2024: The four most dangerous ransomware groups 

Ransomware will continue to be one of the greatest threats to German companies in 2024. RaaS (Ransomware-as-a-Service) in particular is inspiring threat actors worldwide because it allows them to use state-of-the-art technology without deep technical understanding. Here are the four ransomware families that, based on current threat analyses, will pose a particular threat in 2024.

The world of ransomware is constantly changing. Research by Trend Micro shows that many ransomware-as-a-service groups are no longer targeting only “big targets”. Instead, they focus on smaller companies that are less well protected. This worrying trend towards smaller and “softer” targets is likely to continue into next year. The current threat analysis suggests that the well-known ransomware families LockBit, BlackCat and Clop in particular will remain very active in 2024. In addition, newcomers like the group “Akira” are on the rise. Akira only recently managed to paralyze many municipalities in North Rhine-Westphalia with a ransomware attack on the municipal IT service provider Südwestfalen-IT (South Westphalia IT) and thus came into the spotlight.

4 particularly dangerous ransomware groups

In the first half of the year, LockBit accounted for over a quarter of all RaaS attacks recorded by Trend Micro, while BlackCat and Clop were each responsible for around 10 percent of all attacks. In order for organizations to avoid falling victim to these highly active cybercriminals in the future, a better understanding of the threat actors' modus operandi is needed.

So here's a profile of four ransomware groups that companies should keep an eye on in the next year:

1. LockBit Group

LockBit is one of the most dangerous groups - here is the attack on dena (Image: B2B-C-S).

LockBit has been active since 2019 and, according to the Federal Office for Information Security, is “currently the largest ransomware threat in Germany and worldwide”. Trend Micro reported a whopping 1,844 LockBit detections in the first half of 2023, making it the most detected ransomware. A variety of different malware versions, and the many affiliates that use them, make it difficult for companies to protect themselves. The most recent version, which has been in circulation since January 2023, is called “LockBit Green”.

In April, Trend Micro revealed how malicious actors used LockBit as the payload in attacks exploiting two vulnerabilities in the widely used print management solution PaperCut. In June 2023, the LockBit gang targeted a supplier to the world's largest contract chip manufacturer TSMC and accessed the company's data. The LockBit actors demanded a $70 million ransom from TSMC and threatened to publish the stolen data otherwise. The group most recently made headlines with its successful attack on US aircraft manufacturer Boeing, after which it published gigabytes of allegedly stolen data.

2. BlackCat aka ALPHV

BlackCat and its ALPHV ransomware are responsible for many attacks - such as the one at Meyer & Meyer many months ago (Image: B2B-C-S).

BlackCat (also ALPHV) initially became known because it was the first professional ransomware family to be developed in the Rust programming language. The language is considered particularly secure and supports parallel processing.

BlackCat is most notorious for its triple extortion technique. Ransomware actors using triple extortion not only encrypt systems and threaten to expose exfiltrated data, but also combine the data theft with distributed denial of service (DDoS) attacks on their victims' infrastructure. This immensely increases the pressure to pay the ransom.

In mid-November, the criminals took a new approach for the first time to get a victim to pay: they filed a complaint with the US financial regulator SEC against the financial technology provider they had attacked, MeridianLink, because the company had not complied with its obligation to report the attack. No legal consequences are to be expected for MeridianLink, as the reporting requirement in question only comes into force on December 15th of this year. Unfortunately, it is to be expected that this approach will set a precedent and will be seen more frequently in the future as a way to put even greater pressure on companies under attack.

In addition to the hotel chains Motel One and MGM Resorts, other prominent victims of BlackCat include the Carinthian state government and the online platform Reddit.

3. Clop or Cl0p group

Clop, sometimes written Cl0p, first gained notoriety because the group used multi-level extortion techniques to compromise high-profile organizations in various industries. More recently, it has increasingly focused on data theft and the associated extortion schemes.

The threat actors behind the ransomware claim to have compromised 130 organizations by exploiting a vulnerability in Fortra's GoAnywhere file transfer software. The city of Toronto is said to be among the victims of the mass attack.

The Clop group was also responsible for a widespread data theft attack that exploited a zero-day vulnerability in MOVEit Transfer, a secure data transfer platform. The attack affected over 2,000 companies and more than 62 million customers. According to reports from July, the criminals have now stolen over $100 million in this series of attacks.

4. Akira Group

Akira ransomware attacked Südwestfalen-IT in October and paralyzed over 70 municipalities in North Rhine-Westphalia (Image: B2B-C-S).

With the devastating attack on the service provider Südwestfalen-IT, which has paralyzed over 70 municipalities in North Rhine-Westphalia since the end of October, Akira came into the spotlight of the cybersecurity industry. The cyber attack brought the administration of the affected authorities to a standstill, and some citizens' offices had to be closed completely. Recovery work is ongoing, but progress is slow, which is why many government services in the affected communities are still limited.

The threat actors behind the new name, however, appear to be well-known figures from the scene. Analyses of the malicious code, which has been circulating since March 2023, point to Conti's former masterminds. The similarities with Conti include the obfuscation of strings, the way data is encrypted and the avoidance of certain file extensions. So far, Akira has mostly attacked targets in France (53 percent) or the USA, with a particular focus on small and medium-sized companies. With 508 detections per month, the attack rate increased significantly in June 2023. Like most other groups, Akira relies on double extortion tactics, with ransom demands ranging from $200,000 to several million dollars.

Conclusion: More attacks on softer targets

Cybercriminals worldwide are becoming more professional and offering their services as RaaS to threat actors with less technical expertise. This, combined with a shift in focus towards “soft” targets, means that ransomware will continue to be one of the biggest economic threats to German medium-sized businesses next year.

Well-known players such as LockBit and co. now have a highly networked and professional infrastructure, and whether it can be dismantled remains an open question. And even if ransomware groups are eliminated, they can easily regroup some time later, as the Conti similarities in the Akira code suggest. Companies should therefore prepare well, urgently check their current security architecture for weaknesses and make improvements wherever possible. The threat actors are certainly already planning their next coups.

More at TrendMicro.com

About Trend Micro

As one of the world's leading providers of IT security, Trend Micro helps create a secure world for digital data exchange. With over 30 years of security expertise, global threat research, and constant innovation, Trend Micro offers protection for businesses, government agencies, and consumers. Thanks to our XGen™ security strategy, our solutions benefit from a cross-generational combination of defense techniques optimized for leading-edge environments. Networked threat information enables better and faster protection. Optimized for cloud workloads, endpoints, email, the IIoT and networks, our connected solutions provide centralized visibility across the entire enterprise for faster threat detection and response.
