Key Points
- In Q2 2024, ReliaQuest identified 1,237 organizations on ransomware data-leak sites, up 20% from Q1 2024. This quarter’s ransomware activity has been marked by month-on-month fluctuation. 43% of organizations named on data-leak sites were announced in May, followed by exceptionally low numbers in June. These figures mark a departure from previous growth rates and suggest that major disruptions to the ransomware-as-a-service ecosystem are affecting their numbers.
- Following a law enforcement operation targeting LockBit in February 2024 and the dissolution of ALPHV, newer groups like RansomHub, BlackSuit, and BlackBasta have attracted new affiliates and increased their activity. ReliaQuest expects a steady increase in ransomware activity from newer groups in the second half of 2024 as affiliates adjust to new operators.
- During Q2 2024, LockBit attempted to recover from a major law enforcement operation. Announcing 179 affected organizations in May alone, the group likely tried to regain notoriety and disprove law enforcement’s statements regarding the group’s takedown. We expect LockBit activity to significantly reduce in coming months as the group struggles to maintain trust among affiliates.
- The US and the manufacturing and professional, scientific, and technical services (PSTS) sectors remain the primary targets of ransomware groups. The increase in PSTS organizations targeted reflects increased targeting of technology companies in supply-chain attacks.
- In the coming quarter, we expect to see a steady increase in ransomware activity. However, the increased frequency of law enforcement operations targeting ransomware groups and the prevalence of free decryption keys may lead to an overall reduction in ransomware activity in the medium- to long-term.
- ReliaQuest predicts continued attacks resulting from supply-chain compromise and exposed credentials by ransomware groups in the coming quarter. It is crucial that organizations keep software up to date and implement digital risk protection (DRP) solutions to prevent initial access.
In Q2 2024, ReliaQuest identified 1,237 organizations posted to data-leak sites, marking a 20% increase from Q1 2024. While Q1 marked a significant downturn in ransomware activity caused by the dissolution of the “ALPHV” ransomware group and law enforcement’s takedown of the “LockBit” group’s data-leak site, ransomware activity in Q2 is still 13% lower than in Q2 2023. These activities, alongside only a 1% increase in affected organizations in H1 2024 compared with H1 of the previous year, suggest that the historical trend of rapid growth in ransomware activity has slowed. Numbers for each month within Q2 2024 fluctuated significantly, likely due to upheavals in the RaaS ecosystem that caused ransomware groups to compete for affiliates (independent contractors who compromise systems before handing them over to ransomware operators). We anticipate a more consistent rise in ransomware incidents in the second half of 2024 as affiliates resume normal operations, likely in collaboration with new operators.
In June 2024, we identified a rare single-extortion campaign, contrasting with the prevalent double- and triple- extortion methods observed previously. Around 165 customers of the cloud computing–based data cloud company Snowflake experienced data breaches due to exposed credentials that unknown threat actors offered for sale on cybercriminal forums as part of an extortion scheme. This incident underscored how the widespread use of information-stealing malware (infostealers) and the lack of multifactor authentication (MFA) can enable extortion without the data loss commonly linked to ransomware attacks.
Ransomware Activity in Q2 2024
Despite a 20% increase in organizations affected by ransomware in Q2 2024 compared with Q1 2024, the total count is a 13% decrease from the number recorded in the same quarter last year. Furthermore, the figures for April and June 2024 failed to reach the monthly average of 402 organizations posted to ransomware groups’ websites in 2023. This trend follows serious disruptions in the RaaS landscape. The notably high count of affected entities for May 2024 is a result of a spike in LockBit activity (accounting for 35.8% of the month’s targets) in reaction to law enforcement’s disruption of the group’s data-leak site in February 2024 as part of Operation Cronos. However, the number of organizations named on LockBit’s site dropped the following month, contributing to June 2024’s abnormally low count—the lowest since January, which is typically a slow month due to the holiday period.
