ESET, a prominent antimalware vendor, has identified RansomHub as the top ransomware group in the threat landscape. This declaration came after law enforcement successfully disrupted the notorious LockBit ransomware gang earlier this year. In their recently published “Threat Report H2 2024,” ESET outlined various ransomware trends, a notable increase in infostealers, and a rise in attackers targeting macOS devices. The report, based on data collected from June through November, shed light on new attack vectors, social engineering methods, and a shift in established ransomware groups following successful law enforcement operations.
One of the significant disruptions in the ransomware landscape was the operation against LockBit earlier this year. The joint effort, known as Operation Cronos, commenced in February and resulted in arrests, infrastructure seizures, and the exposure of one of the group’s leaders, Dmitry Yuryevich Khoroshev, also known as “LockBitSupp.”
Following the downfall of LockBit, ESET observed the emergence of the RansomHub gang as the new dominant force in the ransomware-as-a-service (RaaS) domain. The report highlighted RansomHub’s rapid ascension since July 2024, solidifying its position as the most active RaaS operation. This observation aligns with previous research from NCC Group, further emphasizing RansomHub’s rise to power.
According to ESET, RansomHub made its presence known in February, the same month as Operation Cronos. The group quickly established itself as one of the most active ransomware groups, targeting both Linux and Windows systems. By using “living off the land” techniques to evade detection, RansomHub has been effective in its attacks.
An analysis of RansomHub’s public data leak site revealed nearly 500 victims listed since February, including well-known entities such as Halliburton and Kawasaki Europe. The group also claimed responsibility for a disruptive attack against Oklahoma City Abstract and Title Co. in October, further solidifying its status as a formidable cyber threat.
While ESET researchers acknowledge the competitive nature of the RaaS landscape, they predict that RansomHub will continue to reign supreme well into 2025. RansomHub is believed to consist of former members of the LockBit and BlackCat ransomware groups, and its rapid expansion and growing victim count indicate its appeal to experienced cybercriminal affiliates.
In addition to RansomHub, the report highlighted the emergence of the Embargo ransomware group as a noteworthy competitor. ESET noted the group’s proficiency in developing malicious tools using Rust and its agility in modifying its tactics during active intrusions.
Despite an overall decrease in ransomware detections in the second half of 2024, ESET raised concerns about nation-state actors from North Korea, China, and Iran increasingly engaging in ransomware attacks. The report specifically mentioned the Iran-aligned Pioneer Kitten group, which acted as an initial access broker and collaborated with various ransomware groups, including RansomHub.
Furthermore, ESET identified a concerning trend of threat actors targeting macOS systems, noting a significant increase in password-stealing ware on the platform. The rise in cryptostealing activity on macOS, exemplified by the exploitation of zero-day vulnerabilities and the spread of malware like AMOS, highlights the growing threat to Mac systems.
In conclusion, ESET’s comprehensive report provides valuable insights into the evolving ransomware landscape, emphasizing the rise of RansomHub as a dominant player and the increased targeting of macOS devices by malicious actors. As cybersecurity threats continue to evolve, vigilance and proactive measures are crucial in mitigating the risks posed by ransomware and other forms of cyber attacks.

