Ransomware continues to plague businesses and organisations globally, with 2024 not much different to previous years. While an uptick in targeting against the manufacturing sector has been observed, both government and healthcare remain among the top victims of ransomware attacks.
This blogpost is intended to give a summary of some of the top trends and incidents observed by Silobreaker’s Analyst Team throughout the year. Of note is the continued exploitation of vulnerabilities in various products and the emergence of multiple new ransomware strains. However, not everything is all doom and gloom, as continuous global law enforcement efforts are making headway at countering the increasing threat of ransomware attacks.
January 2024
Multiple threat actors were observed abusing the remote access tool TeamViewer to gain initial access to organisations’ endpoints and deploy ransomware. The ransomware was found to be based on the leaked LockBit builder. This leaked builder has been leveraged by multiple threat actors throughout 2024, resulting in the creation of several modified LockBit variants. Additionally, Akira ransomware operators were observed exploiting CVE-2020-3259, a vulnerability impacting Cisco Adaptive Security Appliance and FirePower Threat Defense. The flaw enables the extraction of sensitive memory contents, including usernames and passwords. At least eight observed Akira incidents involved Cisco AnyConnect SSL VPN as the entry point, with at least six of the compromised devices running different versions of the vulnerable software. Other vulnerabilities, such as CVE-2024-37085, CVE-2024-40766, and CVE-2024-40711, were also exploited in Akira attacks throughout 2024. Some notable victims this month included Southern Water in the UK and the Swiss Air Force, both of which confirmed having had sensitive data stolen in a ransomware attack. The attacks were claimed by Black Basta and ALPHV, respectively.
February 2024
One of the most significant ransomware attacks of 2024 transpired in February, when ALPHV exploited the so-called CitrixBleed vulnerability in Citrix NetScaler to target the United States healthcare technology company, Change Healthcare. The attack caused widespread network disruptions at many healthcare providers. Over 100 critical applications were impacted by the attack, leading to a knock-on effect that resulted in patients being unable to access medications and medical services. Meanwhile, a global law enforcement operation, dubbed Operation Cronos, took down LockBit’s data leak site, various affiliate and support servers, and LockBit’s administrative panel. Law enforcement also obtained source code that could potentially help victims decrypt their systems and arrested two suspected members. Only days later, LockBit announced it had resumed its operations, threatening to focus more of its attacks on the government sector. Alongside this, a new platform-agnostic version of LockBit ransomware, dubbed LockBit-NG-Dev, emerged. The steadily increasing proliferation of LockBit variants, including via the exploitation of vulnerabilities in ConnectWise, has led to confusion over whether the LockBit group itself was behind new attacks, or if other actors were using the leaked builder to create their new versions.
March 2024
ALPHV announced on March 5th that it would cease operations, in what is widely considered to have been an exit scam. The group claimed it was ‘screwed by the feds’, displaying a seizure notice from the Federal Bureau of Investigation (FBI) on its website, though the seizure was not confirmed by the FBI, and it has been speculated that the notice was a copied image from a previous FBI seizure notice in December 2023. The announcement came shortly after one of the group’s affiliates accused ALPHV of failing to pay its share of a $22 million ransom payment allegedly received from Change Healthcare. With ALPHV having left the scene, other ransomware groups, such as Medusa, Cloak, and RansomHub, quickly seized the opportunity to drive recruitment. Ransomware groups also sought to capitalise on the recent LockBit disruption, using it to bolster their own recruitment efforts. Meanwhile, the INC Ransom ransomware gang claimed responsibility for an attack on NHS Scotland and threatened to leak 3TB of data. The claims followed NHS Dumfries and Galloway’s disclosure of a cyberattack, with many documents posted by INC appearing to originate from the same region, indicating a link between the two incidents.
April 2024
Change Healthcare was in the headlines again this month, with RansomHub claiming an attack on the company. The group claimed to be in possession of personally identifiable information belonging to active US military personnel, as well as other patients’ medical records, payment information, and more, some of which was later leaked. RansomHub stated that it had collaborated with an ALPHV affiliate who, at the time, claimed to still be in possession of the stolen data. Some researchers suspected that ALPHV may have rebranded as RansomHub, noting an overlap in the source code of the two ransomware families. Besides Change Healthcare, the United Nations Development Programme was also a victim of ransomware this month. The attack was claimed by 8Base, who also published stolen files after failing to receive a ransom payment. The attack concerned data held on a locally hosted server in UN City, Copenhagen. Throughout April, threat actors also continued to leverage the leaked LockBit builder, with researchers uncovering a DragonForce ransomware binary believed to be based on the LockBit Black strain, along with several other new variants, including BhutiRansom and Wing Ransomware.
