State of Ransomware 2024: A Year of Surges and Shuffling

Table of Contents

Introduction ... 3
Executive Summary ... 4
Ransomware Reckoning: The Surge and Shuffle ... 5
Ransomware Group Dynamics: The Shifting Power ... 8
Case Studies: Operational Disruptions in the Ransomware Echelon ... 11
The Affiliate Chess Game: Ransomware's Recruitment Rush ... 13
Spotlight: Change Healthcare Incident ... 15
The Alarming Trend of Quick Succession Ransomware Attacks ... 18
Affiliate Dynamics: The Ransomware Crossover ... 19
The Affiliate Marketplace ... 20
Opinion: Dr. Ferhat Dikbiyik ... 21
The Global Ransomware Marketplace: Victim Profiling and Strategic Targeting ... 22
Manufacturing Sector: A Ransomware Hotspot ... 26
Evaluating the Bounty: Ransomware Targets by Financial Footprint ... 31
Crafting a Corporate Veil: The Dichotomy of Ransomware PR ... 37
Case Study: A Look at Ransomware's Impact on US Essential Industries ... 38
Rethinking Ransomware: From Reaction to Prevention ... 40
Understanding Ransomware Susceptibility ... 43
How RSI Helps to Mitigate Ransomware Risk ... 45
Prevention and Minimizing Ransomware Risk ... 46
Mitigating Third-Party Ransomware Risk ... 47
Conclusion ... 48
Methodology ... 46
Black Kite Research & Intelligence Team ... 50

Introduction

In recent years, the digital landscape has been marred by a growing and pervasive threat: ransomware attacks. Once considered a sporadic nuisance, these malicious incursions have evolved into sophisticated operations, orchestrated by organized cybercrime syndicates with chilling efficiency. As businesses and individuals increasingly rely on interconnected systems and digital infrastructure, the stakes of these attacks have never been higher.

In our continued monitoring of ransomware activity by the Black Kite BRITE team, we've uncovered a startling observation: the sophistication of ransomware groups rivals that of any tech startup. A number of these criminal organizations offer services like customer support for victims to help streamline the process of payment. They have legions of employees, or affiliates, for whom they have recruitment strategies, and the groups have go-to-market-like strategies where different groups have preferential victim profiles. Each group has a preferred set of tactics or strategy for perpetrating their crimes.

Our research also confirms that gone are the days when these groups would mostly target resource-rich organizations. Back then, there stood an unwritten code: do not target organizations that offer critical human services. This is no longer the case, and we are seeing a stark rise in the number of attacks against healthcare-related organizations.

This research report delves into the alarming rise of ransomware incidents, shedding light on the evolving tactics of cybercriminals, how they operate and the profound impact these attacks have on victims worldwide. We hope you find the information in this report as enlightening (and fascinating) as we do.

Executive Summary

In a digital landscape where threats constantly evolve and adversaries grow more cunning, understanding the dynamics of ransomware attacks is critical. By shedding light on the tactics, motivations, and consequences of these nefarious operations, this report aims to empower organizations with the knowledge and insights needed to bolster their cybersecurity defenses and mitigate the risk of falling victim to ransomware extortion.

The last year saw a massive increase in ransomware attacks, increasing from 2,700+ businesses in the previous twelve months to almost 4,900 businesses in the last twelve months. This highlights the increased persistence of these groups as well as the incredible effectiveness of their tactics. We saw the rise and fall of specific groups that left voids for newer or up-and-coming syndicates to fill. This year also saw more evidence that affiliates are moving between ransomware groups to maximize their own profits.

Another alarming trend this report surfaces is the prevalence of repeat victims. Our data indicates that 104 companies were victimized by two groups while three companies were targeted by three groups. These repeat attacks come in rapid succession to the first, indicating the ransomware groups are monitoring other attacks so they can strike while a victim is still weak.

Geographic targeting remains a consistent way for ransomware syndicates to profile victims. 47% of reported ransomware victim companies were located in the United States. Other countries with a large number of attacks are the United Kingdom, Canada, Germany and Italy, all countries with prosperous economies, suggesting the attackers are looking to maximize profits.

Industries most hurt by operational disruption topped the list in terms of number of ransomware attacks. Manufacturing leads the pack with professional services and healthcare close behind.

Based on the ransomware groups' most common motivation of maximizing profits, one would assume that larger organizations would bear the brunt of attacks. However, the data does not support this hypothesis. In fact, a significant 31% of ransomware victims in our study are organizations with less than $20 million in annual revenue.

