The ransomware landscape remains dynamic and fast-moving. This is demonstrated by the significant increase in ransomware attacks and their impact in the second quarter (April-June) of 2024.
Despite the decline in incidents and the relatively low impact of ransomware attacks in the first quarter, the second quarter saw a renewed increase. This return to last year’s figures is particularly notable, as large ransomware groups suffered severe setbacks in the first quarter of 2024 due to law enforcement measures.
Ransomware attacks increased significantly in the 2nd quarter
While the activities of some leading ransomware groups were temporarily curtailed by these initial disruptions, the number of ransomware attacks almost doubled in the second quarter compared to the first quarter. For example, ALPHV (also known as BlackCat) was targeted by a US law enforcement operation in December 2023, which ultimately led to the group’s demise in March 2024. Law enforcement actions against LockBit 3.0 in February 2024 led to a significant decline in its activities. Dmitry Khoroshev, a key figure in the LockBit Ransomware Group, was placed on a wanted list. Despite these significant measures, these groups quickly adapted and refocused their strategies, resulting in a significant increase in the number of incidents. The increase in this activity has taken ransomware operations to a new level and caused significant business disruption to industrial organizations.
The renaming of Royal Ransomware to BlackSuit reflects a strategic realignment of the ransomware group and demonstrates enhanced capabilities such as more sophisticated encryption and improved lateral movement tactics. Similarly , the Knight ransomware transformed into RansomHub. The resilience and adaptability of ransomware groups increases the ongoing threat to industry sectors. This quarter also saw a significant change in the landscape of Ransomware-as-a-Service (RaaS). Groups such as BlackSuit and RansomHub emerged with updated tactics and methods – including more sophisticated encryption algorithms, improved lateral movement methods in networks and more effective evasion mechanisms to bypass detection mechanisms.
Critical industrial companies are the main target of ransomware activities
The industrial sector remains a prime target for these groups due to the critical nature of its operations and the potentially large impact of disruption. Ransomware is increasingly impacting industrial companies, with ransomware groups focusing on high-performing operators to maximize their profits. The risk of ransomware is exacerbated by government-affiliated groups using ransomware tactics and hacktivists increasingly using and even developing their own ransomware tools. For example, it has been reported that the Ikaruz Red Team is targeting critical infrastructure in the Philippines with ransomware, highlighting the merging of ideological and financial motives in the cyber threat landscape. This growing trend shows that the ransomware threat is evolving and escalating. It goes beyond traditional cybercriminal organizations to include politically and ideologically motivated adversaries.
Impact of ransomware operations on industrial companies
The second quarter of 2024 confirmed Dragos’ assessment that ransomware attacks are having a greater impact on the business of industrial companies. The incidents had a more severe impact than in previous quarters. The frequency and scale of attacks increased significantly this quarter, reflecting the evolution of the threat landscape and the continued risk posed by ransomware groups.
(pd/Dragos)