The number of ransomware double-extortion groups posting to leak sites hit an all-time high in May, with 40 groups actively listing victims that month, according to Secureworks’ State of the Threat 8th Edition report published Tuesday.
The Secureworks report outlines the ongoing results of law enforcement disruption of ALPHV/BlackCat and LockBit between the end of the 2023 and mid-2024, namely fragmentation of the ransomware-as-a-service (RaaS) ecosystem and spreading out of affiliates to various double extortion groups both old and new.
“Ransomware is a business that is nothing without its affiliate model. In the last year, law enforcement activity has shattered old allegiances, reshaping the business of cybercrime,” Don Smith, vice president of Threat Intelligence at Secureworks’ Counter Threat Unit (CTU), said in a statement. “Originally chaotic in their response, threat actors have refined their business operations and how they work. The result is a larger number of groups, underpinned by substantial affiliate migration.”
Overall, between July 2023 and the end of June 2024, the Secureworks CTU saw a 30% year-over-year increase in active ransomware groups using double extortion tactics, in which victim data is both encrypted and exfiltrated to potentially be exposed on leak sites if a ransom is not paid. A total of 31 new groups emerged during this time period, while a number of older groups either shuttered or rebranded, bringing the total number of active groups to just under 40 by the end of June.
Law enforcement action sends affiliates scattering
The State of the Threat report noted significant movement surrounding the multi-part disruption of LockBit, which commenced in February 2024 when a multinational law enforcement operation seized control of key LockBit infrastructure and continued in May 2024 with exposure of much of the gang’s inner workings, including the identity of its lead administrator.
In the three months prior to the May 2024 exposure, 45 double-extortion groups were active, while 55 were active in the three months following the disruption, potentially indicating a spreading out and redistribution of affiliates due to the hit to LockBit’s capabilities and reputation. This second disruption also revealed that LockBit’s affiliate count dropped from 194 prior to February 2024 to just 69 by May 2024, with many affiliates likely jumping ship to join a different RaaS operation.
One of the groups suspected to have taken on affiliates from the LockBit takedown is Qilin, which went from posting fewer than nine victims per month on its leak site prior to February 2024 to consistently posting 10 or more afterward, peaking at 19 listed victims in May 2024, according to Secureworks.
In addition to seeing the highest number of active double-extortion groups in May, the Secureworks team noted a record number of victims listed in one month in March 2024, when 730 victims were listed online. However, a large number of these listings – 330 – came from a threat actor known as Dispossessor, which appeared to mainly post victims that had previously been claimed by other ransomware groups, namely LockBit. Dispossessor was ultimately taken down by law enforcement as well in August 2024.
Vulnerabilities, credentials remain key initial access targets
Despite the shakeup in the ransomware world, and the shifting distribution of affiliates only making attribution more confusing for cybersecurity researchers, key tactics leveraged by ransomware actors remain largely the same, and ransomware remains the most pressing cybersecurity threat for most organizations.
Unpatched vulnerabilities continue to be the top initial access vector for ransomware groups, with attackers exploiting these vulnerabilities in nearly 50% of ransomware cases. Secureworks noted the most common vulnerability targeted in all of the attacks they responded to, not just ransomware, was Citrix Netscaler CVE-2023-4966 (Citrix Bleed), followed by Citrix Netscaler CVE-2023-3519 and Ivanti Pulse Connect CVE-2024-21887.
Vulnerabilities in Fortinet, Progress Software, F5 and Cisco products were also noted as being commonly exploited, and use of stolen credentials on systems without multi-factor authentication was the second most common initial access vector leveraged by ransomware threat actors.
Ransomware dwell times were also outlined in the report, with a third of attacks having a dwell time of less than one day between initial intrusion and deployment of the ransomware payload. The shortest dwell time observed in a ransomware attack was just seven hours, the researchers noted.
Another third of ransomware attacks saw a dwell time of more than a day but less than a week, while the remaining third had longer dwell times of more than 10 days. The longest dwell time noted was 135 days between initial access and ransomware deployment.
The targeting of vulnerabilities and credentials and speed of attacks demonstrate the importance of swift remediation of severe security bugs and use of phishing-resistant MFA on sensitive accounts.
