
Ransomware Organizations Opt for Repeated Access Strategies Instead of Multiple Vulnerability Attacks

Ransomware gangs are increasingly exploiting vulnerable passwords on VPN and gateway systems as a means of gaining initial access, signifying a shift in tactics from previous years.

Reoccurring Access Preferred by Ransomware Groups Over Regular Vulnerability Exploits

Ransomware activity saw a significant increase in the fourth quarter of 2024, with a record number of attacks and victims posted on leak sites. According to the latest Cyber Threat Report from insurance firm Travelers, this surge in activity was driven by a shift towards "reliable and repeatable" methods used by ransomware groups to gain access to victim networks.

The activity began to take hold in the second half of 2023 and spread widely among ransomware operators and initial access brokers (IABs) throughout 2024. Notably, RansomHub accounted for the highest number of attacks in Q4 2024 at 238, making up 14% of the total. Akira and Play were responsible for 133 and 95 attacks, respectively, in Q4 2024.

However, no single vulnerability led to mass ransomware exploitation in 2024. Instead, ransomware actors deployed tools that look for default usernames such as "admin" or "test" and try combinations of common passwords against them to uncover weak credentials to target.

This shift towards targeting weak credentials was highlighted in a ransomware training playbook written by an IAB that was leaked in the summer of 2023. The playbook emphasised the importance of targeting VPN and gateway accounts that are not protected by multifactor authentication (MFA).
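To show the defender's view of the pattern described above (one source cycling through default and common usernames against a VPN or gateway login), here is an added example that is not from the Travelers report or the article; the log format, field names and sample lines are constructed for this example.

```python
"""Flag password-spraying against a VPN/gateway login from auth logs.

Added example, not from the Travelers report. Detects one source trying
many default/common usernames in a short window and reports whether a
login later succeeded from that source. Log format is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO time> <src_ip> <username> <result>"
SAMPLE_LOG = """\
2024-11-03T02:14:01Z 198.51.100.7 admin FAIL
2024-11-03T02:14:03Z 198.51.100.7 test FAIL
2024-11-03T02:14:05Z 198.51.100.7 administrator FAIL
2024-11-03T02:14:08Z 198.51.100.7 guest FAIL
2024-11-03T02:14:11Z 198.51.100.7 vpn FAIL
2024-11-03T02:14:15Z 198.51.100.7 jdoe SUCCESS
2024-11-03T02:20:00Z 203.0.113.9 mlee FAIL
2024-11-03T02:20:30Z 203.0.113.9 mlee SUCCESS
"""

# Account names commonly present by default on appliances (illustrative list)
DEFAULT_ACCOUNTS = {"admin", "administrator", "test", "guest", "root", "vpn"}

def parse(log_text):
    """Yield (timestamp, src_ip, user, result) from the constructed format."""
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result

def detect_spray(log_text, window=timedelta(minutes=10), min_users=4):
    """Return {src_ip: finding} for sources whose failures within `window`
    span at least `min_users` distinct usernames. A SUCCESS from the same
    source after the spray started is reported as a probable weak credential."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse(log_text):
        by_ip[ip].append((ts, user, result))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        fails = [(ts, u) for ts, u, r in events if r == "FAIL"]
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= min_users:
                hits = sorted(u for ts, u, r in events
                              if r == "SUCCESS" and ts >= start)
                findings[ip] = {"users_tried": len(users),
                                "default_accounts": sorted(users & DEFAULT_ACCOUNTS),
                                "success_after_spray": hits}
                break  # one finding per source is enough
    return findings

if __name__ == "__main__":
    for ip, finding in detect_spray(SAMPLE_LOG).items():
        print(ip, finding)
```

A single user failing once and then succeeding (the second source in the sample) is not flagged, so the rule keys on username breadth per source rather than on raw failure counts.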

The rapid proliferation of smaller, more agile actors in the ransomware ecosystem followed the disruption of leading ransomware-as-a-service (RaaS) operators such as LockBit and Clop by law enforcement. Despite the disruption of these leading groups, ransomware remains a significant threat, and one-third of victims suffered repeat attacks.


The report recorded a 67% increase in new ransomware groups formed in 2024 compared to 2023, with 55 new groups observed last year. The pattern of increased activity in the early holiday season, followed by a later decrease going into the new year, aligns with historical trends. November saw the highest number of ransomware leak site victims of the quarter, at 629, while there was a relative decline to 516 in December.

In light of these findings, Jason Rebholz, Vice President and Cyber Risk Officer at Travelers, emphasised the importance of businesses implementing proven security controls, such as MFA, to make it more challenging for malicious actors to carry out an attack on their organization. Rebholz stated that basic attack techniques are still highly effective for ransomware groups and that businesses must take steps to protect themselves from these threats.

In 2023, a significant portion of ransomware leak site activity was attributed to exploits in common software products such as MOVEit and GoAnywhere file transfer software. However, in 2024, the focus shifted away from discovering the next zero-day vulnerability and towards deploying tools to uncover weak credentials to target.

Overall, the report highlights the importance of businesses taking steps to protect themselves from ransomware attacks, particularly by implementing security controls such as MFA to protect against attacks on weak credentials. As ransomware activity continues to evolve, it is crucial for businesses to stay vigilant and take proactive measures to protect their networks and data.
