ReliaQuest report notes 20% spike in ransomware Q2 2024

ReliaQuest has released its latest quarterly ransomware and cyber extortion threat spotlight report, presenting a substantial increase in ransomware activity in Q2 2024. The report identified 1,237 organizations featured on ransomware data-leak sites during this period, marking a 20% increase from Q1 2024.

The report highlighted volatile ransomware activity, noting that 43% of the identified organizations were named in May, while June experienced unusually low numbers. These figures deviate from previous growth patterns and suggest significant disruptions within the ransomware-as-a-service (RaaS) ecosystem. This trend is notably different from the previous quarter’s downturn, seen primarily due to the ALPHV ransomware group disbanding and law enforcement's dismantling of the LockBit group's data-leak site.

Ransomware activity in Q2 2024 remains 13% lower than in Q2 2023. This reduction in activity, along with a minimal 1% increase in affected organizations in H1 2024 compared to the same period the previous year, indicates a slowing historical trend of rapid ransomware growth.

The report also pointed out significant changes in the list of the most active ransomware groups for Q2 2024. The previous crackdowns on LockBit and the dissolution of ALPHV paved the way for new groups such as RansomHub and BlackSuit to rise. An exit scam purportedly led to the dissolution of ALPHV, prompting affiliates to seek better conditions elsewhere. RansomHub’s new payment model attracted numerous former ALPHV associates, leading to a 243% increase in organizations listed on its data-leak site compared to Q1 2024. BlackSuit also saw a rise in victim numbers, moving from 17 in Q1 2024 to 51 in Q2 2024, with expectations of continued rapid growth.

ReliaQuest's observations indicate that groups like BlackSuit and RansomHub often gain initial access through exploiting vulnerabilities in internet-facing applications, such as unpatched virtual private networks (VPNs) and Remote Desktop Protocol (RDP) tools, or via social engineering. Increasing recommendations for these techniques have also been noted on various forums.

The report highlighted LockBit’s attempt to recover from its major law enforcement crackdown by announcing 179 affected organizations in May alone. The group’s apparent effort to regain credibility suggests an attempt to counter law enforcement narratives regarding its takedown. Despite this, ReliaQuest expects a significant reduction in LockBit activity in the forthcoming months as the group struggles to maintain affiliate trust.

June 2024 saw a rare single-extortion campaign, contrasting with the more common double- and triple-extortion methods. Approximately 165 customers of the data cloud company Snowflake suffered data breaches due to exposed credentials being sold on cybercriminal forums. This incident underscored the role of information-stealing malware and the lack of multi-factor authentication (MFA) in facilitating extortion activities without the typical data loss associated with ransomware attacks.

The US, along with the manufacturing and professional, scientific, and technical services (PSTS) sectors, remain the primary targets for ransomware groups. The targeting of PSTS firms signifies an increase in technology company targets, particularly in supply-chain attacks. Western countries, including the US, UK, Canada, and Germany, continue to face the highest risk of ransomware attacks, influenced in part by nationalistic motivations linked to geopolitical events, as well as a common prohibition among ransomware groups against targeting former Soviet Union countries.

Looking ahead to the next quarter, ReliaQuest anticipates a steady rise in ransomware activity. However, the increased frequency of law enforcement operations targeting ransomware groups and the rise in availability of free decryption keys are expected to contribute to an overall reduction in ransomware activity in the medium to long term.