The CyberMaxx team of cyber researchers conducts routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q4’s research here.

Video Transcript

Intro

This is the ransomware report for Q4 2024. I’m Connor Jackson, Security Research Manager at CyberMaxx. Let’s get into it.

Ransomware

Ransomware and data extortion attacks continue to rise month over month. This quarter saw the highest spike in attacks that we have observed on record. Q4 had 4,568 successful attacks, which means that the final 90 days of 2024 saw almost as many attacks as all of 2023, at 95% of its volume.

For comparison, this same timeframe in 2023 (October 1st to December 31st) had 1,218 attacks, making this a 275% increase over the same 90-day timeframe 12 months earlier.
2024 finished the year with 7,041 attacks – the highest on record.
The highest number of successful attacks occurred in November, with the highest spike on November 18th. Leading up to this date we observed five CVEs being actively exploited in the wild, which may have contributed to this figure. The full details are in the downloadable report.

Another notable spike was on December 24th, when 80 successful attacks were witnessed. Threat actors know that security teams are finishing up for the year, taking unused PTO, and generally being slower to respond than other times in the year, and they capitalize on this, giving them an improved success rate of actions on objectives.
The most prominent group of the year was RansomHub with 612 attacks, followed by LockBit with 538, despite the continued takedowns. RansomHub offers a 90% split with affiliates, making its ransomware-as-a-service platform attractive for groups to work with.

Cloud

Threat actors continue to follow the industry adoption of cloud. We observed a 39% increase in attacks against cloud infrastructure over 2023, making this a growing initial access vector. Attacks mainly targeted identity management and exploited misconfigurations in cloud infrastructure.

Notable Events

Other notable events this year include the CrowdStrike outage, the Operation Cronos takedown of LockBit, OpenAI's report on how threat actors are using ChatGPT, and the proposal of the Health Infrastructure Security and Accountability Act in the US. Several of these are detailed in this quarter's report.

Conclusion

2024 has been both the year with the most attacks overall and the year with the largest number of attacks in one quarter, rivalling previous years in just 90 days. The spike in November can be attributed to several zero-days that were exploited in the wild, showing the need for a responsive patching process to avoid exploitation by opportunistic threat actors.

Attackers continue to follow the industry into the cloud, making this a common attack vector. Q4 saw a total of 66 active groups, 2 more than Q3's 64 and 20 more than Q4 of 2023. A growing number of attacks combined with an increased number of groups typically indicates increased rates of successful exploitation. IBM's "Cost of a Data Breach" report shows that the average cost is now US$4.8 million, making successful attacks both more common and more expensive than in previous years.

Download the full report