May 2024
GhostSec announced that the group would return to its original hacktivist activity and cease any cybercrime operations, claiming it had gathered sufficient funds from ransomware operations to support other activities. The group stated that existing clients would be transferred to the new Stormous Locker operation, which would also take over GhostSec’s associates within the Five Families hacktivist collective. The group also stated that the source code of the V3 Ghostlocker ransomware strain would be shared with Stormous, likely to avoid any exit scams or disruptions. The decision to cease cybercrime and ransomware operations was likely motivated by recent law enforcement operations against international ransomware groups, such as the sentencing of Yaroslav Vasinskyi for his role in over 2,500 REvil ransomware attacks. In addition to actively attempting to recruit new affiliates, RansomHub began to establish itself as a key player in the ransomware ecosystem by expanding its targeting to industrial control systems and SCADA systems. By targeting such infrastructure, RansomHub underscored its intent to play a more disruptive role in the ransomware landscape. Meanwhile, a Storm-1811 social engineering campaign, first emerging in late April 2024, continued to target multiple managed detection and response customers. The campaign aimed to install remote monitoring and management tools, such as AnyDesk or Quick Assist, as well as payloads including QakBot, Cobalt Strike, and ultimately Black Basta ransomware.
June 2024
June was largely defined by a ransomware attack that targeted the pathology services provider, Synnovis. The incident impacted almost all of the company’s IT systems, resulting in interruptions to many pathology services, including at multiple NHS London trusts. The attack was claimed by the Qilin ransomware gang, which stated that the attack was a deliberate act of revenge for the UK government’s actions in an undisclosed war. This marks the first time Qilin has claimed a political motive for its attacks. The group later posted almost 400GB of sensitive data stolen from Synnovis to its leak site. RansomHub continued to cement itself as one of 2024’s leading ransomware groups by claiming responsibility for a ransomware attack on the US telecommunications provider, Frontier Communications, that occurred in mid-April. LockBit continued to make headlines, with some notable attacks linked to the ransomware including breaches at Indonesia’s National Data Center and the US-based Evolve Bank & Trust. A Chaos ransomware actor also impersonated LockBit operators in its ransom notes. In the meantime, LockBit continued to be targeted by law enforcement operations, resulting in the recovery of over 7,000 LockBit ransomware decryption keys.
July 2024
Ransomware attackers increasingly targeted operating systems, particularly VMware ESXi and Linux environments. Notably, Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest exploited an authentication bypass flaw, tracked as CVE-2024-37085, to deploy Akira and Black Basta ransomware. A new Linux variant of Play ransomware was also discovered targeting VMware ESXi environments. The variant was found to be hosted on a domain associated with the threat actor Prolific Puma, suggesting a possible collaboration between Prolific Puma and Play ransomware operators. Meanwhile, a new, customisable variant of the Mallox ransomware was deployed to target Linux environments. The variant features a custom Python script for payload delivery and data exfiltration. Ransomware operators also increasingly targeted cloud service providers, with Nigeria’s Computer Emergency Response Team noting an increase in Phobos ransomware attacks against critical cloud services in the country. Organisations most at risk include IT and telecommunications providers. The ransomware is typically delivered through phishing campaigns or by exploiting vulnerabilities in exposed Remote Desktop Protocol services. In a separate effort, Dark Atlas Squad researchers leveraged a security failing by the Medusa ransomware group to infiltrate the group’s cloud account and access stolen data from multiple victims, including the Kansas City Area Transportation Authority. A notable victim this month was the city of Columbus, Ohio, which was targeted in an attack that would later be claimed by Rhysida. The incident impacted the personal information of over 500,000 individuals.
August 2024
Ransomware groups were increasingly observed using endpoint detection and response (EDR)-killing malware. One such tool, deployed by RansomHub, was a new EDR-killer loader, named EDRKillShifter, that is likely also being used by other threat actors. The loader executes a vulnerable driver payload designed to disable EDR protection. EDRKillShifter abuses legitimate but vulnerable drivers, leveraging proof-of-concept exploits from GitHub that have been modified by threat actors. An updated variant of the malicious kernel driver Poortry was also identified. Unlike previous versions, which terminated processes, the latest version deletes critical EDR components. Poortry attacks have been observed alongside ransomware variants such as Cuba, BlackCat, Medusa, LockBit, and RansomHub. In a continuation of law enforcement action against ransomware operators, a joint operation by the FBI and international partners targeted the Dispossessor ransomware group, resulting in the seizure of multiple servers and domains globally. Vulnerabilities in the web dashboards used by Everest, BlackCat, and Mallox were also discovered. The flaws enabled security researcher Vangelis Stykas to access their leak sites without logging in, extract information, and obtain two decryption keys, which he shared with the affected companies. Notable victims in August included the US Marshals Service and Berlin’s telecommunications infrastructure, indicating that the government and critical infrastructure sectors remain prime targets. The attacks were claimed by Hunters International and Doubleface, respectively.
