RansomHub becomes dominant ransomware group in Q3 2024

Ransomware activity increased by 2.3% in the third quarter of 2024 compared to the previous quarter, though levels remain 1.5% lower than in the same period of the previous year, according to a new report by ReliaQuest.

The report highlights significant developments in the ransomware landscape, led by a shift in the dominance among hacking groups. "RansomHub" has overtaken "LockBit" as the most active group during this period, experiencing an 800% increase in activity. This rise has been attributed to its attractive profit-sharing scheme, offering affiliates a 90/10 split.

Additionally, RansomHub has collaborated with the hacking collective "Scattered Spider." This partnership leverages native English speakers to conduct sophisticated social engineering campaigns, which has been pivotal in their increased activity.

Despite the uptick in certain activities, ransomware incidents showed an overall decline compared to the previous year—down by 1.5% from Q3 2023. The decrease is thought to result from the enhancement of detection capabilities through advanced endpoint detection and response (EDR) technologies and the disruption caused by law enforcement interventions, such as a crackdown on the former leader "LockBit."

The third quarter of 2024 also saw other groups like "Meow" rise in prominence, placing fourth in activity rankings. Diverging from traditional data encryption techniques, Meow has shifted its focus to selling stolen data online.

Meanwhile, the "Play" group transitioned its tactics from double extortion to more targeted approaches, such as attacking ESXi environments, broadening its scope across Linux platforms. These developments underscore a larger trend in the ransomware ecosystem, where groups are evolving and adapting quickly to maintain efficacy and impact.

Law enforcement actions against major ransomware groups have led to a more fragmented landscape, with smaller groups rising to challenge the dominance of long-established players like LockBit. Despite experiencing a slowdown in its activity, LockBit remains a significant threat due to its robust affiliate network.

Different sectors continue to bear the brunt of ransomware attacks, with the professional, scientific, and technical services sector identified as the most targeted due to its vulnerability to operational disruptions. Other sectors, including manufacturing, construction, healthcare, and social assistance, also face significant threats.

The report anticipates that ransomware activity will continue increasing in the short term, potentially peaking by the end of 2024. Emerging groups, particularly RansomHub and "Inc Ransom," are expected to be key drivers of this trend.

Looking ahead, there is an expectation of a rise in the use of large language models (LLMs) in ransomware negotiations, which would facilitate more effective interactions across different languages. There is also an anticipated increase in exfiltration-only attacks, shifting focus from encryption to data theft and extortion.

The splintering of larger syndicates like LockBit into smaller entities could allow these groups to operate under the radar, making them harder to track and counteract. This decentralization is expected to continue, posing ongoing challenges for cybersecurity professionals.

ReliaQuest's report emphasizes the need for organizations to implement effective cybersecurity strategies, including maintaining robust backup policies, enhancing endpoint detection, and improving training on social engineering tactics. Employing digital risk protection solutions and automating incident response measures are also advised to strengthen defences against the continuously evolving threats posed by ransomware activities.