Figure 1: Number of compromised organizations listed on data-leak sites, Q2 2024
Ransomware groups whose count increased this quarter—like “BlackSuit” or “RansomHub”—typically gained initial access by exploiting internet-facing applications like unpatched virtual private networks (VPNs), abusing vulnerabilities in Remote Desktop Protocol (RDP) tools, or conducting social engineering. We have observed forum users increasingly recommending these techniques, as shown in Figure 2. To thwart these methods, organizations should educate users on phishing techniques and prioritize patching VPNs and RDP tools. Threat actors’ abuse of legitimate tools highlights the need for allowlisting, endpoint visibility, and strong RDP policies.
Figure 2: Forum post recommending supply-chain attacks (aka watering hole attacks) and VPN brute-forcing
Targeted Geographies
As in previous quarters, Western countries like the US, UK, Canada, and Germany faced the highest risk of ransomware attacks, partly due to nationalistic motivations linked to geopolitical events or the common ransomware group ban on affiliates targeting former Soviet Union countries.
Figure 3: Ransomware targets by geography, Q2 2024
Financial motivations likely also play a role: The US is the leading market for cyber insurance due to strong government regulation and strict compliance requirements. As a result, US-based companies may be perceived by threat actors as more likely to afford ransom payments. This geographic preference is reflected in cybercriminal forum posts seeking affiliates. For instance, we observed a representative of the “Medusa” ransomware group on the prominent Russian-language cybercriminal forum XSS recruiting affiliates with network access to compromised organizations in the US, Canada, Australia, UK, Italy, and Germany (see Figure 4).
Figure 4: Medusa forum representative seeks network access to organizations based in named geographies
Targeted Sectors
In Q2 2024, the manufacturing sector’s lead over the professional, scientific, and technical services (PSTS) sector as the most targeted industry vertical narrowed to just 1%; although both were targeted more than in Q1 2024, the PSTS sector was targeted more heavily, closing the gap. Overall, the top five sectors remained consistent with previous quarters. Cybercriminals target the manufacturing and PSTS industries due to their high impact potential, which increases ransom demands and the likelihood of payment. In the manufacturing sector, the interdependence of IT and operational technology (OT) can cause significant productivity losses during an outage. The PSTS sector, which includes technology companies, is a particularly lucrative target base due to the potential for supply-chain compromise. When a technology vendor is compromised, all their customers could suffer targeted attacks. For instance, in April 2024, ReliaQuest observed multiple customers compromised by Medusa ransomware after threat actors exploited a vulnerability in the “XZ Utils” compression library. This demonstrates how a single compromise can impact multiple organizations.
Figure 5: Ransomware targets by sector, Q2 2024
Most Active Groups
The list of most active groups in Q2 2024 differs significantly from those of previous quarters. The crackdown on LockBit and the dissolution of ALPHV earlier this year spurred the emergence and growth of newer groups like RansomHub and BlackSuit. The “exit scam” that allegedly led to the dissolution of ALPHV induced affiliates to seek better conditions. RansomHub’s new payment model attracted many former ALPHV associates, who contributed to a 243% increase in organizations listed on RansomHub’s data-leak site in Q2 2024 compared with Q1. Blacksuit also saw an increased victim count after gaining new affiliates: from 17 in Q1 2024 to 51 in Q2 2024; we expect the group to continue to grow rapidly.
Black Basta fell from second to fourth place this quarter, but the drop does not correspond to a lower threat. In May 2024, Black Basta targeted several ReliaQuest customers with mass email spam, the first step in a social engineering campaign. These persistent social engineering attacks suggest Black Basta will continue to pose a high threat in the short-term future (within three months); the group may gain popularity as former ALPHV and LockBit affiliates seek new programs.
The threat from Medusa ransomware grew this quarter. The group named 68 organizations on its data-leak site this quarter, up 33% compared with Q1 2024. Additionally, in June 2024, ReliaQuest responded to the beginning of a Medusa ransomware attack that resulted in the encryption of various hosts in a customer environment. In this attack, Medusa relied on common TTPs, such as living-off-the-land (LoTL), PowerShell for credential dumping, and service installations for persistence.
The 79% drop in activity since Q2 2023 for BianLian, a China-based ransomware group that primarily targets North American entities, is likely due to the release of a decryptor in January 2023, which forced the group to change tactics. BianLian now primarily conducts extortion-only attacks, focusing on data exfiltration. ReliaQuest predicts the switch to single extortion, as observed during the June 2024 attacks on Snowflake customers, may begin partially replacing ransomware activity in the coming year as decryption keys become publicly available.
