Number of Active Ransomware Groups Highest on Record

This year has seen the highest number of active ransomware groups on record, with 58 attacking global businesses in the second quarter. Threat intelligence platform provider Cyberint has reported only a slight dip in the third quarter, with 57 active groups.

Furthermore, in Q3, the top 10 ransomware groups were responsible for only 58.3% of all detected attacks. This reflects both the increase in the number of active groups in general and a decline in activity from the larger players thanks to successful law enforcement takedowns, such as those of ALPHV and Dispossessor.

Adi Bleih, security researcher at Cyberint, told TechRepublic in an email: “The number of active ransomware groups having reached an all-time high means that businesses face an increased risk of attacks as each of these competing gangs must now vie for targets. The competition between different ransomware groups has fuelled increasingly frequent attacks, leaving very little room for error on the part of enterprise cybersecurity teams.

“Whereas security gaps and vulnerabilities may have previously gone unnoticed, the proliferation of ransomware groups, with all of them scouring the web for their next victims, means that even minor errors can now quickly lead to major security incidents.”

The most prolific ransomware groups are succumbing to law enforcement operations

Indeed, separate research from WithSecure found that of the 67 ransomware groups tracked in 2023, 31 were no longer operational as of Q2 2024. NCC Group also noted a year-over-year decline in ransomware attacks in both June and July this year, which experts linked to the LockBit disruption.

SEE: LockBit Back Online as Ransomware Gang Continues to Clash with Law Enforcement

LockBit specifically used to account for the majority of attacks, but with only 85 attacks in the third quarter, it attacked almost 60% less companies than it did the second, according to Cyberint’s report. This marks the group’s lowest number of quarterly attacks in a year and a half.

An August report from Malwarebytes also found that the proportion of ransomware attacks that LockBit claimed responsibility for fell from 26% to 20% over the past year, despite carrying out more individual attacks.

ALPHV, the second-most prolific ransomware group, also created a vacancy after a sloppily executed cyber attack against Change Healthcare in February. The group did not pay an affiliate their percentage of the $22 million ransom, so the affiliate exposed them, prompting ALPHV to fake a law enforcement takeover and cease operations.

SEE: Timeline: 15 Notable Cyberattacks and Data Breaches

These observations suggest that law enforcement takedowns are proving effective against the more-established gangs while simultaneously opening up new opportunities for smaller groups. The Malwarebytes analysts added that the new gangs “are certain to be trying to attract their affiliates and supplant them as the dominant forces in ransomware.”

But Cyberint analysts are optimistic about the ripple effect of takedown operations on smaller players, writing: “As these large operations struggle, it’s only a matter of time before other big and small ransomware groups follow the same path. The ongoing crackdown has created a more hostile environment for these groups, signaling that their dominance may not last much longer.”

Indeed, instead of continuing the upwards trend from the second quarter, where the number of ransomware attacks increased by almost 21.5%, the Cyberint researchers found the 1,209 cases in Q3 actually marked a 5.5% decrease.

SEE: Global Cyber Attacks to Double from 2020 to 2024, Report Finds

The most prominent ransomware group of the quarter was RansomHub, as it was responsible for 16.1% of all cases, claiming 195 new victims. Prominent attacks include those on global manufacturer Kawasaki and oil and gas services company Halliburton. The Cyberint analysts say that the group’s roots are likely in Russia and that it has connections to former affiliates of the now-inactive ALPHV group.

Second in the list of most active ransomware groups is Play, which claimed 89 victims and 7.9% of all cases. It has purportedly executed over 560 successful attacks since June 2022, with the most prominent one from this year targeting the VMWare ESXi environment.

“If not hindered, Play is going to break its own record of yearly victims in 2024 (301),” the analysts wrote.

Ransomware groups targeting Linux and VMWare ESXi Systems

The Cyberint report noted a trend that ransomware groups are heavily focusing on targeting Linux-based systems and VMware ESXi servers.

VMware ESXi is a bare-metal hypervisor that enables the creation and management of virtual machines directly on server hardware, which may include critical servers. Compromising the hypervisor can allow attackers to disable multiple virtual machines simultaneously and remove recovery options such as snapshots or backups, ensuring significant impact on a business’s operations.

Ransomware groups Play and Cicada3301 developed ransomware that specifically targets VMWare ESXi servers, while Black Basta has exploited vulnerabilities that allows them to encrypt all the files for the VMs.

SEE: Black Basta Ransomware Struck More Than 500 Organizations Worldwide

Linux systems also often host VMs and other critical business infrastructure. Such focus highlights cyberattackers’ interest in the huge payday available from executing maximum damage on corporate networks.

Attackers are using custom malware and exploiting legitimate tools

The sophistication of ransomware groups’ techniques has increased considerably over the past year, with Cyberint researchers observing attackers using custom malware to bypass security tools. For example, the Black Basta gang used a number of custom tools after gaining initial access to target environments.

Attackers are also exploiting legitimate security and cloud storage tools to evade detection. RansomHub was observed using Kaspersky’s TDSSKiller rootkit remover to disable endpoint detection and response and the LaZagne password recovery tool to harvest credentials. Plus, multiple groups have used Microsoft’s Azure Storage Explorer and AzCopy tools to steal corporate data and store it in cloud-based infrastructure.

Bleih told TechRepublic: “As these gangs become more successful and well-funded, they become increasingly sophisticated and operate similarly to a legitimate enterprise. While we often see the same tried-and-true attack vectors used – phishing attacks, the use of stolen credentials, exploitation of vulnerabilities on Internet-facing assets – they are becoming more creative in how they execute these common techniques.

“They are also becoming increasingly agile and scalable. For instance, while threat actors have always been technically adept, they are now able to start exploiting new vulnerabilities at scale just a few days after a critical CVE is documented. In the past, this may have taken weeks or perhaps longer.”