Overall, the data in this report highlights the importance of proactive measures rather than incident response when it comes to managing ransomware risk. Being able to recognize trends in how ransomware groups behave allows us to identify ransomware risk factors and create mitigation plans. Having this type of information and understanding a company's RSI value can mean the difference between business disruption and smooth business operations. For example, Black Kite's Ransomware Susceptibility Index (RSI) can see that the companies with a value above 0.8 on a 0-1 scale are 27 times more likely to experience a ransomware attack than the companies with a value

RANSOMWARE RECKONING: The Surge and Shuffle

We are seeing an unrelenting rise in ransomware attacks in a world where cyber adversaries function like shadow enterprises. The number of victims has doubled, marking an alarming climb from the previous year, from last year's 2,700+ to almost 4,900 businesses caught in the digital crosshairs. This year's storyline sees ransomware as a service (RaaS) operators playing kingmaker, as former allies turn competitors. The stage is set: new actors enter, old ones exit, and the game of digital dominance evolves. It's a relentless pursuit of power where only the adaptable survive. This section peels back the layers of the ransomware rampage, revealing the rise and fall of the infamous, silent takedowns and the new faces of cyber threats. Buckle up, it's a wild ride through the dramatic shifts and data that reshaped the ransomware realm.

From Gradual Increase to Exponential Growth

The narrative of ransomware in the past year has transitioned from moderate increases to exponential growth. Data from early 2023 indicates victim numbers below the two-hundred mark per month. However, subsequent months witnessed a considerable surge, highlighting an expanding threat landscape. For a comprehensive analysis, the chart below includes figures from the first quarter of 2023, ensuring a full view of the year's progression.

[Chart: Number of Ransomware Victims Announced]

Attacks Double Year Over Year

Focusing on the same annual quarters in 2022, 2023, and 2024, there's a remarkable trend: victim counts have nearly doubled each year, with this year's count reaching 4,893, up from 2,708 the previous year. This trend indicates not just an escalation but an acceleration of attacks, signaling an evolving and more aggressive ransomware environment. The data serves as a critical metric of cybersecurity challenges, calling for strategic responses in threat mitigation.

[Chart: Number of Ransomware Gangs that Announced at Least One Victim]

Notable Ransomware Operator Activity

The ransomware landscape in the past year has been dynamic, characterized by significant incidents that have both escalated the threat level and signaled a shift in cybercriminal activities. Here's a closer look at the pivotal moments that stood out:

- Cl0p's aggressive campaigns in March 2023, exploiting GoAnywhere MFT servers, set off a cascade of activity. Cl0p continued to capitalize on vulnerabilities, moving to exploit MOVEit MFT servers in the mid-year.
- Malas, entering the fray in May 2023 and targeting Russian companies, made a short but impactful appearance.
- AlphV, previously second in infamy, suffered an operational shutdown by the FBI in late 2023, an event that saw their online presence dismantled.
- LockBit's foothold wavered following law enforcement interventions in early 2024, leading to an exodus of their affiliates.
- The disruption of AlphV and LockBit has not cooled the ransomware arena but instead ignited a frenzy of activity as groups vie for dominance and attempt to fill the void left behind.

The cybercrime ecosystem is currently in a state of rapid flux. Following significant disruptions to major ransomware operators, we're seeing a competitive scramble as groups vie to recruit top-tier affiliates.

RANSOMWARE GROUP DYNAMICS: The Shifting Power

The past year has witnessed a dramatic shift within the ransomware ecosystem. As key players have been disrupted by law enforcement actions, a power vacuum has emerged, prompting rapid movement within the rankings. The chart below offers a visual narrative of these changes.

[Chart: Changes of Leadership Table in Time; Number of Victims Announced]

Here are the pivotal shifts:

The Rise and Reformation of AlphV and LockBit

AlphV, known for high-profile attacks, suffered an FBI-led shutdown in December 2023. They rebounded temporarily with LockBit's aid but later executed an exit scam. LockBit faced its disruption in February 2024, causing a significant number of their affiliates to defect. The group attempted a comeback but could not reclaim its former dominance.

Shuffling of the Leaderboard

The leaderboard saw newcomers rise as established players fell. Groups like Play made rapid ascents, now ranked #3 overall, topping March 2024's list. Other groups such as Cl0p have maintained consistent yet less aggressive activity, indicating a strategic shift in operations.

