Ransomware 2024: Insights into LockBit, BlackCat, and More
Explore the 2024 ransomware landscape, major attacks, key trends like RaaS, double extortion, supply chain attacks, and cybercriminals' evolving tactics.
Imagine waking up one morning to find the world at a standstill. Flights are grounded, hospitals are struggling to access patient records, banks are unable to process transactions, and businesses large and small can't operate. This nightmare scenario became a reality on Friday, July 19, 2024, when a botched software update by cybersecurity firm CrowdStrike triggered a massive IT outage that reverberated across the globe.
While the CrowdStrike incident was not a malicious ransomware attack, its impact mirrors the crippling effects of widespread ransomware campaigns that have become all too common. These attacks, introduced intentionally by bad actors, encrypt an organization's data and demand a ransom payment in exchange for the decryption key. In this article, we're going to take a deep dive into the current state of ransomware in 2024.
The ransomware ecosystem in 2024 is dominated by several highly organized groups that operate like businesses, complete with hierarchical structures and specialized roles. Among the most notorious are LockBit, BlackCat (ALPHV), and Rhysida.
LockBit has been particularly active, claiming responsibility for high-profile attacks on entities such as London Drugs and Fulton County, Georgia. In the case of London Drugs, the group threatened to publish stolen data after failed negotiations, highlighting their use of double extortion tactics. The attack on Fulton County disrupted critical IT systems, affecting phone, court, and tax services, demonstrating the far-reaching consequences of ransomware attacks on public infrastructure.
BlackCat (ALPHV) has also made headlines with its attack on Trans-Northern Pipelines, claiming to have stolen 183 GB of documents and causing significant operational disruptions. Perhaps their most impactful attack was the $872 million cyberattack on UnitedHealth Group, which targeted the Change Healthcare platform and resulted in the theft of 6 TB of data. This incident showcased the group's ability to target and severely impact large corporations and critical healthcare infrastructure.
Rhysida, responsible for the Singing River Health System attack, has shown a propensity for targeting healthcare organizations. Their attack on Sony subsidiary Insomniac Games led to the theft and subsequent leak of 1.67 TB of sensitive employee data after ransom negotiations failed, highlighting the group's willingness to follow through on their threats.
Ransomware groups in 2024 employ a variety of tactics, techniques, and procedures to maximize their impact and evade detection.
One of the most prevalent TTPs is the use of "living off the land" techniques, where attackers leverage legitimate tools and processes within the victim's environment to carry out their attacks. This approach makes it significantly more difficult for security systems to detect malicious activity, as the actions of the attackers blend in with normal system operations.
For example, attackers frequently use PowerShell, a legitimate Windows administration tool, to execute malicious scripts and move laterally within networks. They may also abuse built-in Windows features such as the Remote Desktop Protocol (RDP) to gain access or to maintain persistence within compromised systems. Because these are native, signed tools, their use often bypasses traditional security controls that focus on detecting known malware signatures; detection has to key on how the tools are invoked (hidden windows, encoded commands, interactive logons from unexpected sources) rather than on what binary runs.
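An added example, not code from the original article: a small Python detector run over constructed Windows Security log records that flags the PowerShell and RDP patterns just described. Event IDs 4688 (process creation) and 4624 (logon), logon type 10 (RemoteInteractive), and the powershell.exe switches are real Windows conventions; the hosts, users, addresses and the encoded script are constructed sample data, and the "fan-out" rule (one source reaching several hosts over RDP) is this example's own heuristic.

```python
"""Flag living-off-the-land PowerShell and RDP patterns in constructed Windows
Security log records. Event IDs and switch names are real Windows conventions;
all hosts, users, addresses and the script are constructed sample data."""
import base64
from collections import defaultdict


def _enc(script: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed discovery command, present only to show the decoder works.
SAMPLE_SCRIPT = "Get-ChildItem C:\\Users -Recurse -Include *.docx"

# Constructed events. 4688 = process creation (cmd = command line),
# 4624 = successful logon; logon_type 10 = RemoteInteractive, i.e. RDP.
SAMPLE_EVENTS = [
    {"id": 4624, "host": "WS-01", "user": "alice", "logon_type": 2},
    {"id": 4688, "host": "WS-01", "user": "alice",
     "cmd": "powershell.exe -NoProfile -Command Get-Date"},
    {"id": 4624, "host": "SRV-02", "user": "svc-backup", "logon_type": 10,
     "src_ip": "10.0.5.23"},
    {"id": 4688, "host": "SRV-02", "user": "svc-backup",
     "cmd": "powershell.exe -nop -w hidden -ep bypass -enc " + _enc(SAMPLE_SCRIPT)},
    {"id": 4624, "host": "SRV-03", "user": "svc-backup", "logon_type": 10,
     "src_ip": "10.0.5.23"},
]

# Switches that are individually rare in legitimate admin use. A production
# rule must also accept PowerShell's abbreviated parameter prefixes (e.g. -Enco).
HIGH_RISK = {"hidden_window", "encoded_command", "exec_policy_bypass"}


def powershell_flags(cmd: str) -> set:
    """Return the set of notable powershell.exe switches in a command line."""
    tokens = cmd.split()
    flags = set()
    for i, tok in enumerate(tokens):
        t = tok.lower()
        nxt = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        if t in ("-nop", "-noprofile"):
            flags.add("noprofile")
        elif t in ("-w", "-windowstyle") and nxt == "hidden":
            flags.add("hidden_window")
        elif t in ("-ep", "-executionpolicy") and nxt == "bypass":
            flags.add("exec_policy_bypass")
        elif t in ("-e", "-ec", "-enc", "-encodedcommand"):
            flags.add("encoded_command")
    return flags


def decode_encoded_command(cmd: str):
    """Recover the script behind -EncodedCommand, or None if absent or invalid."""
    tokens = cmd.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("-e", "-ec", "-enc", "-encodedcommand"):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze_events(events) -> list:
    """Produce findings for RDP logons, risky PowerShell invocations, and one
    source address reaching several hosts over RDP (a lateral-movement hint)."""
    findings = []
    rdp_by_src = defaultdict(set)
    for ev in events:
        if ev["id"] == 4624 and ev.get("logon_type") == 10:
            src = ev.get("src_ip", "unknown")
            rdp_by_src[src].add(ev["host"])
            findings.append({"host": ev["host"], "kind": "rdp_logon",
                             "detail": f"{ev['user']} from {src}"})
        elif ev["id"] == 4688 and "powershell" in ev.get("cmd", "").lower():
            flags = powershell_flags(ev["cmd"])
            if flags & HIGH_RISK:  # plain -NoProfile alone is not worth an alert
                findings.append({"host": ev["host"], "kind": "suspicious_powershell",
                                 "detail": ", ".join(sorted(flags)),
                                 "decoded": decode_encoded_command(ev["cmd"])})
    for src, hosts in rdp_by_src.items():
        if len(hosts) >= 2:
            findings.append({"host": ",".join(sorted(hosts)), "kind": "rdp_fan_out",
                             "detail": f"{src} reached {len(hosts)} hosts over RDP"})
    return findings


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"[{f['kind']}] {f['host']}: {f['detail']}", f.get("decoded") or "")
```

The WS-01 invocation is deliberately left unflagged: `-NoProfile` on its own is common in scheduled admin scripts, so the rule only fires when a hidden window, an encoded command or an execution-policy bypass is present. Decoding the encoded payload at detection time is what lets an analyst see the intent of the command without having to reproduce it.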
Another common TTP is the exploitation of vulnerabilities in public-facing applications. Attackers constantly scan for unpatched systems and known vulnerabilities, often targeting popular enterprise software or content management systems. Once a vulnerability is identified, they quickly move to exploit it before organizations have a chance to apply patches or implement mitigations.
One notable development is the increasing prevalence of ransomware-as-a-service (RaaS), which has democratized access to sophisticated ransomware tools. These platforms operate on a subscription model, providing cybercriminals with access to ransomware variants, distribution channels, and support services in exchange for a share of the profits. This model has led to a significant increase in the number of ransomware attacks, as it lowers the barrier to entry for potential attackers.
In addition, double extortion tactics have become standard practice for many ransomware groups. Alongside encrypting victims' data, attackers now routinely exfiltrate sensitive information before deploying the ransomware. This approach puts additional pressure on victims to pay the ransom, as they face not only the loss of access to their data but also the threat of public exposure of sensitive information.
Another growing concern is the rise of supply chain attacks. Cybercriminals are increasingly targeting software providers and managed service providers as a means of compromising multiple organizations simultaneously. By infiltrating a single point in the supply chain, attackers can potentially gain access to numerous downstream clients, amplifying the impact of their attacks.
Finally, hybrid ransomware attacks, which combine elements of traditional ransomware with other cyber threats, are becoming more common. These attacks may incorporate data manipulation, destructive malware, or other malicious activities alongside the typical encryption and extortion tactics. This approach aims to inflict maximum damage on victims and increase the likelihood of ransom payment.
When a ransomware attack is detected, speed is critical: encryption and lateral movement continue for as long as the affected hosts stay connected. Automating incident response workflows helps contain the damage and reduce the impact on your organization.
Create automated workflows to isolate infected systems, prevent ransomware from spreading, and notify key personnel. These workflows can also initiate data recovery processes, ensuring that essential information remains available even in the event of an attack.
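An added example, not Blink's product code or any vendor's API: the decision logic of the containment workflow described above, written in Python with the isolation, evidence-snapshot and notification integrations replaced by in-memory stand-ins so it runs offline. The finding kinds, the severity scale, the containment threshold and the protected-host list are constructed assumptions; a real deployment would wire the three callbacks to an EDR, a network control and a paging or ticketing system.

```python
"""Constructed containment playbook: prioritise findings, contain the worst
hosts first, never auto-isolate hosts whose loss is itself an outage, and
contain each host only once. Integrations are simulated in memory."""
from dataclasses import dataclass, field

# Constructed severity scale for detection kinds (not a vendor taxonomy).
SEVERITY = {
    "file_encryption_burst": 3,   # mass file rewrite/rename observed on host
    "suspicious_powershell": 2,
    "rdp_fan_out": 2,
    "rdp_logon": 1,
}
CONTAIN_THRESHOLD = 2             # findings below this are logged, not acted on

# Constructed list of hosts a human must approve before isolation.
PROTECTED_HOSTS = {"DC-01", "FILE-01"}

# Constructed findings, ordered as a detector might emit them.
SAMPLE_FINDINGS = [
    {"host": "SRV-02", "kind": "rdp_logon"},
    {"host": "SRV-02", "kind": "suspicious_powershell"},
    {"host": "SRV-03", "kind": "file_encryption_burst"},
    {"host": "DC-01", "kind": "suspicious_powershell"},
    {"host": "SRV-02", "kind": "rdp_fan_out"},
]


@dataclass
class SimulatedActions:
    """In-memory stand-ins for the EDR, network and notification integrations."""
    isolated: list = field(default_factory=list)
    snapshots: list = field(default_factory=list)
    notifications: list = field(default_factory=list)

    def isolate(self, host: str) -> None:
        self.isolated.append(host)

    def snapshot(self, host: str) -> None:
        self.snapshots.append(host)

    def notify(self, message: str) -> None:
        self.notifications.append(message)


class ContainmentPlaybook:
    def __init__(self, actions: SimulatedActions):
        self.actions = actions
        self.audit = []        # ordered record of every decision taken
        self._handled = set()  # hosts already contained (idempotency guard)

    def run(self, findings: list) -> list:
        # Highest severity first; sort is stable, so detector order breaks ties.
        ordered = sorted(findings, key=lambda f: SEVERITY.get(f["kind"], 0),
                         reverse=True)
        for f in ordered:
            host, kind = f["host"], f["kind"]
            if SEVERITY.get(kind, 0) < CONTAIN_THRESHOLD:
                self.audit.append((host, kind, "logged"))
                continue
            if host in self._handled:
                self.audit.append((host, kind, "already_contained"))
                continue
            self._handled.add(host)
            if host in PROTECTED_HOSTS:
                self.audit.append((host, kind, "needs_approval"))
                continue
            # Preserve volatile evidence before the host is cut off, then isolate.
            self.actions.snapshot(host)
            self.actions.isolate(host)
            self.audit.append((host, kind, "isolated"))
        pending = sorted(h for h, _, s in self.audit if s == "needs_approval")
        self.actions.notify(
            f"isolated={sorted(self.actions.isolated)} needs_approval={pending}")
        return self.audit


def run_example():
    """Run the playbook over the constructed findings and return its trail."""
    actions = SimulatedActions()
    audit = ContainmentPlaybook(actions).run(SAMPLE_FINDINGS)
    return actions, audit


if __name__ == "__main__":
    acts, trail = run_example()
    for entry in trail:
        print(entry)
    print(acts.notifications[0])
```

Two guardrails carry most of the value here: the idempotency set stops a burst of correlated findings from issuing repeated isolation calls for the same host, and the protected-host list keeps automation from taking a domain controller or file server offline without a human in the loop, which would otherwise turn a contained incident into the very outage the attacker wanted.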
Blink simplifies the development and implementation of automated incident response workflows, allowing your team to respond to ransomware threats quickly and effectively.
Schedule a demo by clicking here to learn how automation can help strengthen your ransomware protection.
Blink is secure, decentralized, and cloud-native. Get modern cloud and security operations today.