Ransomware, Threat Intelligence, Vulnerability Management

Ransomware recap: Top threat actors, exploited vulnerabilities in H1 2024


The ransomware landscape in the first half of 2024 saw a slight increase in claimed attacks year-over-year, a shakeup in the top six most prolific ransomware gangs and a new list of vulnerabilities most commonly exploited for ransomware intrusion.

The Ransomware Review for the first half of 2024 (H1 2024) from Palo Alto Networks Unit 42 involved an analysis of breach announcements from 53 ransomware leak sites, which totaled 1,762 new announcements so far this year. This represents a 4.3% increase in posts compared with H1 2023, although February 2024 saw a 49% increase in posts compared to February 2023.

The top six most prolific ransomware threat actors accounted for slightly more than half of the claimed compromises in H1 2024, with two of last year’s top dogs slipping out of the ranking. ALPHV/BlackCat (tracked by Palo Alto as Ambitious Scorpius) and Cl0p (Chubby Scorpius) fell from second and third place, respectively, making way for BlackBasta (Dark Scorpius) and Medusa (Transforming Scorpius) to join the top six in fifth and sixth place.

The other gangs recorded in the top six were LockBit (Flighty Scorpius), Play (Fiddling Scorpius), 8Base (Squalid Scorpius) and Akira (Howling Scorpius), although Unit 42 noted that LockBit posted “misleading information and old data” to its leak site while maintaining its top spot despite disruption by law enforcement in February.

“Since most ransomware groups now commonly use leak sites to pressure victims, researchers often use this data to identify trends and levels of ransomware activity for threat actors. However, defenders and researchers should use leak site data with caution as it might not always provide an accurate picture,” the Palo Alto report stated.

ScreenConnect, TeamCity, PHP, Windows flaws exploited in ransomware attacks

Security vulnerability exploits became the most common entry point for ransomware intrusion in 2023, a trend that continued in the first half of 2024. According to Palo Alto, new vulnerabilities in ConnectWise ScreenConnect, JetBrains TeamCity, the PHP Common Gateway Interface (CGI) script engine and Microsoft Windows Error Reporting Service were among the most commonly exploited by ransomware gangs in H1 2024.

Two ScreenConnect flaws, tracked as CVE-2024-1709 (CVSS 10.0) and CVE-2024-1708 (CVSS 8.4), can enable authentication bypass and remote code execution, and have been used in ransomware attacks by Play and BlackBasta. These vulnerabilities were patched and disclosed by ConnectWise in February 2024.

The TeamCity authentication bypass flaw tracked as CVE-2024-27198 (CVSS 9.8), patched in March 2024, has been targeted by the BianLian ransomware gang and in attacks deploying an open-source ransomware known as Jasmin. The critical PHP CGI flaw tracked as CVE-2024-4577 (CVSS 9.8) was exploited in a campaign spreading TellYouThePass ransomware in June, just a day or two after the flaw was patched.

A privilege escalation flaw in Windows Error Reporting Service tracked as CVE-2024-26169 (CVSS 7.8), which was patched in March 2024, has likely been exploited by BlackBasta, Symantec researchers reported in June. Palo Alto also noted that the Fortinet SSL VPN flaw tracked as CVE-2018-13379 (CVSS 9.8) and the Netlogon Remote Protocol vulnerability tracked as CVE-2020-1472 (CVSS 10.0) remain popular targets for initial access by ransomware groups.
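The section above makes a point defenders can act on directly: the flaws ransomware groups reach for first are the ones that give initial access (ScreenConnect, TeamCity, PHP CGI), while CVE-2024-26169 is a local privilege escalation that only matters once an attacker is already inside. The following is an added example, not code from the article or from Unit 42, showing how a small patch-prioritisation pass over an asset inventory can encode that distinction. The CVE identifiers, CVSS scores, patch months and the initial-access/privilege-escalation roles are the ones the article reports; the inventory, hostnames and the scoring weights are constructed assumptions, and patch dates are approximated to the first of the month the article names.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RansomwareCVE:
    """A vulnerability the article lists as exploited by ransomware groups in H1 2024."""
    cve: str
    product: str
    cvss: float
    role: str             # "initial_access" or "priv_esc", as described in the article
    patched_on: date      # vendor patch availability, approximated to the month the article gives
    used_by: Tuple[str, ...]


# Data from the article; patch dates are month-level approximations (assumption).
KNOWN_EXPLOITED: List[RansomwareCVE] = [
    RansomwareCVE("CVE-2024-1709", "ConnectWise ScreenConnect", 10.0, "initial_access",
                  date(2024, 2, 1), ("Play", "BlackBasta")),
    RansomwareCVE("CVE-2024-1708", "ConnectWise ScreenConnect", 8.4, "initial_access",
                  date(2024, 2, 1), ("Play", "BlackBasta")),
    RansomwareCVE("CVE-2024-27198", "JetBrains TeamCity", 9.8, "initial_access",
                  date(2024, 3, 1), ("BianLian", "Jasmin")),
    RansomwareCVE("CVE-2024-4577", "PHP CGI", 9.8, "initial_access",
                  date(2024, 6, 1), ("TellYouThePass",)),
    RansomwareCVE("CVE-2024-26169", "Microsoft Windows", 7.8, "priv_esc",
                  date(2024, 3, 1), ("BlackBasta",)),
]


@dataclass(frozen=True)
class Asset:
    """One entry of a (constructed) asset inventory."""
    hostname: str
    product: str
    internet_facing: bool
    last_patched: Optional[date]   # None means the host has never been patched


# Constructed sample inventory, not real hosts.
SAMPLE_ASSETS: List[Asset] = [
    Asset("rmm-01", "ConnectWise ScreenConnect", True, date(2024, 1, 15)),
    Asset("ci-01", "JetBrains TeamCity", False, None),
    Asset("web-03", "PHP CGI", True, date(2024, 7, 1)),     # patched after the June fix
    Asset("ws-117", "Microsoft Windows", False, None),
    Asset("ws-118", "Microsoft Windows", False, date(2024, 4, 10)),
]


def is_exposed(cve: RansomwareCVE, asset: Asset) -> bool:
    """An asset is exposed if it runs the product and was last patched before the fix shipped."""
    if asset.product != cve.product:
        return False
    return asset.last_patched is None or asset.last_patched < cve.patched_on


def exposure_score(cve: RansomwareCVE, asset: Asset) -> float:
    """Raw CVSS plus a bonus for flaws that grant initial access (assumed weights).

    An internet-facing host with an initial-access flaw is the ransomware entry point
    the article describes, so it outranks a higher-CVSS bug that needs a foothold first.
    """
    score = cve.cvss
    if cve.role == "initial_access":
        score += 10.0 if asset.internet_facing else 5.0
    return score


def prioritize(assets: List[Asset],
               cves: List[RansomwareCVE] = KNOWN_EXPLOITED) -> List[Tuple[str, str, float]]:
    """Return (hostname, CVE, score) for every exposed pairing, highest priority first."""
    findings = [
        (asset.hostname, cve.cve, exposure_score(cve, asset))
        for asset in assets
        for cve in cves
        if is_exposed(cve, asset)
    ]
    findings.sort(key=lambda f: (-f[2], f[0], f[1]))
    return findings


if __name__ == "__main__":
    for host, cve, score in prioritize(SAMPLE_ASSETS):
        print(f"{score:5.1f}  {host:8s}  {cve}")
```

Run as-is, the unpatched internet-facing ScreenConnect server lands at the top, the internal TeamCity host comes next, the Windows workstation missing the CVE-2024-26169 fix ranks last despite being on the same exploited list, and the two hosts patched after the vendor fix produce no findings at all.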

New ransomware gangs step into the spotlight

Unit 42’s report also includes data on some of the latest ransomware groups to emerge in 2024, including RansomHub (Spoiled Scorpius), DragonForce (Slippery Scorpius) and LukaLocker (Burning Scorpius).

RansomHub, which first began recruiting affiliates on the Russian Anonymous Market Place (RAMP) forum in February 2024, may have ties to a previous ransomware-as-a-service (RaaS) group known as Knight, or Cyclops, according to Palo Alto. The gang also appears to have recruited affiliates from ALPHV/BlackCat following the latter’s withdrawal from the scene in March 2024, including the affiliate behind the massive Change Healthcare breach.

DragonForce, which first emerged in November 2023, is believed to use the leaked LockBit 3.0 source code as the basis for its ransomware and is known for extortion tactics including leaking recordings of phone calls with its victims. DragonForce was behind a ransomware attack against the Ohio Lottery in December, which led to the compromise of 538,000 lottery players’ data.

LukaLocker ransomware was first detected in June 2024, targeting both Windows and Linux machines. LukaLocker threat actors extort victims directly through repeated threatening phone calls and messages instead of maintaining a leak site, Palo Alto notes.

Meanwhile, along with ALPHV/BlackCat, some other ransomware groups have apparently bowed out, with no new breaches claimed on their sites in 2024. These threat actors include Nokoyawa, KelvinSecurity, Losttrust, Karakurt, AvosLocker and NoEscape. Additionally, Cl0p has dramatically decreased its activity, going from third-most prolific group of 2023 to less than 1% of ransomware posts analyzed by Palo Alto.
