Ransomware statistics for Q2 of 2024 reflect a transforming ransomware-as-a-service (RaaS) landscape following law enforcement shakeups earlier in the year.
ReliaQuest’s Ransomware and Cyber Extortion in Q2 2024 report identifies 1,237 organizations listed on ransomware leak sites, representing a 20% increase compared with Q1 2024.
However, the number of affected organizations saw only a miniscule increase of 1% between the first half of 2023 and first half of 2024, suggesting that recent events have put a damper on the overall growth trend of ransomware attacks.
“Numbers of each month within Q2 2024 fluctuated significantly, likely due to upheavals in the RaaS ecosystem that caused ransomware groups to compete for affiliates,” ReliaQuest researchers wrote in a blog post Monday. “We anticipate a more consistent rise in ransomware incidents in the second half of 2024 as affiliates resume normal operations.”
Change of guard between old and new ransomware groups
A major factor influencing the numbers revealed in ReliaQuest’s report is the influence of law enforcement activity on ransomware’s major players.
ALPHV/BlackCat’s withdrawal from the scene following FBI interference and a probable exit scam, paired with a weakening of LockBit after its own law enforcement disruption, cleared the way for newer ransomware gangs like RansomHub, BlackSuit and BlackBasta to recruit more affiliates and ramp up activities.
At the same time, LockBit’s attempt to rebound from its February takedown was attributed to a spike in claimed victims in the middle of Q2. The group claimed 179 victims on its leak site in May, representing more than a third of that month’s affected organizations, but these numbers fell off in June, leading to a relatively quiet month.
ReliaQuest said that, despite the attempted comeback, LockBit's reputation among fellow cybercriminals was sullied in the wake of its law enforcement disruption, with its likely false claim of breaching the U.S. Federal Reserve being the latest embarrassment for the former top dog.
“Dark web form users remarked that such ‘fake’ claims will likely undermine affiliates’ willingness to collaborate,” ReliaQuest researchers wrote.
Meanwhile, emerging players like RansomHub are taking advantage of the disillusionment of former ALPHV/BlackCat and LockBit affiliates, offering fresh, lucrative opportunities to cybercriminals. RansomHub’s rise to fame was kicked off after its recruitment of former ALPHV/BlackCat affiliate notchy, which led to a second extortion attempt against Change Healthcare.
Unlike ALPHV/BlackCat, which allegedly took off with a $22 million ransom paid by UnitedHealth Group without paying out notchy’s share, RansomHub allows affiliates to collect ransom payments themselves and only send a 10% cut back to the group.
This makes RansomHub an especially attractive partner for financially motivated cybercriminals, including former affiliates of ALPHV/BlackCat and LockBit, and encourages targeting of “big game” organizations that are likely to pay larger ransoms. These factors likely led to the 243% increase in claimed RansomHub victims between Q1 and Q2 of 2024, and the disproportionately high volume of U.S. organizations targeted due to the perception that U.S.-based companies are more likely to make high ransom payments.
BlackSuit was also noted as a rising contender in the ransomware ecosystem, seeing a 194% increase in victims claimed on its leak site between Q1 and Q2. ReliaQuest predicts that groups like RansomHub and BlackSuit will continue to see rising activity during the second half of the year as more affiliates are recruited, including those jumping ship from LockBit.
Initial access via stolen credentials, supply chain attacks expected to increase
ReliaQuest’s report also points to changing tactics among cyberattackers, pointing to a potential shift in initial access vectors. Researchers identified a 30% increase in cybercriminal marketplace listings for infostealer logs, suggesting that exposed credentials will become a more prominent source of initial access in future ransomware and extortion attacks.
The breach of credentials of approximately 165 customers of data cloud company Snowflake is one example of this rising attack vector, with signs that threat actors are leveraging the stolen credentials in extortion-only schemes. As more decryption keys for ransomware strains become available due to increased law enforcement activity, extortion-only attacks may gradually rise to displace double-extortion ransomware attacks, ReliaQuest predicts.
Software supply chain attacks are also a concern due to increased targeting of technology companies by ransomware groups, with the potential for secondary attacks against customers of the breached software providers. ReliaQuest noted a 35% increase in ransomware victims from the professional, scientific and technical services (PSTS) sector, which includes software companies.
