Summary: The ransomware industry is stabilizing in productivity after a peak in late 2023, with a shift towards targeting small and medium-sized businesses and ongoing law enforcement efforts disrupting major operations. Despite these disruptions, the dynamics within the ransomware ecosystem continue to evolve, with increased competition among Ransomware-as-a-Service (RaaS) collectives and changing tactics among threat actors.
Threat Actor: Ransomware Groups
Victim: Small and Medium-sized Businesses
Key Points:
- Ransomware attacks and ransom payments have increased in the first half of 2024 compared to previous years.
- Law enforcement actions, including the takedown of the Lockbit group, have disrupted major ransomware operations but their long-term impact is uncertain.
- There is growing competition among ransomware franchises to attract affiliates, especially after the decline of prominent groups.
- Trust within the cybercriminal community has been eroded due to incidents like ALPHV’s alleged exit scam.
- Ransomware actors are increasingly using edge service exploitation and legitimate remote management tools for initial access.
After peaking in late 2023, the ransomware industry is beginning to stabilize in productivity, with notable developments in ransomware targets and industry dynamics, according to WithSecure.
Sectors impacted by ransomware (Source: WithSecure)
While ransomware productivity has shown signs of leveling off in 2024, the frequency of attacks and ransom payments collected remained higher in the first half of 2024 than in 2022 and 2023.
“There has been a marked shift towards targeting small and medium-sized businesses, which now represent a larger proportion of ransomware victims,” says Tim West, Director of Threat Intelligence and Outreach at WithSecure.
Law enforcement actions, notably the takedown of the Lockbit ransomware group in February 2024, have played a critical role in disrupting major ransomware operations. These efforts have led to the seizure of significant assets and the dismantling of critical infrastructure that ransomware groups use. Despite these disruptions, the long-term impact of law enforcement on the ransomware ecosystem remains uncertain, with ransomware groups adapting and evolving in response.
The report examines the architecture of Ransomware-as-a-Service (RaaS) collectives, emphasizing the growing competition among ransomware franchises to attract affiliates. Notably, following the decline of prominent groups like Lockbit and ALPHV, many newly “nomadic” ransomware affiliates have aligned themselves with more established RaaS brands.
“Trust within the cybercriminal community has probably been significantly eroded due to incidents such as ALPHV’s alleged exit scam, where affiliates were defrauded of their earnings, further complicating the dynamics within the ransomware ecosystem,” West describes.
A notable trend identified in the report is the increased adoption of initial access through edge service exploitation and the frequent use of legitimate remote management tools by ransomware actors.
Source: https://www.helpnetsecurity.com/2024/08/23/changing-dynamics-of-ransomware