Summary: Ransomware activity increased in the second quarter, with threat groups listing 1,237 organizations on data leak sites, and LockBit accounting for a significant number of victims in May. U.S.-based businesses were the most targeted, particularly in the manufacturing and professional services sectors.
Threat Actor: LockBit
Victim: Various organizations | LockBit ransomware victims
Key Points:
- Ransomware activity increased in Q2, with 1,237 organizations listed on data leak sites, a 20% increase from Q1.
- LockBit accounted for 36% of the alleged ransomware victims in May.
- U.S.-based businesses were the most targeted, and the manufacturing and professional services sectors were heavily affected.

Dive Brief:
- Ransomware activity jumped in the second quarter as threat groups listed 1,237 organizations on data leak sites during the period, marking a 20% increase from Q1, Reliaquest said in a Tuesday report.
- May was an especially active month due to a spike in posts from the ransomware group LockBit, which accounted for 36% of the month’s alleged victims, the report found. Yet, an abnormally slow June dragged the total count of alleged ransomware victims down 13% year over year, according to Reliaquest.
- U.S.-based businesses bore the brunt of ransomware attacks during Q2, composing more than half of all claimed ransomware victims listed on data leak sites during the period. Sectors targeted most heavily by cybercriminals during the quarter included manufacturing and professional, scientific and technical services, the report found.
Dive Insight:
The May surge in claimed attacks followed by a June slowdown is attributed to LockBit’s attempt to recover from an international law enforcement takedown of the group’s infrastructure.
“Announcing 179 affected organizations in May alone, the group likely tried to regain notoriety and disprove law enforcement’s statements regarding the group’s takedown,” Reliaquest’s Threat Research Team said in the report.
The most active ransomware groups during Q2 typically gained initial access to victim networks by exploiting unpatched VPNs or remote desktop protocol tools, or through social engineering campaigns, according to Reliaquest.
Marketplace listings in cybercriminal forums featuring data harvested by infostealers also jumped 30%, according to Reliaquest.
A wave of attacks targeting more than 100 Snowflake customer environments during Q2 underscored the increased use of legitimate credentials for initial access.
“Credentials obtained by infostealer malware, which covertly infiltrates systems and collects sensitive information, serve as an initial point of entry and can affect software ranging from authentication applications to cloud data services like Snowflake,” Reliaquest said in the report. “We predict that, as the use of infostealers continues to grow, so will the use of exposed credentials in ransomware attacks.”
Reliaquest expects ransomware activity to rise steadily in the short term, despite disruptions to the ransomware-as-a-service ecosystem, and to return to peak levels by the end of 2024.
Source: https://www.cybersecuritydive.com/news/ransomware-leak-site-increase/721480