The Decline and Silence of Former Players

Notably, Royal and Vice Society, active in early 2023, have since retreated into inactivity. Karakurt and AvosLocker, once prominent names, have ceased victim announcements post-mid-2023, indicating potential operational ceases or strategic reclusions.

Emerging and Ascending Groups

New entrants like Akira, which debuted in March 2023, have quickly climbed to rank #6. 8Base, initially outside the top ten, has now surged to rank #5, suggesting successful recruitment and operations.

Watchlist for New Entrants

Fresh faces such as Cactus, Rhysida, Hunter, and INC Ransom are carving their niches, indicating a diversifying threat landscape. A plethora of small groups, including Trigona, Knight, and RansomHub, have entered the arena, with RansomHub gaining notoriety after announcing Change Healthcare as a victim.

This rapid realignment within the ransomware hierarchy signals not a cooling period but a bustling bidding war for affiliates. The data suggests that the ecosystem is more dynamic than ever, with power balances shifting quickly as groups jockey for position in the post-AlphV and LockBit era.

Table 1: Declining Ransomware Groups

Ransomware Group | Previous Rank | Current Rank | Key Notes
--- | --- | --- | ---
LockBit | #1 | Losing leadership rapidly | Once the clear leader, now dethroned following law enforcement actions and loss of affiliates.
AlphV | #2 | N/A | Operations disrupted by the FBI, exit scam executed, no longer active.
Cl0p | #4 | Maintained | Known for hit-and-run tactics, less active but still consistent.
Malas | N/A | Disappeared | Short-lived, targeted Russian entities, no longer active.
Royal | #5 | #19 | Backed by Conti, ceased activities after the first half of 2023.
Vice Society | #7 | #48 | Focused on European organizations, especially in education, now inactive.
Karakurt | #9 | #34 | Previously linked to Conti and Diavol, stopped announcing victims since Q3 2023.
AvosLocker | #11 | #54 | Warned by FBI for targeting U.S. infrastructure, no victims announced post-Q2 2023.
WereWolves | Entered Top 3 in the month of December | N/A | Emerged late 2023, silent after announcing a single 2024 victim.
Nokoyawa | N/A | Silent | Small group, became inactive since Q3 2023.

Table 2: Rising and Newcomer Ransomware Groups

Ransomware Group | Previous Rank | Current Rank | Key Notes
--- | --- | --- | ---
Play | #10 | #3 | Rapid ascension, potential to lead the ransomware space, most victims in March 2024.
8Base | Not in Top 10 | #5 | Significant activity increase, noteworthy rise in the ranks.
Akira | New Entrant | #6 | Debuted in March 2023, quickly attracting affiliates and climbing ranks.
Medusa | N/A | #10 | Transitioned from MedusaLocker variant to a full-fledged RaaS in 2023.
Cactus | New Entrant | #12 | Part of the 2023 wave of new ransomware groups, making a mark. Attacked Schneider Electric in mid-January.
Rhysida | New Entrant | #13 | Another 2023 debutant showing active operations. Predominantly deployed against the education, healthcare, manufacturing, information technology, and government sectors according to CISA.
Hunters | New Entrant | #14 | Entered the scene in 2023, rapidly rising through the ranks.
INC Ransom | New Entrant | #15 | Newcomer in 2023, part of the diversifying ransomware ecosystem.
RansomHub | New Entrant | Not Ranked | Gained attention with the announcement of Change Healthcare as a victim.

CASE STUDIES: Operational Disruptions in the Ransomware Echelon

The Strategic Dismantling of AlphV

AlphV, once a notorious entity within the cybercrime landscape for targeting heavyweights like MGM Resorts, found its empire compromised by a decisive FBI operation in December 2023. The takedown not only shattered their operational front but also spotlighted the group's vulnerabilities. In a bid for revival, AlphV aligned with LockBit but soon staged an exit scam, leaving their affiliates in disarray and abruptly severing their revenue stream. The aftermath saw AlphV's scattered affiliates seeking refuge with other rising ransomware groups, catalyzing a realignment in the power dynamics of the cybercrime ecosystem. This migration underscored the volatility within these illicit networks and highlighted the impact of law enforcement interventions in disrupting established ransomware operations.

