The CyberMaxx team of cyber researchers conducts routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.
While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.
Review Q3’s research here.
Video Transcript
Intro
This is the Q3 Ransomware Report for 2024. I’m Connor Jackson, let’s get into it.
Ransomware Activity
The total number of observed ransomware and extortion attacks in Q3 2024 was 1720, compared to Q2’s volume at 1755 – this is a 2% deviation in total volume on one of the quarters with the highest numbers we’ve seen in the past 18 months.
These 1720 attacks were performed by 64 active groups – equating to roughly 27 attacks per group. Looking at the averages for each quarter we are seeing that this is staying steady in the 26-29 range for each quarter, but the total number of attacks is going up across the board. You’re probably asking yourself well… why is that?
The answer to that question is the number of attackers is increasing. Compared to 12 months ago in 2023’s Q3 there were 52 observed attack groups, and 6 months before that in Q1 that number was 33 – this number has almost doubled in 18 months.
Branching off from this, IBM have been tracking the average cost of a data breach since 2020 – which has risen from $3.6M to $4.8M in 4 years. Let me get this out of the way first, it’s hard to quantify this figure due to different industry regulations, size and maturity of the organization, etc. etc. I know – this is just a generic average of the sample group. But it is growing as well.
So what we’re seeing is an increase in attacks every day, the number of groups is increasing, and the cost of an attack is going up. This tells us that ransomware is a continuously growing industry. Grab the full report if you want to review the complete number and trends that we’ve observed.
Top Five
The top five groups this quarter start with RansomHub at number one with 247 attacks, LockBit and Play both with 92 in second place, Qilin in number 4 with 80 attacks and Meow with 78. These five groups accounted for 35% of all activity this quarter.
RansomHub are currently offering between an 80 and 90% profit split with affiliates, which may be what escalated them to the top this quarter. They have also been working with the unpaid AlphV affiliates from the Change Healthcare attack earlier this year, and have attempted to get a second payment from the victim. It is unknown at this time if Change paid the second extortion as well, however this display may have led to the group attracting customers with this show of force. Unpaid affiliates have been a growing issue among ransomware gangs lately.
Operation Cronos Update
On October 1st, law enforcement updated LockBit’s original release page on the dark web with a countdown for posts titled “Lockbit linked UK arrests”, and “Arrest of a major Lockbit actor”.
Once the countdown had completed the posts were updated to inform readers that several major arrests had been made across Europe. In the UK, two individuals were arrested in August related to money laundering operations, in Spain the owner of the bullet-proof hosting provider used for LockBit’s infrastructure was arrested at an airport in Madrid, and French authorities arrested a suspected LockBit developer while on vacation outside of Russia.
The major affiliate was named and added to justice.gov, and is wanted for their alleged involvement in ransomware attacks and money laundering activities.
Conclusion
This quarter saw no drop in the volume of activity, another increase in the number of threat actor groups, updates to law enforcement’s takedown of LockBit, and a timeline of government agencies banning software made by Kaspersky. Full details are available in the full report.