Ransomware groups have changed how they gain access to victim networks, shifting away from mass compromise events through vulnerability exploits to more targeted and reliable methods, as highlighted in Travelers’ latest Cyber Threat Report.
One of the key tactics identified in the report is the targeting of weak credentials on VPN and gateway accounts that lack multifactor authentication (MFA) protection. This shift in strategy started gaining traction in the second half of 2023 and became widespread among ransomware operators and initial access brokers (IABs) throughout 2024.
The report drew attention to a ransomware training playbook leaked by an IAB in the summer of 2023, which emphasized exploiting weak credentials rather than zero-day vulnerabilities. The manual recommended using tools to identify default usernames and common passwords to infiltrate networks.
Unlike in 2023, when mass ransomware exploits were often the result of vulnerabilities in common software products like MOVEit and GoAnywhere, there was no single vulnerability that led to widespread ransomware attacks in 2024. Instead, ransomware groups capitalized on weak credentials to target victims effectively.
Jason Rebholz, Vice President and Cyber Risk Officer at Travelers, highlighted the effectiveness of basic attack techniques for ransomware groups. He emphasized the importance of implementing security controls like MFA to make it harder for malicious actors to launch successful attacks.
Ransomware activity hit a quarterly record in Q4 2024, with 1663 new victims posted on leak sites. This marked a 32% increase from Q3 2024 and the highest level of ransomware activity observed in a single quarter by Travelers. November saw the highest number of victims posted on leak sites, followed by a decline in December.
Throughout 2024, a total of 5243 ransomware victims were posted on leak sites, representing a 15% increase from the previous year. The report also noted a 67% increase in new ransomware groups formed in 2024 compared to 2023, with 55 new groups identified.
The rise of new ransomware groups indicates a rapid expansion of smaller, more agile actors in the ransomware ecosystem following the disruption of major RaaS operators like LockBit and Clop by law enforcement. RansomHub emerged as the top player in Q4 2024, accounting for the highest number of attacks, followed by Akira and Play.
Overall, the report underscores the shift in ransomware groups’ tactics towards exploiting weak credentials and the increased activity of new ransomware groups. Businesses are urged to implement robust security measures like MFA to protect against these evolving threats.