### #RansomwareTrends #RansomHub #VPNExploits
Summary: The Corvus Insurance Q3 2024 Cyber Threat Report reveals that five ransomware groups, including RansomHub and LockBit 3.0, accounted for 40% of cyber-attacks, with VPN vulnerabilities being a significant entry point for attackers. The report highlights the evolving ransomware landscape and the need for enhanced security measures.
Threat Actor: RansomHub | RansomHub
Victim: Various Sectors | Various Sectors
Key Point :
- Five ransomware groups accounted for 40% of all cyber-attacks in Q3 2024, with RansomHub emerging as a leading threat.
- VPN vulnerabilities and weak passwords contributed to nearly 30% of ransomware incidents, emphasizing the need for stronger security measures.
- Law enforcement actions, such as Operation Cronos, are reshaping the ransomware ecosystem, leading to more small-scale operations.
- RansomHub has quickly gained traction, with over 290 victims reported in 2024, while LockBit 3.0’s activity has significantly declined due to law enforcement pressure.
- Experts recommend multi-layered security approaches beyond multi-factor authentication to combat evolving threats.
Five ransomware groups, including RansomHub and LockBit 3.0, accounted for 40% of all cyber-attacks in Q3 2024, highlighting the increasing complexity and competition within the ransomware ecosystem, according to research by Corvus Insurance.
Overall, the Corvus’ Q3 2024 Cyber Threat Report, The Ransomware Ecosystem is Increasingly Distributed, noted that the ransomware threat level remained elevated.
The insurance firm’s findings showed that Q3 saw 1257 victims posted to leak sites, marking a 0.7% rise from Q2’s total of 1248 victims.
Of the ransomware attacks in Q3 2024, 40% can be traced to the following five groups:
- RansomHub
- PLAY
- LockBit 3.0
- MEOW
- Hunters International
The overall number of active ransomware groups across the world rose to reach 59, according to the research..
The report also noted that law enforcement activity, like Operation Cronos which affected LockBit, may be transforming the ransomware ecosystem, resulting in more small-scale operations than before.
RansomHub has quickly filled the void left by disruption to LockBit’s infrastructure and has accounted for more than 290 victims across various sectors in 2024.
In October, research by Symantec also noted that RansomHub is now the top ransomware operation in terms of successful attacks.
Symantec commented that the group’s success could be explained by its success in recruiting experienced affiliates for its ransomware-as-a-service operations.
Corvus said LockBit 3.0’s activity fell sharply from 208 in Q2 to 91 victims in Q3, likely signaling a response to law enforcement pressure.
Attackers Targeting VPNs Account for Third of Ransomware Incidents
Cybercriminals leveraging virtual private network (VPN) vulnerabilities and weak passwords for initial access contributed to nearly 30% of ransomware attacks.
Outdated software or VPN accounts with inadequate protections are what has led to VPN vulnerabilities being exploited.
Corvus explained that common usernames such as “admin” or “user” and a lack of multi-factor authentication (MFA) made accounts vulnerable to automated brute-force attacks, where attackers exploit publicly accessible systems by testing combinations of these weak credentials. This allows malicious actors to frequently achieve network access with minimal effort.
“Attackers are focused on finding the path of least resistance into a business to launch an attack, and in Q3 that entry point was the VPN,” said Jason Rebholz, CISO at Corvus.
“As we look forward, businesses must strengthen defenses with multi-layered security approaches that extend beyond MFA. Today, MFA is mere table stakes and must be complemented with secure access controls capable of shoring up these current and future areas of vulnerability,” he said.
Source: https://www.infosecurity-magazine.com/news/five-ransomware-groups-40-of