Ransomware Groups Increasingly Targeting Poorly Secured and Outdated VPNs for Initial Access
Ransomware attacks continue to be conducted at elevated levels, with the number of new victims added to data leak sites increasing slightly (0.72%) in Q3, 2024 from the previous quarter, according to the 2024 Q3 Cyber Threat Report from Corvus. In Q3, 2024 Corvus tracked 1,257 new additions to data leak sites, down 1.64% from Q3, 2023.
There has been a marked change in the ransomware landscape, which is far more distributed than last year, when a few highly prolific threat groups conducted the majority of attacks. Successful law enforcement operations against LockBit and ALPHV saw affiliates of both groups jump ship, and following the ransomware attack on Change Healthcare, the ALPHV operation was shut down, pushing the remaining affiliates into joining other groups or starting up their own operations.
In Q3, 2024, there were 59 active ransomware groups, many of which were small-scale ransomware groups, although some highly active ransomware groups remain. The most active group in the quarter was RansomHub, which increased its activity by 160% with at least 195 successful attacks. RansomHub has been rapidly increasing its dominance, helped by the recruitment of experienced ransomware affiliates from other groups. In March 2024, RansomHub conducted fewer than 20 attacks, then increased to more than 45 attacks in July, and between 70 and 80 in August and September. Play ransomware was the second most active group with 93 victims, and there were 91 new LockBit 3.0 victims, less than half the number of LockBit victims in Q2, 2024. The Medusa and Akira ransomware groups round out the top 5 with each claiming between 40 and 50 victims.
Healthcare was the second most targeted industry sector behind construction and experienced a 12.8% increase in attacks from the previous quarter with 53 new victims, up from the 47 victims in Q2. While many ransomware groups have a policy of not attacking healthcare organizations, groups such as Play and Medusa are actively targeting healthcare organizations.
The most common initial access vector in Q3 was Virtual Private Networks (VPNs), which accounted for 28.7% of all claims. Victims have made it too easy for ransomware groups by failing to keep their VPN software up to date and by having poorly secured accounts. All too often, ransomware groups can easily brute force VPNs due to the use of default usernames and weak passwords, combined with a lack of multi-factor authentication. The importance of MFA cannot be overstated. Corvus reports that around 75% of policyholders submitting a claim for a ransomware attack either did not have MFA, had not implemented MFA fully, or MFA coverage could not be determined.
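The VPN credential abuse described above leaves a recognisable trail in authentication logs: repeated failures against one account from one source, failures spread across many accounts from one source (password spraying), and a success that follows a burst of failures. The following script is an added example written for this article, not code from Corvus or HIPAA Journal. It runs three such detections over a handful of constructed log lines in an assumed, simplified format (`<timestamp> vpn auth <SUCCESS|FAILURE> user=<name> src=<ip>`); the thresholds, windows and the list of default usernames are assumptions to be tuned for a real environment.

```python
"""Flag VPN brute-force, password-spray and success-after-failure patterns.

Added example; not from the Corvus report or HIPAA Journal. The log format is
constructed for illustration and does not correspond to any specific VPN product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format, not real product output).
SAMPLE_LOG = """\
2024-09-12T02:14:01Z vpn auth FAILURE user=admin src=203.0.113.7
2024-09-12T02:14:03Z vpn auth FAILURE user=admin src=203.0.113.7
2024-09-12T02:14:05Z vpn auth FAILURE user=admin src=203.0.113.7
2024-09-12T02:14:08Z vpn auth FAILURE user=admin src=203.0.113.7
2024-09-12T02:14:10Z vpn auth FAILURE user=admin src=203.0.113.7
2024-09-12T02:14:12Z vpn auth SUCCESS user=admin src=203.0.113.7
2024-09-12T03:00:00Z vpn auth FAILURE user=alice src=198.51.100.4
2024-09-12T03:00:01Z vpn auth FAILURE user=bob src=198.51.100.4
2024-09-12T03:00:02Z vpn auth FAILURE user=carol src=198.51.100.4
2024-09-12T03:00:03Z vpn auth FAILURE user=dave src=198.51.100.4
2024-09-12T09:15:00Z vpn auth FAILURE user=erin src=192.0.2.9
2024-09-12T09:15:30Z vpn auth SUCCESS user=erin src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>SUCCESS|FAILURE) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumed list of vendor/default account names worth flagging on a VPN gateway.
DEFAULT_USERNAMES = {"admin", "administrator", "root", "guest", "test", "vpn"}


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """One source hammering one account: `threshold` or more failures inside `window`."""
    fails = defaultdict(list)  # (src, user) -> failure timestamps
    for e in events:
        if e["result"] == "FAILURE":
            fails[(e["src"], e["user"])].append(e["ts"])
    alerts = []
    for (src, user), times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"type": "brute_force", "src": src, "user": user, "count": end - start + 1})
                break
    return alerts


def detect_password_spray(events, min_users=3, window=timedelta(minutes=5)):
    """One source trying many accounts: `min_users` or more distinct users failing inside `window`."""
    per_src = defaultdict(list)  # src -> [(ts, user)]
    for e in events:
        if e["result"] == "FAILURE":
            per_src[e["src"]].append((e["ts"], e["user"]))
    alerts = []
    for src, attempts in per_src.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_users:
                alerts.append({"type": "password_spray", "src": src, "users": sorted(users)})
                break
    return alerts


def detect_success_after_failures(events, min_failures=3, window=timedelta(minutes=10)):
    """A SUCCESS preceded by `min_failures`+ FAILUREs for the same (src, user) inside `window`:
    the signature of a weak or default password that was eventually guessed."""
    history = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["src"], e["user"])
        if e["result"] == "FAILURE":
            history[key].append(e["ts"])
            continue
        recent = [t for t in history[key] if e["ts"] - t <= window]
        if len(recent) >= min_failures:
            alerts.append({"type": "success_after_failures", "src": e["src"], "user": e["user"],
                           "failures": len(recent), "default_username": e["user"] in DEFAULT_USERNAMES})
    return alerts


def analyze(text):
    events = parse_log(text)
    return detect_brute_force(events) + detect_password_spray(events) + detect_success_after_failures(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample data the script raises three alerts: a brute-force run against `admin` from 203.0.113.7, a password spray across four accounts from 198.51.100.4, and a successful `admin` login that followed five failures, flagged as a default username. The `erin` login, with a single typo-style failure before success, is not flagged. The success-after-failures case is the one to treat as an incident rather than noise, since it indicates the credential was guessed; an MFA prompt at that point is exactly what separates a failed attempt from initial access.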