Ransomware: Threat Level Remains High in Third Quarter
Recently established RansomHub group overtakes LockBit to become most prolific ransomware operation.
Ransomware attacks continued to occur at near peak levels during the third quarter of this year, which also saw the newly formed RansomHub group overtake the veteran LockBit operation as the number one ransomware threat.
Analysis of data from ransomware leak sites found that ransomware actors claimed 1,255 attacks in the third quarter of 2024, down very slightly from 1,325 in the second quarter, but the overall number of attacks is continuing to trend upwards.
The biggest development during the quarter was the decline of LockBit, which was previously the dominant player in the ransomware ecosystem, claiming more than three times more attacks than its nearest rival Qilin in the second quarter. The number of LockBit attacks claimed in the third quarter was 188, down from the 353 attacks claimed in the second quarter. LockBit was the target of an international law enforcement operation in February 2024, which impacted its level of activity in the first quarter of this year. By the second quarter, it appeared to recover completely, but it is possible that the operation has led to a loss of trust among LockBit affiliates, particularly since authorities indicated they had collected information that could identify affiliates.
The biggest beneficiary of LockBit’s decline was RansomHub, which only became active in February 2024 but is now the number one ransomware operation in terms of the number of attacks claimed. RansomHub claimed 191 attacks in the third quarter, up from 75 in the second quarter. The group’s rapid rise may be explained by its success in recruiting experienced affiliates for its ransomware-as-a-service operation, reportedly offering more attractive terms than rival outfits.
Another group that stepped up attacks was Qilin (aka Agenda), which claimed 140 attacks in the third quarter, up from 97 in the second quarter.
There was once again a significant difference between overall, publicly claimed activity levels and the ransomware activity investigated by Symantec. While LockBit still ranked highly in the number of claimed attacks, it accounted for only 7% of the attacks investigated by Symantec in the third quarter. Conversely, while RansomHub accounted for 15% of publicly claimed attacks, it was responsible for a third of the attacks investigated by Symantec, supporting reports that it is signing up experienced affiliate attackers from rival groups.
Dual-use tools
Today’s ransomware attacks are complex multi-stage intrusions that involve the deployment of multiple tools and often a significant amount of hands-on-keyboard activity on the part of the attackers. An analysis of the most frequently seen tools used in ransomware attacks gives some indication of the favored tactics, techniques, and procedures (TTPs) among ransomware actors at present.
These tools fall mostly into four categories:
Living off the Land: Utilities that are native to the Windows environment that can be leveraged by an attacker. Tools such as PsExec and WMI can be leveraged by attackers to move laterally on networks and execute commands on remote machines. PowerShell, meanwhile, is a powerful scripting tool that can be used to run commands, download payloads, move laterally, and carry out reconnaissance.
Impairing Defenses: A growing number of attackers are using tools that leverage the Bring Your Own Vulnerable Driver (BYOVD) technique. Attackers deploy a legitimately signed but vulnerable driver to the target network and use it to kill security software. Drivers run with kernel privileges, which means they can be used to terminate processes, including protected security processes that user-mode code cannot touch. In most cases, the vulnerable driver is deployed alongside a malicious executable, which uses the driver to issue the commands.
Remote Desktop/Remote Admin: While these software packages are used legitimately for remote administration or tech support, attackers are turning to them because they effectively provide backdoor access to a machine. Tools such as RDP, AnyDesk, Splashtop, and ScreenConnect are frequently deployed by ransomware actors.
Data Exfiltration: Most ransomware groups carry out double-extortion attacks, stealing data from a victim’s network prior to encryption and using the threat of leaking that stolen data as an additional form of leverage. Rclone is the most frequently used exfiltration tool. Many of the remote admin packages used by ransomware actors also have exfiltration capabilities.
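The four tool categories above map directly onto process-creation telemetry, which is where most of this activity is first visible. The following is an added example, not Symantec's code or any product's detection logic: a small Python triage script that tags Sysmon-style process records with the category of dual-use tool they indicate and then prioritizes hosts and users that combine more than one category, since a single remote-admin install is common and usually legitimate while the combination of lateral movement, driver loading and exfiltration tooling is not. The sample events, host names, user names, file paths and the `placeholder_driver.sys` file name are all constructed; the tool names (PsExec, WMI, PowerShell, AnyDesk, Splashtop, ScreenConnect, Rclone) are the ones named in the text, and the field names follow the Sysmon Event ID 1 fields (`Image`, `CommandLine`) as an assumption about the log source.

```python
import re
from collections import defaultdict

# Constructed sample process-creation records (Sysmon Event ID 1 style fields).
# Hosts, users and paths are placeholders, not data from any real incident.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"host": "SRV02", "user": "CORP\\svc_backup",
     "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\FS01 -s cmd.exe /c whoami"},
    {"host": "SRV02", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"host": "FS01", "user": "CORP\\svc_backup",
     "image": r"C:\Users\Public\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Shares remote:bucket --transfers 32"},
    {"host": "WS07", "user": "CORP\\asmith",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe"},
    {"host": "SRV02", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\sc.exe",
     # Kernel service pointing at a .sys in a user-writable directory:
     # the typical footprint of a BYOVD driver being registered.
     "cmdline": r"sc.exe create drvsvc type= kernel binPath= C:\Windows\Temp\placeholder_driver.sys"},
]

# (category, rule name, field to inspect, case-insensitive regex)
RULES = [
    ("living_off_the_land", "psexec", "image",
     r"[\\/]psexe(?:c|svc)(?:64)?\.exe$"),
    ("living_off_the_land", "wmi_remote_exec", "cmdline",
     r"\bwmic(?:\.exe)?\b.*/node:"),
    ("living_off_the_land", "powershell_encoded_or_download", "cmdline",
     r"powershell(?:\.exe)?.*(?:-e(?:nc|ncodedcommand)?\b|downloadstring|invoke-webrequest|\biwr\b)"),
    ("impairing_defenses", "kernel_driver_service_from_writable_path", "cmdline",
     r"\bsc(?:\.exe)?\s+create\b.*type=\s*kernel.*(?:\\temp\\|\\users\\public\\|\\programdata\\)"),
    ("remote_admin", "anydesk", "image", r"[\\/]anydesk\.exe$"),
    ("remote_admin", "splashtop", "image", r"splashtop"),
    ("remote_admin", "screenconnect", "image", r"screenconnect"),
    ("data_exfiltration", "rclone", "cmdline",
     r"\brclone(?:\.exe)?\s+(?:copy|sync|move)\b"),
]
COMPILED = [(c, n, f, re.compile(p, re.IGNORECASE)) for c, n, f, p in RULES]


def classify(event):
    """Return the list of (category, rule_name) hits for one process record."""
    hits = []
    for category, name, field, pattern in COMPILED:
        if pattern.search(event.get(field, "")):
            hits.append((category, name))
    return hits


def summarize(events, min_categories=2):
    """Aggregate tool categories per host and per user.

    Entities that touch at least `min_categories` distinct categories are
    listed as priority: ransomware intrusions chain several of them, while an
    isolated remote-admin or PowerShell hit is routine in most environments.
    """
    by_host, by_user = defaultdict(set), defaultdict(set)
    for ev in events:
        for category, _ in classify(ev):
            by_host[ev["host"]].add(category)
            by_user[ev["user"]].add(category)

    def priority(table):
        return sorted(k for k, cats in table.items() if len(cats) >= min_categories)

    return {
        "hosts": {h: sorted(c) for h, c in by_host.items()},
        "users": {u: sorted(c) for u, c in by_user.items()},
        "priority_hosts": priority(by_host),
        "priority_users": priority(by_user),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    for host in report["priority_hosts"]:
        print(f"priority host {host}: {', '.join(report['hosts'][host])}")
    for user in report["priority_users"]:
        print(f"priority user {user}: {', '.join(report['users'][user])}")
```

Aggregating by user as well as by host matters here: in the constructed data no single host shows all three of lateral movement, driver registration and exfiltration, but one service account does, which is the view an analyst would want first.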
Robust ecosystem
The growth of ransomware operations such as RansomHub and Qilin to rival LockBit isn’t welcome news, as it may make the ransomware ecosystem more robust and less likely to experience major disruption should a dominant operator be taken down or go offline.
Protection/Mitigation
For the latest protection updates, please visit the Symantec Protection Bulletin.