The CyberMaxx team of cyber researchers conduct routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q2’s research here.

Video Transcript

Intro

Hi everyone, I’m Connor Jackson, the security research manager at CyberMaxx.

Ransomware Quarterly Review

The number of ransomware and extortion attacks in the second quarter of 2024 continues to grow, up 37% from Q1 and sitting at 1755 attacks between the 1st of April and the end of June. – for context, that’s up from 1283 in the first quarter across all industries.

The top three groups combined accounted for almost 40% of all ransomware attacks this quarter, the full report provides an overview of each group, as two of the three are new to the stage.

Lockbit were surprisingly not the threat group with the highest volume this quarter, having fallen to second place; however they are the only group in the top three that produce their own unique ransomware strain, providing something the others do not.

The top performing group this quarter is Dispossessor, with 329 attacks. Followed by Lockbit with 215 and finally Ransomhub with 148 successful attacks.

Dispossessor

Dispossessor have very recently emerged onto the ransomware landscape and immediately made a name for themselves, beating out Lockbit in the process. However, following the Lockbit crackdown by law enforcement during Operation Cronos; Dispossessor emerged, mimicking Lockbits tradecraft, and offering RaaS with a large payment split.

It has been noted however that this group has allegedly not done the attacks themselves, but rather using data that other groups had originally exfiltrated.

Ransomhub

Allegedly, the ALPHV group following the attack on Change Healthcare failed to pay their affiliates and instead took down much of their infrastructure. Change paid the initial ransom of $22million, however the unpaid affiliates then worked with RansomHub and extorted Change a second. It is currently unknown if a second payment was made, however, the data that was previously listed has been taken down recently.

A copy of the second extortion note is available in this quarters report.

Lockbit

In spite of Operation Cronos that took place on February 19th, 2024 – Lockbit appear to still be maintaining operations. Several of their release pages and mirrors are also still live and being updated with new victims almost daily, however the majority of sites have been seized by law enforcement and have been updated to reflect this.

Lockbit later claimed to have exfiltrated 33TB of data related to the Federal Reserve, threatening to release the data in late June. Upon release, it appears that this claim was, in fact, false – with the data being related to an Arkanas-based bank instead.

Interestingly, the Federal Reserve have issued an enforcement action again the victim, citing deficiencies in “risk management” and “consumer compliance” as grounds for the action. The full action is available on the Federal Reserves Press release page

Wrapping up

The takeaway here is the prevalence of repeat extortions for data has increased. This tactic appears to be related to unpaid affiliates going after the victim organization to get their share rather than through the original threat actor, however this will lower confidence that the threat actor will actually purge the stolen data and will likely result in organizations not paying at all.

Understanding your organizations threat landscape, reducing your attack surface and ensuring patches are applied are all crucial steps to ensuring you do not fall victim to the increasing number of ransomware and data extortion attacks.

Download the full report