It is estimated that by 2031, there will be a ransomware attack every 2 seconds. That’s a significant rise from the (already high) figure of one every 11 seconds, as predicted for 2021. And given the effectiveness of AI, we might see that number shrink into nanoseconds before long.
Just one look at the ransomware landscape since the start of the year is enough to make that claim all too believable. Gangs like Hunters, BlackBasta, RansomHub, and more have been causing chaos and keeping us all vigilant.
Leaning on a list of all ransomware attacks (since as far back as 2016), here is an overview of the most active ransomware groups in 2024, with a specific look at their targets, ransoms, and tactics.
Play – 108 Ransomware Attacks
- Targets | With 42 incidents in Manufacturing since the start of the year, ransomware gang Play has made no secret of its primary target. These companies hail mostly from the United States, with several in Canada, the Netherlands, Germany, Sweden, Australia, the UK, and Italy. Next in line was Business Services, with 20 attacks, most of them in the US. This North American and European expansion is relatively new; initially, the group focused primarily on Latin American targets.
- Ransoms | While little is known about their ransom amounts, they are known to leak the data of those who refuse to pay.
- Tactics | An evolving Ransomware-as-a-Service platform, Play pioneered the intermittent encryption technique in order to remain under the radar and evade detection. Commonly operating on a double-extortion model, Play also utilizes:
  - PowerTool – To disable antiviruses.
  - SystemBC RAT, Plink, AnyDesk – For persistence.
  - Cobalt Strike – For post-compromise lateral movement.
The group is also known for gaining initial access through exploiting vulnerabilities in FortiOS, RDP servers, and Microsoft Exchange.
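Intermittent encryption encrypts only parts of each file, so the file's overall entropy stays below what a whole-file check expects from ciphertext. The following is an added example, not code from the article or from any vendor: it profiles entropy block by block, and the block size, threshold, and sample files are assumptions constructed for the demonstration.

```python
import hashlib
import math
from collections import Counter

CHUNK = 4096   # analysis block size (assumed for this example)
HIGH = 7.5     # bits per byte; ciphertext sits close to 8.0

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def chunk_profile(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each fixed-size block of the file."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]

def looks_intermittent(data: bytes, lo: float = 0.2, hi: float = 0.8) -> bool:
    """True when ciphertext-like blocks alternate with ordinary ones (triage signal only)."""
    flags = [e >= HIGH for e in chunk_profile(data)]
    if len(flags) < 4:
        return False                      # too small to judge
    share = sum(flags) / len(flags)
    switches = sum(a != b for a, b in zip(flags, flags[1:]))
    return lo <= share <= hi and switches >= 2

def pseudo_ciphertext(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted data."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

def constructed_samples(blocks: int = 16) -> dict:
    """Constructed files: untouched, every other block encrypted, fully encrypted."""
    line = b"Quarterly manufacturing report: line 7 output nominal.\n"
    plain = (line * (blocks * CHUNK // len(line) + 1))[:blocks * CHUNK]
    enc = pseudo_ciphertext(blocks * CHUNK)
    mixed = b"".join(
        (enc if i % 2 == 0 else plain)[i * CHUNK:(i + 1) * CHUNK] for i in range(blocks)
    )
    return {"plain": plain, "intermittent": mixed, "full": enc}

if __name__ == "__main__":
    for name, data in constructed_samples().items():
        print(f"{name:13s} whole-file={shannon_entropy(data):.2f} "
              f"intermittent={looks_intermittent(data)}")
```

Formats that legitimately mix compressed and uncompressed sections can show a similar profile, so the result is best compared against a known-good copy or backup of the same file.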
RansomHub – 105 Ransomware Attacks
- Targets | Since the start of this year, RansomHub has successfully attacked 12 organizations in Business Services, 10 in Manufacturing, 8 in Construction, and 8 in Government, with another forty-plus attacks spread throughout a myriad of different industries. Complex global supply chains and wide-ranging project management activities make Manufacturing and Construction companies a particular target.
- Ransoms | High-profile attacks this year have been on Rite Aid, the Florida Health Department, UK auction house Christie’s, and telecom giant Frontier. This group also delivers on its promises to leak data if demands are not met, as evidenced by its release of 100 gigabytes of sensitive health data from the Florida Department of Health.
- Tactics | Another RaaS group, this one is fairly new on the scene (first seen in February of this year), believed to be based in Russia, and speculated to be an updated version of the older Knight ransomware – the source code of which incidentally went up for sale on the Dark Web in February as well. Notably, RansomHub uses Golang to write its ransomware, a popular trend among serious ransomware operators. This choice indicates a shift toward tactics that are more resilient and harder to detect. As noted by Trend Micro, “One possible reason for this uptick in popularity is that Go statically compiles necessary libraries, making security analysis much harder.”
Akira – 82 Ransomware Attacks
- Targets | Akira is another group with sights set on the Manufacturing world. Since January, it has had 23 successful ransomware attacks in that sector. There have also been 12 incidents within Business Services, 8 in Construction, and 8 in Transportation.
- Ransoms | Since the start of the year, Akira has raked in over $42 million from over 250 victims. This is all from ransoms ranging from as “low” as $200,000 to upwards of $4 million.
- Tactics | Focusing primarily on small to medium-sized businesses, Akira also employs double-extortion ploys, encrypting the victims’ systems after data has been pilfered, then asking for a ransom to not only decrypt the systems but also delete the stolen data. Akira’s modus operandi includes:
  - Unauthorized access to VPNs
  - Credential theft
  - Lateral movement
  - RClone, FileZilla, WinSCP – For data exfiltration
The group has been found to deploy previously unreported backdoors in several cases. However, what makes Akira a formidable threat is its ability to stay agile and adapt its tactics. Just last year, the group expanded its scope from just Windows systems to Linux-based VMware ESXi virtual machines.
While these three groups have been the most prolific, they are followed closely by others who haven’t exactly been sitting on their hands in 2024 either: Hunters International (74 attacks), Black Suit (69 attacks), Qilin (39 attacks), and BlackBasta (30 attacks). Staying ahead of the most contemporary, nefarious ransomware gangs is one way to see what’s trending in the space and stay prepared. Vigilance is rewarded, and the more we know about these groups and their ways, the more defenders can use that data to customize new methods of defense, stay sharp, and know what to look for when tracking exploits in their environment.
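Several tools named in the Play and Akira sections (AnyDesk, WinSCP, FileZilla) are also ordinary admin software, so a single sighting says little; what matters is more than one stage appearing on the same host in a short span. The following added example, which is not from the article, correlates process-creation events that way; the event field names, the 24-hour window, and the sample log lines are assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Executable names for tools the article names; stage labels follow its wording.
# SystemBC and Cobalt Strike are omitted: they have no fixed file name to match.
TOOL_STAGE = {
    "powertool": "av-disable", "plink": "persistence", "anydesk": "persistence",
    "rclone": "exfiltration", "filezilla": "exfiltration", "winscp": "exfiltration",
}
WINDOW = timedelta(hours=24)   # assumed correlation window

# Constructed process-creation events; field names are hypothetical.
SAMPLE_EVENTS = r"""
{"ts": "2024-06-03T09:12:00", "host": "FIN-WS-07", "image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe"}
{"ts": "2024-06-04T01:03:00", "host": "PLANT-SRV-02", "image": "C:\\PerfLogs\\PowerTool64.exe"}
{"ts": "2024-06-04T01:20:00", "host": "PLANT-SRV-02", "image": "C:\\ProgramData\\AnyDesk.exe"}
{"ts": "2024-06-04T03:41:00", "host": "PLANT-SRV-02", "image": "C:\\Users\\Public\\rclone.exe"}
{"ts": "2024-06-01T10:00:00", "host": "HR-WS-11", "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe"}
{"ts": "2024-06-05T16:30:00", "host": "HR-WS-11", "image": "C:\\Program Files\\FileZilla\\filezilla.exe"}
"""

def correlate(lines, window=WINDOW):
    """Return {host: stages} for hosts showing two or more stages inside one window."""
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        # Assumption: a trailing "64" marks a 64-bit build of the same tool.
        stem = PureWindowsPath(ev["image"]).stem.lower().removesuffix("64")
        stage = TOOL_STAGE.get(stem)   # renamed binaries evade name matching
        if stage:
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            stages = {s for t, s in seen[i:] if t - start <= window}
            if len(stages) >= 2:
                alerts[host] = sorted(stages)
                break
    return alerts

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS.splitlines()))
```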