Ransomware Groups’ Data Leak Site Listings Increased by 20% in Q2, 2024
An analysis of ransomware groups’ data leak sites by Reliaquest has shown a marked increase in activity in Q2, 2024, with listings increasing by 20% from Q1 with 1,237 organizations added to the data leak sites in Q2.
To add some perspective, the number of new listings on data leak sites in Q1, 2024, was atypically low for two main reasons. In Q1, an international law enforcement operation disrupted the LockBit ransomware group, and following a ransomware attack on Change Healthcare, the ALPHV/Blackcat conducted an exit scam and shut down its operation. These two groups were the most prolific RaaS operations at the time.
While the number of additions to data leak sites increased by 20% in Q2, ransomware actively is down 13% from Q2, 2023, with the number of victims up 1% in H1 2024 compared to H1, 2023. The shutdown of ALPHV/Blackcat has meant affiliates of that group have had to move to other RaaS groups, and several RaaS groups have been recruiting those affiliates, such as RansomHub, BlackSuit, and BlackBasta, all of which increased their activity in the quarter. RansomHub, which now includes the Scattered Spider threat group among its affiliates, has been particularly active, with listings increasing by 243% from the previous quarter. LockBit has also stepped up attacks, and had a spike in data leak site listings in May, when 35.8% of all ransomware data leak listings were for LockBit attacks.
More than half of the listings in Q2 were for US-based organizations. Reliaquest explained that many RaaS groups are based in the Commonwealth of Independent States (CIS) and are prohibited from conducting attacks in those countries, and there are nationalistic motivations for conducting attacks in the United States. Attacks in the US are also likely to be financially motivated – victims of attacks are viewed as more likely to pay the ransom, as the US has among the highest levels of cybersecurity insurance coverage.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Certain industries face greater risks than others. While attacks on healthcare and public health (HPH) entities are common, the HPH sector was the 5th most targeted sector, with manufacturing and the professional, scientific, and technical services (PTST) sectors each having more than twice the number of attacks as healthcare. Similar numbers of attacks were conducted in construction and retail trade as healthcare. Ransomware groups are targeting these sectors due to the cost and impact of downtime, which allows them to demand high ransoms and increases the probability of being paid as payment shortens the downtime. Reliaquest points out that the PTST sector, which pulled to within 1% of manufacturing, is a particularly attractive target due to the potential for supply chain compromise.
ReliaQuest predicts attacks will continue to increase through Q3, 2024, especially from supply chain compromise and compromised credentials, although increasing law enforcement activity and the prevalence of free decryption keys may lead to a reduction in attacks in the medium to long term.
