Ransomware: Attacks Approaching Peak Levels Again

Short Summary:

Ransomware activity surged in Q2 2024, with a 36% increase in claimed attacks compared to Q1, totaling 1,310 incidents. The resurgence is attributed to the recovery of LockBit and the emergence of new ransomware operators like Qilin and RansomHub, which have rapidly gained traction in the ransomware ecosystem.

Key Points:

  • Ransomware attacks increased by 36% in Q2 2024, totaling 1,310 claims.
  • LockBit, operated by the Syrphid group, saw a significant rise in attacks, claiming 353 incidents.
  • Noberus ransomware operation closed in March 2024, leading to the rise of new operators.
  • Qilin’s attacks increased by 47% to 97, while Play’s attacks rose by 27% to 89.
  • RansomHub’s attacks tripled to 75, making it one of the most prolific ransomware families.
  • Discrepancies exist between publicly claimed attacks and those investigated by Symantec.
  • Attackers are exploiting known vulnerabilities in public-facing applications and targeting exposed RDP servers.
  • The increase in attacks indicates a shift back to aggressive tactics by ransomware actors.

MITRE ATT&CK TTPs – created by AI

  • Exploitation of Public-Facing Application (T1190)
    • Attackers exploit known vulnerabilities in applications, such as CVE-2024-4040.
  • Remote Services (T1210)
    • Attackers target exposed RDP servers with weak credentials.
  • Credential Dumping (T1003)
    • Weak credentials are exploited due to the absence of multi-factor authentication (MFA).
  • Command and Control (T1071)
    • Threat actors use remote commands to download malware onto compromised machines.

international law enforcement operation in February 2024. LockBit, which is operated by the Syrphid cybercrime group, has long been the most prolific ransomware operation but experienced a dip in activity in the first quarter of this year. However, LockBit attacks increased significantly in the second quarter of 2024 and, with 353 attacks claimed this quarter, are now higher than ever.

which first appeared only in February 2024 but appears to have been quick in winning over affiliates to its RaaS operation. Attacks claimed by RansomHub more than tripled in the second quarter to 75, up from 23 in the first quarter of this year. RansomHub’s surge in activity has pushed it into the center of the ransomware ecosystem, and it was the fourth most prolific ransomware family in the second quarter.

CVE-2024-4040 to run remote commands to download malware onto compromised machines. While CVE-2024-4040 was patched on April 19, 2024, Snakefly was continuing to search for and exploit unpatched systems. 

Snakefly is a specialist in these kinds of attacks and has a long track record of exploiting recently patched and zero-day vulnerabilities in order to mount extortion campaigns.

Snakefly is responsible for the Cl0p ransomware, and it appeared highly likely that the final objective of this campaign was the deployment of Cl0p ransomware.

Along with exploitation of known vulnerabilities, there is anecdotal evidence of attackers targeting exposed RDP servers with weak credentials and poor network segmentation to facilitate lateral movement. In many cases, the absence of multi-factor authentication (MFA) across these services means that weak credentials are particularly vulnerable to exploitation.
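The weak-credential RDP pattern described above leaves a distinctive trail in Windows Security logs: a burst of failed RemoteInteractive (logon type 10) logons (event 4625) from one source, followed by a success (event 4624) from that same source. The detection below is an added example, not code from Symantec or the report; the event tuples are constructed sample data and the threshold is an assumed tuning value.

```python
from collections import defaultdict

# Constructed sample of Windows Security events, not taken from the report.
# Fields: (event_id, logon_type, source_ip, account, outcome)
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SAMPLE_EVENTS = [
    (4625, 10, "203.0.113.7", "administrator", "fail"),
    (4625, 10, "203.0.113.7", "administrator", "fail"),
    (4625, 10, "203.0.113.7", "admin", "fail"),
    (4625, 10, "203.0.113.7", "administrator", "fail"),
    (4625, 10, "203.0.113.7", "admin", "fail"),
    (4625, 10, "203.0.113.7", "backup", "fail"),
    (4624, 10, "203.0.113.7", "backup", "success"),   # guessed password worked
    (4625, 10, "198.51.100.22", "jsmith", "fail"),     # ordinary typo, then success
    (4625, 10, "198.51.100.22", "jsmith", "fail"),
    (4624, 10, "198.51.100.22", "jsmith", "success"),
    (4625, 3, "192.0.2.9", "svc_sql", "fail"),         # network logon, not RDP
    (4625, 3, "192.0.2.9", "svc_sql", "fail"),
]

FAIL_THRESHOLD = 5  # assumed tuning value; adjust to the environment's baseline


def detect_rdp_password_guessing(events, threshold=FAIL_THRESHOLD):
    """Flag source IPs with >= threshold failed RDP logons.

    Returns {source_ip: {"failures": n, "accounts": set_of_targeted_accounts,
    "succeeded_as": [accounts that later logged on from that source]}}.
    A non-empty "succeeded_as" list is the signal that a weak password was
    found; without MFA on RDP that is the moment the host is compromised.
    """
    failures = defaultdict(int)
    accounts = defaultdict(set)
    successes = defaultdict(list)
    for event_id, logon_type, src, account, _outcome in events:
        if logon_type != 10:          # only RemoteInteractive (RDP) logons
            continue
        if event_id == 4625:
            failures[src] += 1
            accounts[src].add(account)
        elif event_id == 4624 and failures[src] >= threshold:
            successes[src].append(account)   # success after a guessing burst
    return {
        src: {"failures": n, "accounts": accounts[src], "succeeded_as": successes[src]}
        for src, n in failures.items() if n >= threshold
    }
```

Sources that appear with an empty `succeeded_as` list are still worth blocking at the perimeter; a populated list should be handled as a confirmed account compromise.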

Cause for concern

The sharp increase in attacks in the second quarter of this year suggests that momentum is once again with attackers. While high-profile ransomware operations such as Noberus shut down, the pool of skilled affiliates appears to be undisturbed and many appear to simply migrate to alternative franchises. 

Protection/Mitigation

For the latest protection updates, please visit the Symantec Protection Bulletin.

Source: Original Post