After the takedown

Ransomware group LockBit on the verge of a comeback


The takedown of the LockBit ransomware group in February 2024 shook the cybercrime world. According to WithSecure’s new report, LockBit is now in a rebuilding phase, with clear signs of a planned comeback.

The new WithSecure report gives a detailed picture of the latest developments in the ransomware landscape. One of the key findings for the first half of 2024 is that productivity in the ransomware industry has stopped growing after peaking at the end of 2023. The report also notes notable shifts in attack targets and in the dynamics between groups.


While ransomware productivity has slowed this year, the frequency of attacks and the amount of ransoms collected have continued to increase in the first half of 2024 compared to the same periods in the previous two years. “There is a clear shift towards small and medium-sized businesses, which now make up a larger proportion of ransomware victims,” says Tim West, Director of Threat Intelligence and Outreach at WithSecure.

What is clear is that law enforcement efforts, above all the takedown of the LockBit ransomware group in February 2024, have played a critical role in disrupting major ransomware operations. These efforts have led to the seizure of significant assets and the dismantling of infrastructure that the ransomware groups depend on.

Despite these disruptions, the long-term impact of law enforcement on the ransomware ecosystem remains uncertain, because the groups tend to adapt and evolve. The report finds mounting evidence of a reorganization phase at LockBit, particularly in the period since June 2024. The authors therefore conclude that LockBit almost certainly intends to return with a more robust operating model.

The report examines the architecture of ransomware-as-a-service (RaaS) collectives and highlights the growing competition between ransomware franchises to attract affiliates. Following the demise of prominent groups such as LockBit and ALPHV, many newly "nomadic" ransomware affiliates have joined more established RaaS brands.

“Trust within the cybercriminal community has likely been significantly eroded due to incidents such as ALPHV’s alleged exit scam, where partners were defrauded of their earnings. This further complicates the dynamics within the ransomware ecosystem,” West explains.

One notable trend identified is the increasing use of initial access via the exploitation of edge services, as described in previous WithSecure research, along with the frequent use of remote management tools by ransomware actors.

The report also addresses the ongoing problem of reinfection. One finding: the data shows that a significant percentage of companies that paid a ransom were later attacked again, either by the same group or by other ransomware groups.

(lb/WithSecure)
