RansomHub Surpasses LockBit as the Top Ransomware Group

Ransomware group RansomHub has gained the top spot in successful attacks, surpassing other notorious groups in the cybercrime landscape. Symantec’s latest threat intelligence report for the third quarter of 2024, titled “Ransomware: Threat Level Remains High in Third Quarter,” reveals the dominance of RansomHub in the ransomware scene.

According to Symantec’s analysis of leak sites, threat actors claimed a total of 1255 attacks in Q3, slightly lower than the previous quarter’s 1325 attacks. Despite this dip, Symantec highlights a concerning trend of increasing attacks across the overall threat landscape.

RansomHub, a relatively new player that only became active in February 2024, secured the top spot in Q3 with 191 victims posted on various leak sites. This marked a significant 155% increase from its previous quarter’s performance. Symantec attributes RansomHub’s rapid rise to its ability to recruit experienced affiliates for its ransomware-as-a-service operation, which reportedly offers more favorable terms than its competitors.

The rise of RansomHub has seemingly come at the expense of LockBit, a previous leader in successful ransomware attacks. LockBit, which had three times as many successful attacks as its closest competitor Qilin in the second quarter, experienced an 88% decrease in attacks in Q3, with only 188 data leak posts. Symantec highlights the impact of an international law enforcement operation targeting LockBit in February 2024, which affected its activity levels in the first quarter of the year.

Qilin, on the other hand, increased its victim count by 44% in Q3, an upward trend for the group.

Symantec also points out a discrepancy between publicly claimed attacks and actual ransomware activities investigated by its researchers. While LockBit and RansomHub claim a certain share of attacks, the investigated data reveals a different distribution. This suggests that not all victims of ransomware incidents end up on public leak sites, especially if they promptly pay the ransom demanded.

In terms of ransomware tools and techniques, Symantec disclosed the four most commonly observed methods used by ransomware actors in Q3. These include living off the land, bring your own vulnerable driver (BYOVD), remote desktop/admin access abuse, and data exfiltration for double extortion purposes.

The use of these tools and techniques highlights the evolving nature of ransomware attacks and the increasing sophistication of cybercriminals in their tactics.

Overall, the rise of RansomHub and the shifting landscape of successful ransomware attacks underscore the pressing need for enhanced cybersecurity measures and collaboration between law enforcement agencies and security vendors to combat the growing threat of ransomware.