Figure 6: Most active ransomware groups, Q2 2024
Major Events in Q2 2024
LockBit’s Persisting Ransomware Amid Attempted Comeback
Figure 7: Organizations named on LockBit data-leak site since January 2024
While the February 19, 2024, law enforcement takedown of LockBit’s site led researchers to forecast a decline in LockBit’s activity, the group has shown remarkable resilience. By maintaining a comprehensive set of data backups, LockBit managed to continue operations. Q2 2024 saw a 3% increase in LockBit attacks compared with Q1 2024, with 179 organizations announced on LockBit’s data-leak site in May 2024 alone. Surges in named organizations, as seen on May 6, 2024, when the group posted details of 57 newly affected companies, may represent a last-ditch attempt to raise revenue from ongoing attacks before law enforcement permanently dismantles the group’s operations.
On June 23, 2024, LockBit announced the theft of 33TB of data from the US Federal Reserve. This sensationalist claim was likely an attempt to restore relevance, regain reputation among affiliates, and retaliate against US law enforcement’s attempts to take down the ransomware group. However, dark web forum users remarked that such “fake” claims will likely undermine affiliates’ willingness to collaborate.
Figure 8: RAMP forum users discuss LockBit 3.0’s supposed attack on the US Federal Reserve
Nevertheless, the LockBit 3.0 builder, a ransomware builder reportedly leaked by a disgruntled LockBit developer in September 2022, remains popular among threat actors. In June 2024, a new ransomware gang called “Brain Cipher” targeted the Indonesian National Data Center using a modified version of LockBit 3.0 ransomware containing minor changes to the encryptor, demanding an $8 million ransom and disrupting services of over 200 Indonesian government agencies. The continued use of the LockBit 3.0 variant means the group’s legacy will live on in future ransomware operations, regardless of the group’s ability to recover. Therefore, organizations should continue to monitor for indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) associated with LockBit 3.0 regardless of the ransomware group’s activity levels.
ReliaQuest offers customers GreyMatter detection rules to detect LockBit ransomware TTPs, in addition to automated containment and respond plays.
RansomHub Attracts New Affiliates
Figure 9: Organizations named on RansomHub data-leak site since February 2024
First observed in February 2024, RansomHub has listed 79 organizations on its data-leak site this quarter, primarily in the PSTS and manufacturing sectors. Most of its attacks have targeted US-based organizations, followed by those in Brazil and Spain. RansomHub’s focus on “high-value” targets indicates affiliates are engaging in “big game hunting.” It is possible to infer that the group is successfully attracting more seasoned cybercriminals who are capable of successfully conducting high-impact attacks. RansomHub positions its affiliate program as a progressive alternative to most ransomware groups, which typically pay their affiliates commission after receiving the ransom payment. RansomHub’s generous prepayment model allows affiliates to receive the ransom payment directly and then demands 10% commission. This novel approach has attracted experienced cybercriminals, including those affected by the shake-up of the RaaS ecosystem caused by the LockBit disruption and the ALPHV exit scam, in which the group failed to pay its affiliates their share of the Change Healthcare ransom. The timing of ALPHV’s disappearance and RansomHub’s emergence has led to speculation that RansomHub may be a rebrand of ALPHV—a common occurrence in the ransomware world.
Figure 10: RansomHub operator “koley” advertises the group’s affiliate program
Security researchers have also identified collaboration between RansomHub and the notorious hacking group “Scattered Spider”, based on known Scattered Spider tools, TTPs, and infrastructure found on compromised systems. This alliance has contributed to the 243% rise in organizations names on RansomHub’s data-leak site quarter-over-quarter. In addition, RansomHub’s payload closely resembles that of the “Knight” ransomware group, whose source code was sold on cybercriminal forums in February 2024 (possibly to RansomHub developers). Both payloads are written in Golang and C++, obfuscated with Gobfuscate, and include a Linux encryptor designed for VMware ESXi environments, in addition to existing Windows and Linux encryptors.