The broad impact of AlphV's operation and subsequent fallout provides an intricate case study of the vulnerabilities within cybercriminal syndicates. It also highlights the effective outcomes of concerted law enforcement initiatives to disrupt cybercrime operations. The detailed account of AlphV's exit scam has been meticulously chronicled by Black Kite's cybersecurity experts, offering an in-depth perspective into the operation's unraveling and the subsequent realignment within the cybercrime underworld. This comprehensive case study serves as a significant entry in the annals of cybercrime and is detailed further in Black Kite's report. AlphV's story is a testament to the transient nature of cybercrime dominion, where today's leaders can swiftly become tomorrow's fallen, reshaping the threat landscape and compelling a dynamic cyber defense posture.

LockBit's Operational Setback and Market Shift

LockBit's reign as a formidable force in ransomware was upended in February 2024 when law enforcement agencies successfully infiltrated and disrupted their operations. Known for their aggressive and widespread attacks, LockBit's infrastructure faced a significant blow that extended beyond the digital realm, leading to the doxxing of affiliate nicknames and a loss of anonymity crucial for their operations. The exposure not only dismantled the trust within the group but also precipitated the disbanding of its affiliate network. The confidence shake-up caused by the exposé led many affiliates to defect to other groups, leaving LockBit in a state of disarray and struggling to maintain its status quo. In a landscape where reputation is currency, LockBit's was deeply devalued.

Attempting to reclaim their influence, LockBit initiated a rebranding effort with the launch of a new dark web presence, posting a list of alleged victims. This move, however, was met with skepticism as claims of victimization included potentially fabricated entries or ex-victims, reflecting a desperate bid to portray dominance where influence had waned.

The detailed story of LockBit's decline from a cyber titan to a compromised entity is thoroughly documented by Black Kite, providing valuable insights into the group's fall and the consequent shifts in the cybercrime market. The full account, shedding light on the strategic implications for cybersecurity defenses, can be found in Black Kite's detailed analysis. LockBit's case underscores the dynamic nature of cyber threats and the effectiveness of collaborative law enforcement efforts. As the ransomware scene continues to evolve, the LockBit narrative serves as a reminder of the continuous need for adaptive security strategies in the digital age.

THE AFFILIATE CHESS GAME: Ransomware's Recruitment Rush

The ransomware ecosystem is undergoing a significant transformation, propelled by the strategic recruitment of affiliates. This shift focuses on how ransomware operators innovate to attract and retain the best cybercriminal talent, especially in the wake of disruptions to groups like AlphV and LockBit.

The Battle for Talent in the Underworld

In the shadowy realm of ransomware, the battle lines are drawn not just around technology and targets but in a high-stakes game of affiliate recruitment.

Ransomware's Recruitment Models

The Standard Cut: Historically, ransomware operators have adhered to a revenue-sharing model, offering affiliates a significant percentage of the ransom payments. This model has been the backbone of ransomware operations, incentivizing affiliates to launch successful attacks. Typically, operators retain a share (often around 20-30%) of the ransom, while the executing affiliate takes the lion's share.

Innovative Incentives: However, the landscape is evolving. Operators now offer more than just a share of the ransom; they're crafting unique propositions to lure top-tier talent. RansomHub, for example, disrupts the traditional model by offering a staggering 90% cut to affiliates, with the added twist of requiring payment upfront. This approach not only attracts affiliates but also ensures their loyalty and commitment to the success of each attack.

The Shift in Affiliate Allegiances

In the aftermath of AlphV and LockBit's operational disruptions, a noticeable migration of affiliates has occurred. Many of AlphV's former affiliates, left adrift by the group's exit scam, have found new homes among rising stars like Play, Akira, and Hunters. Play, in particular, has seen a meteoric rise, bolstered by an influx of experienced affiliates seeking refuge and opportunity. Their ascent highlights a broader trend: the ability to attract and retain skilled affiliates is now a critical determinant of a ransomware operator's success. RansomHub also succeeded in attracting AlphV's affiliates.

The migration of affiliates underscores a dynamic shift within the ransomware ecosystem, where the ability to attract and retain skilled operators can dictate the rise and fall of these digital syndicates. As the landscape continues to evolve, the strategies employed to woo affiliates will undoubtedly become more sophisticated, further intensifying the competition among ransomware operators.

