Ransomware Update: The State of Ransomware Attacks in 2024
In the evolving landscape of cybersecurity, ransomware remains one of the most formidable threats to organizations worldwide. Data from the BlackBerry Cybersecurity Services team reveals that ransomware response is one of the most frequent reasons organizations reach out to them for incident response help.
And the BlackBerry Threat Research and Intelligence Team says ransomware attacks have not only increased in frequency but also in sophistication. This year, they have witnessed an array of high-profile ransomware incidents that underscore the growing menace these cyberthreats pose.
This blog will explore the current state of ransomware attacks, their impact on various sectors — particularly healthcare — and look at today’s key ransomware players.
The State of Ransomware Threats Right Now
According to our latest BlackBerry Global Threat Intelligence Report, ransomware is a universal cyberattack tool. Cybercriminals and organized syndicates alike use it to target victims in all industries around the globe. Most of these groups are financially motivated; they quickly adapt new tactics and techniques to evade traditional cybersecurity defenses and will rapidly exploit any new security vulnerabilities.
“Healthcare has a ransomware target on its back, and this is one of the concerning trends we’re tracking,” said Threat Researcher Claudia Preciado. “There is a higher likelihood that healthcare organizations will pay the ransom because there are detrimental consequences if they were to get attacked with ransomware.” An attack can disrupt healthcare services that doctors are providing to their patients, impact pharmacies and drug dispensaries and cause ambulances to be re-routed. “Time is of the essence in these scenarios.”
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) revealed earlier this year how serious the threat landscape has become in healthcare: “Ransomware and hacking are the primary cyber-threats in healthcare. Over the past five years, there has been a 256 percent increase in large breaches reported to OCR involving hacking and a 264 percent increase in ransomware. The large breaches reported in 2023 affected over 134 million individuals, a 141 percent increase from 2022.”
Just as industries are impacted by cybersecurity threats, individual companies also battle cyberattacks, especially ransomware, as they increasingly rely on digital infrastructure for finance, communications, sales, procurement and other business operations. Every type of organization, from start-ups to multinational conglomerates, is susceptible to ransomware.
Most Active Ransomware Groups
From January through March 2024, BlackBerry cybersecurity solutions prevented over three million cyberattacks, equating to an average of more than 37,000 cyberattacks a day. BlackBerry threat researchers then analyzed these attacks and together with other intelligence sources, uncovered the most active ransomware groups during the first quarter of the year.
Hunters International: Hunters International, a ransomware-as-a-service (RaaS) crime syndicate that has been in operation since late 2023, rose to prominence in early 2024. The group is possibly a spin-off of the Hive ransomware group, which was shuttered by law enforcement in early 2023.
This group employs a double extortion scheme that involves first encrypting the victim’s data for ransom, then demanding more money by threatening to publicly post the stolen data. Hunters International is currently active around the globe.
8Base: Initially observed in 2022, the 8Base ransomware group rose to prominence in late 2023. This prolific group uses a variety of tactics, techniques and procedures (TTPs) and can be highly opportunistic. The group is often quick to exploit newly disclosed vulnerabilities and leverages various ransomware families, including Phobos.
LockBit: LockBit, a Russia-based ransomware group, specializes in providing RaaS through its eponymous malware. Discovered in 2020, LockBit ransomware has become one of the most aggressive ransomware groups.
LockBit uses custom tooling to exfiltrate victim data prior to encryption and then hosts it via a leak site on the dark web. The group largely targets victims in North America and, secondarily, in Latin America, typically utilizing a double extortion strategy. In February 2024, Operation Cronos, an international law enforcement effort, disrupted LockBit’s operations. However, LockBit appears to have since bounced back, and remains a major player in the ransomware space.
Play: Observed initially in 2022, Play is a multi-extortion ransomware group that hosts stolen data on TOR-based sites that enable anonymous communication, threatening that the data will be leaked if the ransom payment isn’t made.
Play often targets small and medium-sized businesses (SMBs), mainly in North America, but also in the EMEA region. The group largely leverages off-the-shelf tools like Cobalt Strike, Empire and Mimikatz for discovery and lateral movement TTPs. The group also utilizes Grixba, a custom reconnaissance and infostealing tool that is run prior to ransomware execution.
BianLian: BianLian is a Golang-based ransomware that has been in the wild since 2022. The associated group has been active this year, heavily targeting victims based in North America. Like many ransomware groups, BianLian is quick to exploit recently disclosed vulnerabilities, often targeting smaller companies across a number of industries. It uses various off-the-shelf tools, including PingCastle, Advanced Port Scanner and SharpShares, to gain a foothold on a target system before exfiltrating sensitive data and executing ransomware. The stolen data is then leveraged as an extortion tactic until the ransom is paid.
ALPHV: Also known as BlackCat or Noberus, ALPHV is a ransomware-as-a-service (RaaS) operation that has been around since late 2021. The threat group behind ALPHV is highly sophisticated, leveraging the Rust programming language to target Windows, Linux and VMware-based systems. ALPHV tends to target North American victims.
Reducing Ransomware Risk
Ismael Valenzuela, BlackBerry Vice President of Threat Research & Intelligence, said in a recent webinar that a key defense mechanism to thwart ransomware attacks is to use AI-powered security tools to prevent ransomware deployment. “When we talk about malware, we talk about infostealers and we talk about ransomware — yet in many cases before the attacker can deploy ransomware, they must do certain things: discovery, defense evasion, and privilege escalation. So that's why it's very important we focus on (defending) those areas.”
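As an added illustration of that point (example code written for this post, not BlackBerry's tooling): a small Python correlation that flags a host only when process-creation events show two or more of the pre-deployment stages named above within a time window. The tool-to-stage mapping and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed mapping from the off-the-shelf tools named in this post to the
# pre-deployment stage they are typically used in (editor's illustration).
STAGE_BY_IMAGE = {
    "pingcastle.exe": "discovery",
    "advanced_port_scanner.exe": "discovery",
    "sharpshares.exe": "discovery",
    "grixba.exe": "discovery",
    "mimikatz.exe": "privilege_escalation",
}

def parse_event(line):
    """Parse one constructed process-creation record: 'ISO-timestamp|host|image path'."""
    ts, host, image = line.strip().split("|", 2)
    name = PureWindowsPath(image).name.lower()
    return datetime.fromisoformat(ts), host, name

def find_multistage_hosts(lines, window_hours=1.0):
    """Return {host: sorted stages} for hosts hitting two or more stages within
    window_hours; a lone discovery tool on a host is not reported."""
    window = timedelta(hours=window_hours)
    by_host = defaultdict(list)
    for line in lines:
        ts, host, name = parse_event(line)
        stage = STAGE_BY_IMAGE.get(name)
        if stage:
            by_host[host].append((ts, stage))
    flagged = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (ts, _) in enumerate(hits):
            # Distinct stages seen on this host from this event forward, inside the window
            stages = {s for t, s in hits[i:] if t - ts <= window}
            if len(stages) >= 2:
                flagged[host] = sorted(stages)
                break
    return flagged

# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    "2024-03-04T09:00:00|WS01|C:\\Users\\a\\Downloads\\PingCastle.exe",
    "2024-03-04T09:12:00|WS01|C:\\Temp\\SharpShares.exe",
    "2024-03-04T09:40:00|WS01|C:\\Temp\\mimikatz.exe",
    "2024-03-04T10:00:00|WS02|C:\\Tools\\Advanced_Port_Scanner.exe",
    "2024-03-04T15:00:00|WS03|C:\\Temp\\mimikatz.exe",
    "2024-03-04T17:30:00|WS03|C:\\Temp\\Grixba.exe",
]
```

With the default one-hour window only WS01 is reported; widening the window to three hours also catches WS03, which is the tuning trade-off such a rule lives with.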
The BlackBerry Incident Response Team offers additional tips on ransomware prevention, based on the scenarios it sees as it helps organizations with incident response.
- Patch promptly. Patching can prevent a threat actor who has gained access to an enterprise network via a vulnerable device or system from further actioning on objectives, such as deploying ransomware.
- Ensure the organization keeps two copies of all critical data, stored on two different media formats separate from the original data source, with at least one copy off-site.
For more actionable threat intelligence, read the BlackBerry Global Threat Intelligence Report, published each quarter.