Blogs & Opinions 28.11.2024

The Shifting Sands of Ransomware in 2024: Who’s Who and What’s New?

Amid the shifting ransomware ecosystem, two new groups are worth noting.

In the wake of significant law enforcement takedowns, 31 new ransomware groups have emerged. Don Smith looks at what (and who) is new on the ransomware scene.

Over the past 12 months, significant and sustained law enforcement activity has targeted some of the biggest names in ransomware. Household names LockBit and BlackCat, as well as a whole series of botnets, were famously taken offline.

The impact of this action was clearly visible in Secureworks’ annual State of the Threat Report. Affiliates reliant on these ransomware groups and their models had to find a new home and new tools to carry out their criminal activities. As a result, an influx of new ransomware groups has been vying to establish itself, employing a shifting variety of tools and techniques, with mixed success and some added entropy in the landscape.

Who’s who and what’s new?

In the wake of these significant law enforcement takedowns, 31 new ransomware groups emerged – an increase of 30%. However, this hasn’t translated to an equivalent rise in victim numbers on leak sites. To me, this indicates the fragmentation of an ecosystem that a few established groups have dominated for some time.

Amid this shifting ecosystem, two groups in particular are worth noting. PLAY has doubled its victim count year over year and is currently on track to become the most active group overall in 2024. RansomHub, a group that emerged only a week after the LockBit takedown, quickly rose to become the third most active group by mid-2024.


As the new groups seek to establish themselves, there is less repeatability and structure in how they operate. Tactics and modes of operation are less predictable, so organisations must be alert to a wider variety of playbooks and to more entropy in the kill chain: the intrusion steps that followed reliably from a known affiliate’s initial access can no longer be assumed.

One area where this is most visible is the median dwell time for attacks. Last year, we tracked median dwell times of under 24 hours. This reflected the dominant “smash and grab” approach, a shift from lengthier exfiltrate and encrypt tactics that had previously been more common. In this year’s report, the median dwell time rose marginally to 28 hours, reflecting the change and diversity of tactics.

The growth of Adversary-in-the-Middle attacks

While exploitation of known vulnerabilities and abuse of stolen credentials remain the primary threats to organisations, Adversary-in-the-Middle (AiTM) attacks have significantly increased. In the past year, threat actors have increasingly been stealing credentials and session cookies to gain access. This is notable for network defenders because an AiTM phishing kit proxies the victim’s real login, relaying the one-time code or push approval in real time and capturing the authenticated session cookie that the identity provider issues. The attacker then replays that cookie without ever facing an MFA prompt, which is why this potentially reduces the effectiveness of some types of multi-factor authentication (codes and push approvals, as opposed to origin-bound factors such as FIDO2/WebAuthn, which the proxy cannot complete). Phishing kits are available for hire in underground marketplaces, and Telegram is used to coordinate these attacks and automate delivery of the harvested credentials and cookies to the operator.
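Because the MFA step in an AiTM attack is genuinely completed by the victim, the sign-in itself looks clean; the detectable signal is the same session turning up from a different network and client shortly after authentication. The following is an added example written for this article (not Secureworks’ code or any product’s detection logic) that runs that check over a constructed, pipe-delimited export of identity-provider events. The log format, field names and IP addresses are assumptions chosen for illustration.

```python
"""Flag session-cookie replay after an MFA-completed sign-in (AiTM pattern).

Added example: the log format below is hypothetical. Real identity providers
expose equivalent fields (session/correlation id, client IP, user agent,
MFA result) under different names.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class SignInEvent:
    ts: datetime
    user: str
    session_id: str
    ip: str
    user_agent: str
    event: str  # "mfa_success" (authentication completed) or "activity"


def parse_line(line: str) -> SignInEvent:
    """Parse one hypothetical record: ts|user|session|ip|user_agent|event."""
    ts, user, sid, ip, ua, ev = line.strip().split("|")
    return SignInEvent(datetime.fromisoformat(ts), user, sid, ip, ua, ev)


# Constructed sample data (RFC 5737 documentation addresses).
# Session S1: alice signs in with MFA from her own machine, then the same
# session appears 40 minutes later from another IP and browser: replay.
# Sessions S2/S3: bob works normally, then starts a fresh MFA-backed session
# from a new address, which is legitimate roaming, not replay.
SAMPLE_LOGS = """\
2024-11-28T09:00:00|alice|S1|203.0.113.10|Chrome/Windows|mfa_success
2024-11-28T09:05:00|alice|S1|203.0.113.10|Chrome/Windows|activity
2024-11-28T09:40:00|alice|S1|198.51.100.77|Firefox/Linux|activity
2024-11-28T10:00:00|bob|S2|192.0.2.20|Safari/macOS|mfa_success
2024-11-28T10:30:00|bob|S2|192.0.2.20|Safari/macOS|activity
2024-11-28T11:00:00|bob|S3|192.0.2.55|Safari/macOS|mfa_success
2024-11-28T11:10:00|bob|S3|192.0.2.55|Safari/macOS|activity
2024-11-28T11:20:00|carol|S9|192.0.2.99|Edge/Windows|activity
""".strip().splitlines()


def detect_session_replay(events: Iterable[SignInEvent],
                          window: timedelta = timedelta(hours=12)) -> list:
    """Return alerts for sessions used from a different IP than the one that
    completed MFA, within `window` of that authentication.

    A user-agent change on top of the IP change is recorded because an
    attacker replaying a stolen cookie normally does so from their own
    browser, whereas a mobile user changing networks keeps the same client.
    """
    baseline = {}  # session_id -> the event that completed MFA
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.event == "mfa_success":
            baseline[e.session_id] = e
            continue
        origin = baseline.get(e.session_id)
        if origin is None:
            continue  # no MFA event seen for this session; out of scope here
        if e.ts - origin.ts > window:
            continue
        if e.ip != origin.ip:
            alerts.append({
                "session_id": e.session_id,
                "user": e.user,
                "mfa_ip": origin.ip,
                "replay_ip": e.ip,
                "user_agent_changed": e.user_agent != origin.user_agent,
                "minutes_after_mfa": (e.ts - origin.ts).total_seconds() / 60,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(parse_line(l) for l in SAMPLE_LOGS):
        print(alert)
```

Only S1 is flagged: the replay comes from a new address and a new browser 40 minutes after alice completed MFA. Bob’s second session is not, because a fresh MFA-backed sign-in from a new address is what roaming looks like. In production this check belongs alongside ASN and geolocation enrichment, and the durable fix is the one the paragraph above implies: move high-value accounts to origin-bound factors that an AiTM proxy cannot relay.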

AI as a threat tool – hype or here?

As AI tools have become widespread and readily available, it was inevitable that cyber criminals would look to use them to gain traction and scale quickly. Since the hype around generative AI hit the mainstream, Secureworks Counter Threat Unit researchers have observed increased posts on underground forums about OpenAI ChatGPT and how to employ the new technology for nefarious purposes.


While much of the discussion relates to relatively low-level activity, including phishing attacks and basic script creation, there have been some more significant incidents where AI has been employed.

Secureworks researchers observed a novel example of how threat actors use AI: its role in a fraud perpetrated by so-called obituary pirates. Threat actors monitored Google Trends following a death to identify interest in obituaries. They then used generative AI to create lengthy tributes on sites pushed to the top of Google search results by SEO poisoning. Visitors were then directed to other sites pushing adware or potentially unwanted programmes.

Staying secure

The ransomware ecosystem will continue to shift, as it always has. But never before has law enforcement played such a crucial role in disrupting established groups and bringing individuals who seemed previously untouchable to justice.

For organisations, building a great cybersecurity posture means understanding and responding to the changing nature of the threat landscape. As things evolve, priorities remain the same – basic security hygiene should always be at the forefront of people’s minds. Regular patching, hardening of identity domains, and thorough security training are enduring business imperatives.

Don Smith leads the CTU Threat Research group at Secureworks: a global team of experienced threat analysts who, through the application of established intelligence practices, deliver actionable and timely intelligence products on the threats most relevant to Secureworks clients. Don is the industry co-chair of the Strategic Cyber Industry Group in the National Cybercrime Unit at the UK National Crime Agency and a member of the UK National Cyber Advisory Board.
