The Ransomware Report: New and Notable Changes in the Landscape

Ransomware attacks are evolving. It was bad enough when threat actors were encrypting your data and demanding payment. But now, cybercriminals are using multi-extortion tactics and threatening to leak your sensitive data to the dark web if you don’t pay. Of course, not paying could result in massive reputational damage to your company and the ripple effect extends to your entire book of business.

Jonathan Braley, director of threat intelligence, the Information Technology - Information Sharing and Analysis Center (IT-ISAC) told a ChannelCon 2024 audience that ransomware attacks are difficult to stop during a session called, Exploring the Depths: Analysis of the 2023 Ransomware Landscape and Insights for 2024.

“Operators reside in countries where prosecution and extradition are unlikely, groups go into hiding after law enforcement intervention only to rebrand and re-emerge later, and affiliates who work with ransomware operators move to new operations as old groups shut down,” Braley said. “And, of course, organizations continue to pay ransoms.”

But it’s not all bad news. While ransomware attacks are growing more sophisticated in nature as attackers collaborate and work together, the good guys are working together too—and it’s starting to show.

2023 Ransomware Trends and Takeaways

In 2023, the IT-ISAC recorded 2,905 ransomware attacks globally, with ransomware groups like LockBit, ALPHV/BlackCat, and CL0P taking the lead in terms of the number of victims compromised.

Critical manufacturing was the most victimized industry last year with 15% of ransomware attacks (468) targeting companies in the sector. Braley noted that these companies have an added supply chain pressure that can impact their decision to pay the ransom. Other impacted sectors included commercial facilities, financial services, healthcare and IT. 

Braley said that there aren’t any real trends regarding who ransomware groups are targeting.

“Ransomware attacks are usually opportunistic, not targeted,” he said. “They are looking for public vulnerabilities, scanning the networks and figuring out who the victim is later. The takeaway is that patching vulnerable systems is more critical than it’s ever been.”

The IT-ISAC has identified six key trends and takeaways based on 2023 analysis:

• Ransomware-as-a-Service (RaaS) operations have significantly reduced the barriers to entry for financially-motivated cybercriminals. Attackers can easily obtain ransomware software packages. Once they gain initial access to your network, they can deploy this software to encrypt files and demand payments.

   

• Methods are becoming more sophisticated. Attackers leverage zero-day vulnerabilities and employ custom tooling, making it challenging for organizations to defend against attacks using these ransomware packages.

   

• Data extortion schemes are increasing. Some ransomware groups are skipping the encryption process completely.

   

• New ransomware variant languages enable wider targeting. Switching to programming languages like Rust to develop encryptors increases the scope for potential victims beyond Windows users.

   

• Third-party vendors are being targeted. Bad actors continue to use third-party vendors to gain access to your mission-critical systems and data.

   

• Remote access management tools are appealing. Ransomware actors are using these tools because they grant high privileges.

The 2024 Ransomware Landscape

According to IT-ISAC analysis, the first quarter of 2024 showed some changes in the ransomware landscape. Ransomware attacks started strong in January (up 54% from January 2023). However, this increase was short-lived, with attacks decreasing by 42% in February 2024 compared with February 2023, and they decreased 55% in March 2024 compared with March 2023. This decrease is likely due to law enforcement efforts to take down ransomware infrastructure.

Braley said the law enforcement takedown of LockBit and ALPHV/BlackCat earlier this year caused a disruption to the ransomware landscape.

“We are seeing positive impacts from law enforcement activity,” he said.

In fact, in the second quarter of 2024, IT-ISAC observed a 21% decrease in ransomware attacks compared to the first quarter. The top three targeted sectors continue to be critical manufacturing, commercial facilities and healthcare—accounting for a total of 47.6% of all ransomware attacks. While the IT sector was targeted less frequently, it still accounted for 6.9% of all attacks.

Protect Yourself and Your Customers

The IT-ISAC offers these general guidelines for protecting yourself and your customers from a ransomware attack:

• Keep your information backed up
• Regularly update and patch systems
• Have an incident response plan ready (and test it)
• Test your security with a third party
• Segment networks for safety
• Thoroughly train your staff
• Use multi-factor authentication (MFA)
• Drive improved security of third-party partners

Download the full IT-ISAC Exploring the Depths report

Despite government agencies and law enforcement efforts to take down malicious infrastructure, new ransomware strains continue to emerge and cybercriminals continue to work together to evolve their strategies. It’s essential that the good guys continue to work together as well. When we share information we can all better defend and protect against potential cyberattacks.

Let’s work together.

Learn about the CompTIA Information and Sharing Analysis Organization (ISAO).