Ransomware tactics 2024: why you need to protect yourself differently

For more than a decade, ransomware has been an ever-present threat to organisations’ security and the privacy of their customers and business partners.

I’m not talking about the earliest attacks against individuals, but rather when things got serious with the Zeus banking malware and associated CryptoLocker ransomware in 2013.

This was when the ransomware map started to be drawn with 2,048-bit RSA key pairs used for encryption. That map continued to change into the 2020s with the adoption of data-leak sites to leverage the extortion on two fronts: encrypted systems and stolen data. Now the map has evolved again, here’s what you need to know.

RansomHub marks shift in ransomware tactics

A newly published report from threat intelligence outfit Searchlight Cyber reveals that the pace of change has been primarily driven by successful law enforcement operations. These culminated in the destruction of BlackCat, one of the most prominent ransomware groups to date.

Ransomware-as-a-Service is now the dominant fixture on the threat landscape as far as these extortionist threat actors are concerned. And the newest and most successful such operator appears to be RansomHub.

The group’s rapid rise is most likely down to its attracting experienced players from gangs such as BlackCat/ALPHV and LockBit, both of which had themselves been on the receiving end of law enforcement attention, which is no small irony.

Searchlight Cyber warns that other groups have also emerged from these disruptions, with APT73 and DarkVault expected to become significant threats in the near future.

Luke Donovan, Head of Threat Intelligence at Searchlight Cyber, said: “As we’ve seen in the first half of 2024, the ransomware landscape is not just expanding, it’s fragmenting. With over 70 active ransomware groups now in operation, the ransomware landscape is becoming more complex for cybersecurity professionals to navigate.”

This makes it, Donovan concluded, all the more important for organisations to continuously monitor the ransomware ecosystem, identify the groups that pose the most significant risk to them, and use threat intelligence to inform their defensive strategies.

BlackFog rising

Another new ransomware report, this time from BlackFog, zooms into the map for the month of August. A month that “witnessed the third highest number of attacks for the year with 63 publicly disclosed attacks, already surpassing the total number of attacks in 2020, 2021 and 2022,” said BlackFog CEO Darren Williams.

Maybe even more worrying is that August saw the second-highest number of undisclosed attacks of the year, with 464. This gives us a ratio of 737% undisclosed to disclosed attacks.

But the biggest all-round increase award goes to Healthcare, which saw a 20% rise in verified attacks. Evidence that the new breed of attackers really don’t care who they attack anymore; the most vulnerable people are firmly in the crosshairs.

The public-sector targets also appear to demand a different approach from cybercriminals in that they are less interested in stolen data and more in disruption at the core.

Following an August attack against the French Réunion des Musées Nationaux by a gang called Brain Cipher, which claimed it stole 300GB of data, Rebecca Moody, Head of Data Research at Comparitech, warned that “ultimately, attacks on the public sector are done to carry out maximum disruption through encrypted systems and downtime”.

This can be seen by the lower numbers of records affected in these types of attacks when compared to other industries. “This would suggest,” Moody concludes, “[that] hackers aren’t necessarily going after data but are focusing on crippling key systems instead.”

Final ransomware twist

And finally, there’s another new twist in attack methodology, seen in attacks carried out by the Qilin ransomware group: a custom stealer that harvests account credentials stored on endpoints by the Google Chrome web browser.

“Beyond the ransomware tactics, this would give the attackers broad access to any application where credentials have been stored,” said Glenn Chisholm, Chief Product Officer at Obsidian Security.

To mitigate this type of risk, Chisholm recommends ensuring that all SaaS applications are served by an identity provider and that local logins are prevented.

“Organisations can also ensure the use of password managers and prevent the storage of credentials in the browser,” Chisholm concludes. “Moving to phishless MFA methods like passkeys or hardware tokens can prevent the risk of session token theft via infostealers.”
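The policy controls Chisholm describes reduce what a browser credential stealer can find; the complementary detection is to notice when something other than the browser opens the browser’s credential store at all. The following is an added example written for this article, not code from the article, Obsidian Security or any vendor named here. It runs a simple rule over constructed endpoint file-access telemetry (the event lines, host names and field names `host`, `user`, `image` and `target` are all assumptions modelled on EDR/Sysmon-style records) and flags reads of Chrome’s saved-login database, the `Login Data` SQLite file under the profile directory, by any process that is not the installed Chrome binary. Checking the full path rather than just the file name matters: a dropped binary that happens to be called `chrome.exe` is not the browser.

```python
"""Flag non-browser processes reading Chrome's stored-credential database.

Added example for this article. Telemetry below is constructed; field names are
assumptions about what an endpoint agent would emit for a file-access event.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List

# Chrome stores saved logins in an SQLite file named "Login Data" inside each
# profile directory under "User Data" (profile folder names vary: Default,
# Profile 1, ...). "Login Data For Account" holds logins for a signed-in account.
CHROME_LOGIN_DB = re.compile(
    r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data(?: For Account)?$",
    re.IGNORECASE,
)

# The only processes expected to open that file: the installed browser itself.
# Compared case-insensitively against the full image path, not the basename.
EXPECTED_READERS = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\google\chrome\application\chrome.exe",
}

# Constructed sample telemetry: one JSON event per line, plus one malformed line
# to show that parse failures are skipped rather than crashing the rule.
SAMPLE_EVENTS = r"""
{"host": "ws01", "user": "alice", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"host": "ws01", "user": "alice", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"host": "ws02", "user": "bob", "image": "C:\\Users\\bob\\Downloads\\chrome.exe", "target": "C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\Login Data"}
{"host": "ws02", "user": "bob", "image": "C:\\Windows\\System32\\notepad.exe", "target": "C:\\Users\\bob\\Documents\\notes.txt"}
not valid json at all
"""


@dataclass
class Finding:
    host: str
    user: str
    image: str
    target: str
    reason: str


def classify_reader(image: str) -> str:
    """Return '' if the process is the installed browser, else a reason string."""
    image_lc = image.lower()
    if image_lc in EXPECTED_READERS:
        return ""
    # Same file name as the browser but running from somewhere else.
    if image_lc.rsplit("\\", 1)[-1] == "chrome.exe":
        return "masquerading browser path"
    return "unexpected process"


def detect(lines: Iterable[str]) -> List[Finding]:
    """Run the rule over raw telemetry lines and return findings in input order."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped, not fatal
        target = event.get("target", "")
        if not CHROME_LOGIN_DB.search(target):
            continue  # not the credential store; out of scope for this rule
        reason = classify_reader(event.get("image", ""))
        if reason:
            findings.append(
                Finding(event.get("host", "?"), event.get("user", "?"),
                        event["image"], target, reason)
            )
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS.splitlines()):
        print(f"{f.host} {f.user}: {f.image} read {f.target} ({f.reason})")
```

Running it against the constructed sample prints two findings: the temp-folder `updater.exe` and the `chrome.exe` launched from a Downloads folder; the genuine browser read and the unrelated notepad event produce nothing. In production the allowlist would be populated from your software inventory (and ideally backed by a code-signing check), and Edge, Firefox and other browsers would get their own store paths and expected readers.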


Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.
