The ransomware landscape has experienced significant changes in the third quarter of 2024, as outlined by Dragos in their latest report. The emergence of 24 new ransomware groups has brought increased focus on industrial organizations, with these new actors targeting sectors such as healthcare, financial services, and industrial operations that have a low tolerance for downtime. By exploiting operationally critical IT systems, these groups have been able to put pressure on victims to make ransom payments, leveraging the critical nature of uninterrupted services.
Many of these new groups are rebrands of dismantled groups or of other groups, and the downfall of LockBit led affiliates to migrate to other operations such as RansomHub. RansomHub, whose website design language mirrors that of LockBit, has flourished with the help of key affiliates from dismantled RaaS operations. Dragos’ report highlights that RansomHub claimed over 300 victims globally in 2024, making it the most active ransomware group in the last quarter of the year, with 16% of all ransomware attacks attributed to the group.
Furthermore, ransomware operators have adopted new tactics often used by state-sponsored actors, including living-off-the-land techniques, remote access tool abuse, targeting virtual environments, and exploiting VPN vulnerabilities. This shift towards more sophisticated tactics is aimed at achieving their goals more effectively. In addition, hacktivist groups have integrated ransomware elements into their campaigns in a major tactical change. Groups like CyberVolk, Handala, and KillSec have used ransomware to amplify the disruption caused by their campaigns, blurring the lines between ideological activism and financially motivated cybercrime.
Of particular concern is CyberVolk, which launched its RaaS platform in June and its ransomware in July. This ransomware has been deployed in pro-Russian campaigns targeting critical infrastructure, combining encryption algorithms with advanced payload delivery mechanisms typically associated with financially motivated operations. Despite North America experiencing the highest percentage of ransomware attacks in 2024, with 304 incidents (approximately 55%), the Oceanic region, particularly Australia and New Zealand, has also been targeted, accounting for 2% of all ransomware incidents.
Overall, the evolving ransomware landscape in the third quarter of 2024 highlights the increasing sophistication and diversification of tactics employed by ransomware groups. Industrial organizations and critical infrastructure are being targeted, and even hacktivist groups are now using ransomware in their campaigns, underscoring the need for robust cybersecurity measures and heightened vigilance in the face of these evolving threats.