Ransomware August 2024 round-up: fools, rules and tools

Despite constant success from international law enforcement, ransomware continues to thrive: it’s still the number one cybercrime threat facing organisations large and small. And that isn’t my opinion, but the finding from a trio of reports covering ransomware in August 2024.

The analysis also reveals a number of worrying statistics, which can best be summed up as “fools, rules and tools”.

Let’s start with the roundup of attacks by the numbers, shall we? According to NCC Group’s August Threat Pulse, ransomware cases were 14% higher than the previous month.

RansomHub threat actors were responsible for 16% of these attacks, while 80% of the ransomware attacks targeted organisations in North America and Europe.

August also saw the largest known ransom paid to date: an unnamed multinational is known to have paid the Dark Angels group an incredible $75 million.

“The increase in ransomware attack figures this month is demonstrative of the continuing volatility of the threat landscape,” said Matt Hull, Head of Threat Intelligence at NCC Group.

“Previous months have seen a slight reduction in attacks, in part due to the takedown of LockBit 3.0, but this month has shown that other actors are all too ready to take their place.”

Ransomware fools

This leads us nicely into the fools part of the headline, with apologies for using such a derogatory term for those who feel they have no choice but to pay a ransom to get their business back on track.

Cohesity’s Global Cyber Resilience Report 2024 revealed what many security professionals with boots on the ground already know: paying a ransom guarantees nothing. Despite 66% of those consulted saying they would not pay a ransom, and having a clear policy in place to prevent it, 59% had done precisely that.

But wait, it gets worse. Only 4% of respondents recovered all their data, and the value of the recovered data remains a lottery.

“Once again, we see a gap between expectation and reality in recovering from a cyberattack,” said James Blake, Global Head of Cyber Resiliency Strategy at Cohesity. He added that “paying a ransom rarely results in the recovery of all data”.

At which point I have to interject: in this context, fools does not mean idiotic, but rather those who have been fooled by the promises of threat actors during a highly stressful time for any business.

Ransomware rules

Rules are covered by Group-IB, which has completed an in-depth and technical dive into the emerging DragonForce ransomware group.

DragonForce was discovered in August and has been targeting companies in critical sectors, which is kind of ironic given that, according to the Group-IB security researchers, there are rules in place to prevent this. The affiliates responsible for initial access say that the following are restricted from attack: hospitals, critical infrastructure, non-profit organisations, CIS and former USSR countries.

Ransomware tools

The tools part is rolled up into both the Group-IB report and new research from SpyCloud. Group-IB found that DragonForce brought the Bring Your Own Vulnerable Driver (BYOVD) tactic to the ransomware party, installing vulnerable drivers onto compromised systems and then leveraging them to execute malicious code at the kernel level.

“DragonForce abuses digitally signed but vulnerable drivers by bringing them onto the systems and using them to terminate critical AV or EDR processes,” Group-IB said, “enabling them to operate undetected in the compromised environment.”
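The BYOVD pattern Group-IB describes leaves a recognisable trace in endpoint telemetry: a kernel driver load that matches a vulnerable-driver blocklist (or comes from somewhere a driver has no business living), followed shortly by the termination of a security product on the same host. The script below is an added example of that correlation, not code from the article or from Group-IB. The event shape is modelled on Sysmon driver-load and process-terminate records, and the hashes, host names, driver path and process names are all constructed placeholders; a real deployment would load a curated hash list such as Microsoft's vulnerable driver blocklist or the LOLDrivers project's.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed blocklist. These are PLACEHOLDER strings, not real driver hashes;
# a production detector would load a curated set such as Microsoft's vulnerable
# driver blocklist or the LOLDrivers project's hash list.
VULNERABLE_DRIVER_SHA256 = {"PLACEHOLDER_SHA256_0001", "PLACEHOLDER_SHA256_0002"}

# Security-product processes whose unexpected termination right after a
# suspicious driver load is the classic BYOVD signature. Names are illustrative.
PROTECTED_PROCESSES = {"MsMpEng.exe", "SentinelAgent.exe", "CSFalconService.exe"}

# Locations a legitimate kernel driver should not normally be loaded from.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\")


@dataclass
class Event:
    """One telemetry record, modelled on Sysmon driver-load (ID 6) and
    process-terminate (ID 5) events. Constructed for this example."""
    ts: datetime
    host: str
    kind: str             # "driver_load" or "process_terminate"
    detail: str           # driver image path, or terminated process image name
    sha256: str = ""      # driver hash (driver_load only)
    signed: bool = False  # valid Authenticode signature (driver_load only)


def suspicious_driver_reasons(ev):
    """Return why a driver-load event looks like BYOVD, or [] if it does not.
    A valid signature is deliberately NOT treated as exculpatory: the whole
    point of BYOVD is that the driver is signed and still exploitable."""
    reasons = []
    if ev.sha256 in VULNERABLE_DRIVER_SHA256:
        reasons.append("hash is on the vulnerable-driver blocklist")
    path = ev.detail.lower()
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        reasons.append("driver image loaded from a user-writable directory")
    return reasons


def detect_byovd(events, window=timedelta(minutes=5)):
    """Correlate suspicious driver loads with terminations of protected
    security processes on the same host inside `window`. A driver load with
    a following EDR/AV termination is reported as high severity; a suspicious
    load on its own as medium."""
    ordered = sorted(events, key=lambda e: e.ts)
    findings = []
    for idx, ev in enumerate(ordered):
        if ev.kind != "driver_load":
            continue
        reasons = suspicious_driver_reasons(ev)
        if not reasons:
            continue
        terminated = [
            later.detail
            for later in ordered[idx + 1:]
            if later.host == ev.host
            and later.kind == "process_terminate"
            and later.detail in PROTECTED_PROCESSES
            and later.ts - ev.ts <= window
        ]
        findings.append({
            "host": ev.host,
            "driver": ev.detail,
            "signed": ev.signed,
            "reasons": reasons,
            "terminated": terminated,
            "severity": "high" if terminated else "medium",
        })
    return findings


# Constructed sample telemetry (not real hosts, paths or hashes).
T0 = datetime(2024, 8, 20, 14, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "ws-017", "driver_load",
          r"C:\Windows\System32\drivers\ndis.sys", "PLACEHOLDER_SHA256_BENIGN", True),
    Event(T0 + timedelta(seconds=30), "ws-017", "driver_load",
          r"C:\Users\Public\Temp\vuln_placeholder.sys", "PLACEHOLDER_SHA256_0001", True),
    Event(T0 + timedelta(seconds=45), "ws-017", "process_terminate", "MsMpEng.exe"),
    Event(T0 + timedelta(seconds=50), "ws-017", "process_terminate", "notepad.exe"),
    Event(T0 + timedelta(minutes=2), "srv-03", "driver_load",
          r"C:\Windows\System32\drivers\tcpip.sys", "PLACEHOLDER_SHA256_BENIGN2", True),
]

if __name__ == "__main__":
    for finding in detect_byovd(SAMPLE_EVENTS):
        print(finding)
```

Running it on the sample flags the single load on ws-017 as high severity, because a protected process ended fifteen seconds later; the benign system drivers produce nothing. The two preventive controls that make this detection less necessary are the ones Group-IB's finding points at: enforce the vulnerable-driver blocklist (HVCI or WDAC) so the driver never loads, and run the security agents with anti-tamper protection so a rogue driver cannot simply kill them.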

Meanwhile, the latest SpyCloud ransomware defence report concludes that traditional tools and solutions like antivirus and two-factor authentication are not infallible. No brown stuff Sherlock, you may be thinking, but it’s worth repeating: 2FA bypass by way of session-cookie hijacking is the greatest emerging ransomware threat.

“With ransomware operators increasingly exploiting infostealer-exfiltrated data like session cookies, it’s become clear that traditional defenses are no longer enough,” said Damon Fleury, chief product officer at SpyCloud.

“In today’s ransomware-fueled climate, organisations need to shift to an identity-centric approach for malware remediation and ransomware prevention.”
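The reason a stolen session cookie walks straight past 2FA is that the second factor was checked once, at login, and the cookie is the proof of that check; anyone who replays it inherits the authenticated session. The tell, after the fact, is the same session identifier turning up from a different client than the one that established it. The script below is an added example of that check over application logs, not code from the article or from SpyCloud; the log format, session ids, user names and IP addresses are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample of web-application access-log lines (not real traffic).
# Format assumed for this example: ISO timestamp, session id, user, client IP,
# quoted user agent. Addresses are from the documentation ranges.
SAMPLE_LOG = """\
2024-08-21T09:14:02Z sid=s1 user=alice ip=203.0.113.10 ua="Chrome/127 Windows"
2024-08-21T09:20:45Z sid=s1 user=alice ip=203.0.113.10 ua="Chrome/127 Windows"
2024-08-21T09:22:10Z sid=s1 user=alice ip=198.51.100.77 ua="curl/8.4"
2024-08-21T09:30:00Z sid=s2 user=bob ip=203.0.113.55 ua="Firefox/129 macOS"
2024-08-21T09:31:12Z sid=s2 user=bob ip=203.0.113.56 ua="Firefox/129 macOS"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%dT%H:%M:%SZ")
        entries.append(entry)
    return entries


def find_session_reuse(entries):
    """Flag sessions whose later requests come from a different client than
    the one that established them. A new IP *and* a new user agent on an
    existing session is the strongest offline signal that the cookie was
    exfiltrated and replayed; a new IP alone is common on mobile networks
    and is reported only at low confidence."""
    first_seen = {}
    findings = []
    for e in sorted(entries, key=lambda x: x["ts"]):
        sid = e["sid"]
        origin = first_seen.setdefault(sid, e)
        if origin is e:
            continue
        ip_changed = e["ip"] != origin["ip"]
        ua_changed = e["ua"] != origin["ua"]
        if not (ip_changed or ua_changed):
            continue
        if ip_changed and ua_changed:
            confidence = "high"
        elif ua_changed:
            confidence = "medium"
        else:
            confidence = "low"
        findings.append({
            "sid": sid,
            "user": e["user"],
            "confidence": confidence,
            "origin": (origin["ip"], origin["ua"]),
            "now": (e["ip"], e["ua"]),
            "at": e["ts"],
        })
    return findings


def sessions_to_revoke(findings):
    """Identity-centric response: high-confidence replays get the session
    (and, in practice, every other session for that user) invalidated so the
    attacker must pass 2FA again, which the stolen cookie cannot do."""
    return {f["sid"] for f in findings if f["confidence"] == "high"}


if __name__ == "__main__":
    flagged = find_session_reuse(parse_log(SAMPLE_LOG))
    for f in flagged:
        print(f)
    print("revoke:", sessions_to_revoke(flagged))
```

On the sample, alice's session s1 is flagged at high confidence (a command-line client on a different network picked up a cookie issued to a browser) and queued for revocation, while bob's s2, which only hops to a neighbouring address, is reported at low confidence and left alone. The preventive counterpart is to make the cookie less valuable to steal in the first place: short session lifetimes, re-prompting for the second factor on sensitive actions, and binding the session to client properties at issuance rather than only inspecting logs afterwards.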

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.