September 2024
The Akira and Fog ransomware operations made headlines this month, with both groups observed exploiting two recently patched vulnerabilities. The first was a critical SSL VPN access control flaw, tracked as CVE-2024-40766, impacting SonicWall firewalls, while the second was a critical remote code execution flaw, tracked as CVE-2024-40711, in Veeam Backup & Replication servers. In the case of the Veeam flaw, the attackers gained initial access using compromised VPN gateways that lacked multi-factor authentication. One observed Fog ransomware attack targeted a financial company using compromised VPN credentials, possibly indicating a shift in the group’s targeting, with Fog previously known to focus on targets in the education and recreational sectors. Another potential new RansomHub affiliate, CosmicBeetle, emerged, with the threat actor observed using RansomHub’s EDR killer tool and a new ransomware payload, dubbed ScRansom. Issues with ScRansom’s decryption keys led CosmicBeetle to use the leaked LockBit 3.0 builder instead and to attempt to impersonate LockBit by using similar ransom notes and a similar leak site layout. Additionally, a campaign by the threat actor Storm-0501 targeted multiple sectors in the US, including government, manufacturing, transportation, and law enforcement, with the deployment of Embargo ransomware observed in some cases.
October 2024
Law enforcement again proved effective in disrupting ransomware group operations, with Europol announcing the arrest of four suspected LockBit members. Australia, the UK, and the US also announced sanctions against members of Evil Corp. The sanctioned individuals included Alexsandr Ryzhenkov, who was also identified as an affiliate of LockBit and a user of BitPaymer ransomware. Russia also sentenced four members of the REvil ransomware gang to prison. Undeterred by law enforcement action, CyberVolk announced it would shift its operations from hacktivism to ransomware. The group cited retaliation against governments opposed to Russian interests as its motivation for the shift in activity. While some similarities were observed with Babuk ransomware, CyberVolk added unique functionalities to its ransomware, such as anti-analysis techniques and AES encryption. Multiple new ransomware strains were also identified, including NotLockBit, a Linux variant of Helldown, and a Golang-based sample that imitates LockBit and abuses Amazon S3 Transfer Acceleration for data exfiltration. Notable victims this month included Wayne County government, Volkswagen Group, and Sonoma County Superior Court. Scattered Spider also deployed RansomHub ransomware in a double extortion attack on an organisation in the manufacturing sector.
November 2024
On November 18th, Akira added 35 victims to its darknet leak site, the most ever recorded in a single day, with more reportedly added later. Of the listed victims, 32 were new, with the majority from the business services sector and based in the US. The surge in listings was likely due to an increase in the number of new affiliates using the scheme to extort victims, or to Akira administrators holding back previous leaks. Operation Synergia II signified a continued effort in law enforcement’s fight against ransomware operations. The INTERPOL-led operation dismantled over 22,000 malicious addresses and servers, many of which were linked to ransomware activity. The US Department of Justice also charged Evgenii Ptitsyn for allegedly administering the sale, distribution, and operation of Phobos ransomware. This month, notable victims included the Mexican government, which was targeted by RansomHub, and the US third-party supply chain management company, Blue Yonder. The attack on Blue Yonder resulted in service disruptions at several of its customers, including Starbucks, Sainsbury’s and Morrisons.
December 2024
This month, the energy sector entered the crosshairs of ransomware actors. ENGlobal Corporation and Refinadora Costarricense de Petróleo, a state-owned energy provider in Costa Rica, were among the most notable victims, with both incidents resulting in significant operational disruptions. The Brain Cipher ransomware gang also claimed to have stolen over 1TB of data in an attack on the UK branch of Deloitte. Law enforcement efforts targeting ransomware operations concluded the year strongly with the arrest and indictment of Mikhail Pavlovich Matveev. Known by his online alias ‘Wazawaka’, Matveev is alleged to have been involved in the operations of Hive and LockBit ransomware and is reportedly the original administrator of the Babuk ransomware operation. Given the recent success of law enforcement, it is clear that authorities are ramping up their efforts. However, the holiday season presents a prime opportunity for ransomware actors to strike, suggesting that we may see more attacks in the coming weeks.
To learn how the Silobreaker Intelligence Platform can help boost visibility into ransomware targeting your organisation or industry, profile threat actors, attack types and TTPs, and deliver actionable intelligence, request a demo today.