Ransomware in 2024: More attacks, more leaks, and greater sophistication

Ransomware continues to grow and to pay off for attackers, according to Rapid7’s Ransomware Radar Report 2024. The report highlights a significant increase in attacks and data leaks, along with greater sophistication in the tactics used by cybercriminals.

Increase in Groups and Attacks

In 2024, the ransomware threat has become even more severe than in 2023. During the first half of the year, Rapid7 tracked over 2,500 ransomware attacks, which equates to more than 14 publicly reported incidents per day. The true number could be much higher once unreported attacks and cases where a ransom was paid without data leakage are considered.

The report shows an increase in the number of posts on leak sites, rising from an average of 24 per month in the first half of 2023 to 40 per month in the same period of 2024. This reflects the ongoing shift of attackers towards double extortion, combining data encryption with exfiltration and data leakage.

Active Ransomware Groups

In the first six months of 2024, Rapid7 observed 21 new ransomware groups. A notable case is the RansomHub group, which quickly established itself as a prominent extortion group by making 181 posts on its leak site between February and June 2024.

Research also revealed that small and medium-sized businesses are the most common targets, especially those with annual revenues around $5 million, as they are large enough to possess valuable data but not as well protected as large corporations.

Encryption Algorithm Trends

Cybercriminals continue to prefer certain encryption algorithms for their efficiency and their ability to evade security controls. The three most common algorithms are AES (Advanced Encryption Standard), ChaCha, and RC4. AES is widely recognized for its security and efficiency, while ChaCha is valued for its high performance in software, especially on platforms without specialized cryptographic hardware. RC4, though considered insecure, is still used in less sophisticated environments due to its simplicity and speed.

Initial Access and Brokers

Initial access remains a critical part of the ransomware attack chain. Access brokers play a vital role by selling credentials and access to corporate networks in underground forums. Remote Desktop Protocol (RDP) and VPN are the most common access methods, underscoring the need to secure these entry points with robust security measures.

Implications for Security

The report emphasizes the need for organizations to strengthen their cybersecurity defenses. Implementing multifactor authentication (MFA), rigorously applying security patches, and proactively managing the attack surface are essential to mitigate the risk of initial access and subsequent ransomware deployment.

Rapid7 continues to research and develop ransomware prevention technologies to protect its customers against the latest threats. As the ransomware threat evolves, so must cybersecurity defense strategies, which requires continuous monitoring and adaptation.

Conclusion

Ransomware in 2024 has proven to be a persistent and evolving threat, with an increase in the number of attacks and greater sophistication in the tactics used. Organizations must maintain a proactive and adaptive defensive posture to guard against this growing threat.
