organizations to hunt for malicious activity in their SIEM and logging systems.