With new affiliates likely joining RansomHub, enhancing overall ransomware defense is crucial. Key strategies include rigorous phishing training, regular software updates, and a comprehensive data backup policy to reduce the risk of initial access and impact. While affiliates with experience in Scattered Spider campaigns will be highly adept at social engineering, RansomHub affiliates are also known to exploit vulnerabilities such as CVE-2020-1472, a vulnerability in Microsoft Netlogon. Network administrators should enforce appropriate patching and update policies for public-facing applications.
RansomHub affiliates are also known to use dual-use tools like Atera and Splashtop for remote access. In a recent RansomHub attack targeting a ReliaQuest customer, the threat actor used ngrok for RDP tunneling, installed Impacket, and used cURL for data exchange. We recommend blocking ngrok domains, restricting unwanted tools through application control, and setting EDR tools to prevent/block mode instead of detect-only mode.
We expect RansomHub activity to increase rapidly in Q3 and Q4 attacks by new affiliates are announced. We also anticipate other ransomware groups will match or attempt to improve on the employment conditions offered by RansomHub. ReliaQuest also offers customer detection rules and respond plays to detect and contain RansomHub attacks.
BlackSuit: Rising Contender
Figure 11: Organizations named on BlackSuit data-leak site since January 2024
First observed in May 2023, activity from the double-extortion ransomware group BlackSuit peaked this quarter, with a 194% increase in organizations named to its data-leak site compared with Q1 2024. This growth suggests that BlackSuit is attracting affiliates despite a lack of advertisements on ransomware-focused dark web forums. BlackSuit’s varied malware deployment methods and advanced encryption and system recovery processes indicate that the group’s operators are likely experienced and technically proficient. Like other ransomware gangs, the group primarily targets US-based companies in the manufacturing and PSTS sectors.
In April 2024, ReliaQuest detected Kerberoasting in a customer’s environment that marked the start of a BlackSuit ransomware attack, culminating in the encryption of critical systems and the exfiltration of sensitive data. Our analysis identified initial access via brute-forcing, lateral movement facilitated by tools like PsExec, and successful exfiltration through File Transfer Protocol (FTP). These techniques are not novel, and their continued success highlights the efficacy of the techniques and the difficulty of appropriate mitigation. In this case—although successfully remediated—correctly configuring the VPN, more complete endpoint visibility, and implementing automated response or containment plays could have prevented impact earlier in the attack chain.
ReliaQuest also offers detection rules and respond plays to detect and contain BlackSuit attacks.
2024 Ransomware Forecast
While Q2 2024 has seen an overall increase in ransomware activity—as we predicted in Q1—it has not kept pace with the growth rate we’ve seen in the last five years. Nevertheless, in the short term, we expect ransomware activity to rise steadily, returning to peak levels around Q4 of this year. Disruptions to the RaaS ecosystem have noticeably impacted activity and will likely continue to do so in the short term; for example, it’s likely that LockBit’s activity will continue to fall. We may see the emergence of more groups to compete with new, growing players like RansomHub and BlackSuit.
In the medium term (between three months and one year), we expect law enforcement operations and the availability of decryption keys to negatively impact ransomware activity. Following Operation Cronos, the FBI released 7,000 decryption keys for past LockBit victims to use to retrieve encrypted data files. As law enforcement and cybersecurity companies continue to target ransomware groups and release decryption tools, affiliates may face an increased risk of ransom non-payment. The impact of this approach has already been felt in BianLian’s shift toward extortion-only attacks. We may therefore see new extortion methods in response to law enforcement efforts to undermine current tactics.
Increased Use of Exposed Credentials for Initial Access
The targeting of exposed Snowflake accounts this quarter highlighted the significant risk that exposed credentials pose to organizations. ReliaQuest recently noted a 30% increase in cybercriminal forums’ marketplace listings for “stealer logs,” or data harvested by infostealers. Credentials obtained by infostealer malware, which covertly infiltrates systems and collects sensitive information, serve as an initial point of entry and can affect software ranging from authentication applications to cloud data services like Snowflake. We predict that, as the use of infostealers continues to grow, so will the use of exposed credentials in ransomware attacks. Given the widespread availability of stealer logs and the low barrier of entry for initial access, less experienced threat actors are more likely to gain access to larger organizations’ systems. We recommend enabling digital risk protection (DRP) services to detect asset exposure on dark web forums, as well as creating network policies or Group Policy Objects (GPOs) where applicable to disable users from saving passwords in their browsers.
