Short Summary:
Ransomware activity surged in Q2 2024, with a 36% increase in claimed attacks compared to Q1, totaling 1,310 incidents. The resurgence is attributed to the recovery of LockBit and the emergence of new ransomware operators like Qilin and RansomHub, which have rapidly gained traction in the ransomware ecosystem.
Key Points:
- Ransomware attacks increased by 36% in Q2 2024, totaling 1,310 claims.
- LockBit, operated by the Syrphid group, saw a significant rise in attacks, claiming 353 incidents.
- Noberus ransomware operation closed in March 2024, leading to the rise of new operators.
- Qilin’s attacks increased by 47% to 97, while Play’s attacks rose by 27% to 89.
- RansomHub’s attacks tripled to 75, making it one of the most prolific ransomware families.
- Discrepancies exist between publicly claimed attacks and those investigated by Symantec.
- Attackers are exploiting known vulnerabilities in public-facing applications and targeting exposed RDP servers.
- The increase in attacks indicates a shift back to aggressive tactics by ransomware actors.
MITRE ATT&CK TTPs (created by AI):
- Exploitation of Public-Facing Application (T1190)
  - Attackers exploit known vulnerabilities in applications, such as CVE-2024-4040.
- Remote Services (T1210)
  - Attackers target exposed RDP servers with weak credentials.
- Credential Dumping (T1003)
  - Weak credentials are exploited due to the absence of multi-factor authentication (MFA).
- Command and Control (T1071)
  - Threat actors use remote commands to download malware onto compromised machines.
international law enforcement operation in February 2024. LockBit, which is operated by the Syrphid cybercrime group, has long been the most prolific ransomware operation but experienced a dip in activity in the first quarter of this year. However, LockBit attacks increased significantly in the second quarter of 2024 and, with 353 attacks claimed this quarter, are now higher than ever.