Ransomware trends: what’s on the increase and what’s going down

The Kroll Cyber Threat Intelligence team report for the first quarter of the year, Cyber Threat Landscape – Insider Threat & Phishing Evolve Under AI Auspices, went live today. Among the findings: repeated CEO voice cloning attacks are on the up, as are intentional insider threats.

“From familiar security foes such as malware to the evolution of newer ones, like deepfakes, trends observed throughout the first quarter of 2024 prove diverse cyber threats are now very much the norm rather than the exception,” said Laurie Iacono, North American Threat Intel Lead in Kroll’s Cyber Risk Business.

Still very much the norm, despite a number of high-profile law enforcement ‘disruptions’ of leading cybercrime groups, is ransomware. Those disruptions have had some effect, with Kroll finding that LockBit attacks were down 15% in quarter one while the lesser-known Akira group took the lead, accounting for 27% of cases seen by the Kroll Cyber Threat Intelligence team.


LockBit attacks slow

The latest NCC Threat Pulse report, also published this week, confirms the downward spiral for LockBit, with fewer than half as many observed attacks in April as in March. It certainly looks like LockBit, at least as we know it, is coming to an end.

However, the NCC intelligence team have a different group rising to the top in the shape of Play. Using the now-standard double extortion tactics of data exfiltration and system encryption, Play accounted for 14% of attacks – which was enough for it to become a significant ransomware player, if you’ll pardon the pun.

As is often the way with these things, NCC note that the Hunters group moved up into second place on this table of shame by taking over the infrastructure and malware source code from the now defunct Hive group.

Everything and nothing changes

What all of this means is that everything and nothing changes. The names may be different, but the threat remains the same. And so does the mitigation.

“Despite the successful takedowns of major groups like LockBit, now is not the time to slow down efforts to protect against cyber threats,” said Matt Hull, Global Head of Threat Intelligence at NCC Group, “the continuous rise of new and equally menacing threat actors, alongside constant development of AI and emerging technologies, poses a unique risk to society that we must collaborate globally to mitigate.”

If proof of the everything and nothing mantra were needed, look no further than yet another new bit of research released this week: the Arctic Wolf Labs 2024 Trends Report found that 86% of successful ransomware attacks included data exfiltration.

It’s long been the case that data backups are no longer enough to mitigate ransomware attacks, with data publication or sale being the key leverage when it comes to ransom demands. Network separation, data encryption at rest and basic security hygiene now matter more than ever.

“While we are encouraged by the increased adoption of cyber insurance and incident response readiness programs, it is clear that there is still work to be done to overcome perennial challenges for cybersecurity leaders,” said Ian McShane, Vice President, Managed Detection and Response (MDR), Arctic Wolf. He added that this includes “the increased financial and productivity losses due to ransomware”.

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.