Software Supply-Chain Compromise
As software supply-chain attacks increase, the attack surface exposed to ransomware also grows. Security researchers report that software supply-chain attacks have tripled since 2019. The ReliaQuest Threat Research team recently forecasted increased use of software-supply chain attacks by financially motivated threat actors. The data we collected for Q2 2024 noted a 35% increase in organizations in the PSTS sector being named on data-leak sites, which includes software vendors. As attacks on technology companies increase and exploits for vulnerabilities are revealed, ransomware affiliates are more likely to gain access to critical infrastructure. This trend highlights the importance of network segmentation and appropriate and timely patching. Software vendors are increasingly vulnerable to breaches due to the prevalence of open-source code repositories. For example, in late June 2024, it was revealed that the formerly legitimate Polyfill.io domain had been abused to serve malicious code. We predict that in the immediate to long-term future (beyond one year), ransomware attacks originating from supply-chain compromise will continue to rise alongside attacks on software vendors.
New RaaS Model
Figure 12: RansomHub operator “koley” shares updated affiliate program rules
RansomHub’s success this quarter can be attributed to its strategic marketing and competitive commission structure. By promoting its affiliate program as a progressive, low-risk alternative and offering a 10% commission, RansomHub stands out in a “candidate-driven” RaaS market where groups compete for affiliates.
This competition could drive other ransomware groups to increase their commission rates, potentially leading to a rise in “big game hunting” as affiliates seek higher ransom payments. Additionally, as groups vie for affiliates, they may lower entry barriers, a trend already visible in RansomHub’s recent rule change that no longer requires new affiliates to be vouched for by existing members. (See Figure 12 above.) This practice may lead to more ransomware attempts by less experienced threat actors.
What ReliaQuest Is Doing
The ReliaQuest Threat Research team has been analyzing emerging trends in ransomware TTPs for several years and continuously updates its detection rules accordingly. These detections, when deployed alongside respond plays, can reduce mean time to contain (MTTC) from several hours to a few minutes.
Recommendations and Best Practices
In addition to standard ransomware defense measures (e.g., maintaining rigorous backup policies, increasing endpoint visibility and detection, keeping all software up to date, monitoring external-facing assets, and using application controls), we recommend the following measures to protect your environment from the threats described in this report.
- Restrict PowerShell use: Use Group Policy Objects (GPOs) to restrict PowerShell use to only those users who need it for their role. This will prevent ransomware actors from abusing PowerShell to write malicious scripts that would otherwise go undetected by defense tools.
- Implement DRP solutions: Use services such as ReliaQuest GreyMatter Digital Risk Protection to detect exposed credentials on cybercriminal forums and thwart initial access by ransomware groups.
- Block JavaScript or Visual Basic Script (VBS) from launching downloaded executable content: Malware written in JavaScript or VBS often acts as a downloader to fetch and launch ransomware.
- Implement automated respond or containment plays: Automating responses to malicious activity significantly reduces MTTC and prevents ransomware groups from infiltrating an organization’s network further after gaining initial access.
- Block network relays for tunneling tools: Abusing legitimate remote tunneling tools allows threat actors to disguise themselves among legitimate activity, bypass network defenses, and exfiltrate data. Configure firewalls and forward proxies to block network relays for ngrok and Visual Script Code Tunnel, as these are tools which ransomware groups have abused this quarter, as well as to block outbound SSH traffic for network segments that do not need to make external SSH connections. For more information, see our Spotlight report on Protocol Tunneling.
- Block unwanted tools via application control: Software Restriction Policies (SRPs), a Group Policy–based feature in Active Directory, identify software and control its ability to run. This feature can be used to block certain applications from executing, thereby preventing threat actors from abusing legitimate tools.
- Set EDR to prevent mode: Set EDR tools to run in prevent/block mode instead of detect-only modes. The use of tunneling tools typically occurs after a system is compromised by malware. EDR technologies in block mode could prevent execution of common malware that provide initial access to ransomware affiliates.