Ransomware Threat Landscape Continues to Diversify in 2024

The frequency of R&DE attacks is on an upward trajectory, with the number of observed incidents during Q1 2024 only slightly less than that of Q4 2023. This is despite the first quarter of the year historically seeing significantly lessened activity and ZeroFox observing more attacks during Q4 2023 than in any other quarter on record. Given high levels of R&DE activity during the first part of April, there is a likely chance that Q2 2024 will surpass Q1. 

• Reporting suggests that victim refusal to meet ransom demands fell to an all-time low in Q1 2024, indicating a very likely chance that the total number of R&DE attacks was much higher than that observed by ZeroFox.

An increasingly diverse threat landscape is contributing to the high number of incidents, with a large, growing number of collectives responsible for attacks. This is being propelled in part by several smaller and newer collectives becoming significantly more active. 

• Throughout 2023, the top five most active collectives (LockBit, ALPHV, Cl0p, Play, and 8Base) together accumulated a total of at least 2,100 attacks—approximately 52 percent of total R&DE activity.
• So far in 2024, the five most active collectives have been responsible for a continually decreasing proportion of total R&DE activity. Throughout January and February, the most prominent threat groups were LockBit, 8Base, ALPHV, Hunters International, and Akira, which accounted for approximately 47 percent of total activity. This reduced to 41 percent in March and 35 percent so far in April, due primarily to the reduction of LockBit and ALPHV activity.

While still conducting comparatively low numbers of attacks, several threat collectives have increased their operational tempo during 2024. 

• The number of attacks conducted by BlackSuit have increased each month during 2024, from three in January (accounting for approximately 1 percent of global R&DE) to 13 so far in April (accounting for approximately 7 percent of global R&DE).
• Despite being first observed as recently as February 2024, RansomHub has already conducted at least 35 attacks, displaying a tempo that is atypical for a newer collective. It is almost certain that RansomHub obtained affiliates from ALPHV following its disruption. This is supported by the addition of technology organization Change Healthcare to the RansomHub victim leak site on April 8, 2024; Change Healthcare had initially been extorted by ALPHV in February 2024.
• Black Basta conducted at least 41 attacks in March 2024—the highest observed in any previous month and significantly higher than its average of 16 monthly since they were first observed in approximately May 2022.
• Medusa Locker conducted at least 60 attacks during February, March, and April 2024, exhibiting an upward trajectory and its most active months on record.
• Hunters International conducted at least 30 attacks in February 2024, accounting for 9 percent of global R&DE activity, and it is likely that this will be surpassed in April 2024. Hunters International has also exhibited a significant operational tempo since it was first observed in Q3 2023.

Several smaller R&DE collectives, such as DarkVault, DragonForce, MyData, and Red, have also exhibited notably high attack tempos for relatively new outfits. Like RansomHub, it is very likely that such groups are benefitting from the acquisition of experienced affiliates from LockBit and ALPHV.

Newer threat collectives are likely to continue exhibiting upward attack trajectories as their efficacy increases, their services and reputation become established in DDW forums, and they are able to garner new and experienced affiliates.

The two most prominent threat groups of 2023, ALPHV and LockBit, have been conducting a smaller proportion of total R&DE activity each month following their disruption by law enforcement (LE) entities in December 2023 and February 2024, respectively.

In the weeks following LockBit’s disruption, the group continued to upload significant numbers of victims to its leak site. It is almost certain that the majority of these were associated with extortion operations that were ongoing at the time of the LE disruption of the collective’s digital infrastructure.

• LockBit’s proportion of monthly R&DE activity peaked in February 2023, at over 50 percent of observed attacks. This reduced to 22 percent in February 2024 and stands at just 3 percent so far in April 2024.

There is a roughly even chance that LockBit’s attack tempo will increase throughout 2024, as the collective attempts to recover digital infrastructure and attract new affiliates. However, the group is very unlikely to reach the heights observed during 2023 due to the damage inflicted upon its reputation in DDW forums, the release of a decryption tool, and the continued LE scrutiny that is likely deterring affiliates.

• LockBit’s continued—albeit reduced—tempo is being enabled through its [.]onion “LockBit 3.0” leaksite, which continues to list both new victims and those from before LE disruption. 

ALPHV was responsible for approximately 10 percent of all R&DE attacks from January 2023 up until its December LE disruption. This reduced to 4 percent during Q1 2024, with no incidents being observed so far in April. It is likely that the damage to ALPHV’s digital infrastructure and the significant loss of affiliates will prevent the collective from resuming operations. There is a roughly even chance that senior figures will attempt a rebrand during 2024, though it is very unlikely that recovery will be sufficient to meet the activity levels of 2023.

ZeroFox observed very little change in the industries of targeted organizations during Q1 2024. Compared to 2023, small increases were noted in the manufacturing, retail, construction, healthcare, and professional services industries. It is very unlikely that these increases are indicative of new targeting patterns; rather, they are likely the result of expected threat landscape fluctuations.

Manufacturing will very likely remain the most targeted industry over the coming months, though variations will likely be observed as newer and smaller threat collectives establish and adapt their techniques, tactics, and procedures (TTPs).

The region of victims also exhibited little variation between 2023 and Q1 2024. Slight increases in the targeting of North America-based organizations are very likely the result of natural fluctuations and not indicative of increased emphasis. North America will almost certainly remain the region most targeted by R&DE attacks over the coming months. 

ZeroFox Intelligence Recommendations

• Adopt a Zero-Trust cybersecurity posture based upon a principle of least privilege. 
• Implement network segmentation to separate resources. 
• Implement secure password policies with phishing-resistant multi-factor authentication (MFA), complex passwords, and unique credentials.
• Leverage cyber threat intelligence to inform detection of R&DE threats and their associated TTPs and Indicators of Compromise (IOCs).
• Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site or cloud servers at least once per year—and ideally more frequently. 
• Develop a comprehensive incident response strategy.
• Configure email servers to block emails with malicious indicators and deploy authentication protocols to prevent spoofed emails.
• Deploy a holistic patch management system and ensure all business IT assets are updated with the latest software as quickly as possible. 
• Proactively monitor for compromised accounts being brokered in DDW forums. 
• Configure ongoing monitoring for Compromised Account Credentials.