SPOTLIGHT: Change Healthcare Incident

The ransomware attack on Change Healthcare has emerged as a defining moment in the realm of healthcare cybersecurity, drawing comparisons to the "Colonial Pipeline attack" due to its extensive repercussions. Orchestrated by an affiliate of AlphV, a notorious ransomware group known for its sophisticated cyberattacks, this incident has cast a spotlight on the technical concentration risk in vendor ecosystems. Change Healthcare, a cornerstone in the healthcare infrastructure, provides a wide array of administrative, financial, and clinical information exchange services. This makes it a repository of vast amounts of sensitive patient data, financial information, and critical operational data for numerous healthcare providers. This meticulously planned ransomware attack paralyzed Change Healthcare's critical services, echoing through the healthcare system by disrupting data exchange, billing, and clinical operations.

ALPHV'S EXIT SCAM: The Underlying Connection

The Change Healthcare ransomware incident unveils a deeper narrative tied to AlphV's notorious exit scam. Following the breach orchestrated by an AlphV affiliate, the group's unexpected disappearance and theft of ransom payments marked a pivotal moment in ransomware criminal operations. This act not only disrupted the traditional affiliate-core group dynamics but also left affiliates, including those involved in the Change Healthcare attack, in search of new harbors, such as emerging entities like RansomHub. AlphV's actions have rippled through the cybersecurity landscape, underscoring the complex and shifting threats posed by ransomware groups and their cascading impacts on industries and cybersecurity defenses.

RansomHub's Emergence and the Change Healthcare Incident

In the evolving landscape of ransomware threats, RansomHub has quickly gained attention following its announcement that Change Healthcare fell victim to its operations. This declaration came in the wake of significant disruptions within the ransomware community, notably AlphV's exit scam. RansomHub, distinguishing itself with a unique affiliate payment system, allows affiliates to first receive the ransom payment from the victim and then forward the operator's cut, offering an enticing 90% share to its affiliates. This model has attracted former AlphV affiliates among others in the cybercriminal sphere. Notably, the incident with Change Healthcare is solely an extortion attempt based on previously stolen data, with no second deployment of ransomware involved. It is important to note that RansomHub did not provide any evidence (as of April 10, 2024) about their claim of having the data, and the statement is a copy-and-paste from the original announcement made by AlphV.

Black Kite's Proactive Response: Change Healthcare Client FocusTags™

In the aftermath of the Change Healthcare ransomware incident, Black Kite swiftly mobilized to assist its clients through the innovative use of Change Healthcare Client FocusTags. This strategic initiative exemplifies Black Kite's commitment to providing timely, actionable intelligence in response to emergent cybersecurity threats. Black Kite's deployment of Change Healthcare Client FocusTags not only underscores the importance of rapid response capabilities in the face of cyber threats but also highlights the value of tailored, data-driven insights in enhancing organizational resilience against ransomware attacks.

The Alarming Trend of Quick Succession Ransomware Attacks

The landscape of ransomware threats is evolving, as evidenced by a concerning trend: companies are experiencing attacks in quicker succession by different operators. Our data indicates that 104 companies have fallen prey to two different ransomware operators, while a smaller number, three to be exact, have been unfortunate enough to be targeted by three groups. Our analysis reveals that while it's not uncommon for a company to face more than one ransomware attack, the shrinking time gap between such attacks is a relatively new and alarming development.

[Chart: The Difference Between Announcements of the Same Victim by Two Different Groups]

AFFILIATE DYNAMICS: The Ransomware Crossover

The ransomware ecosystem is often depicted as a rigid hierarchy of operators and their foot soldiers. However, the data tells a different story, one of a fluid network where affiliates freely transition between groups, taking their skills where they find the best fit or opportunity.

[Chart: Victims' Transitions between Ransomware Groups]

The graph illustrates affiliates working for multiple groups. For instance, affiliates working with AlphV spread out to various ransomware operations, like tendrils seeking new soil, notably enriching the ranks of up-and-coming groups such as Play and 8Base. We can also witness that LockBit's affiliates also work with BianLian, Snatch, Hunters, Medusa, and so on. The affiliates do not believe in non-compete agreements.

The Affiliate Marketplace

This movement paints the ransomware scene not as a collection of isolated groups but as a thriving marketplace. Here, affiliates are the currency, and their movement among groups like Cactus and others demonstrates a vibrant p that rewards versatility and adaptability.

Why do we see the same company victimized by multiple ransomware groups? There may be multiple reasons for the victimization by multiple ransomware groups:

- Ransomware affiliates may work with multiple RaaS providers, leading to multiple payloads from different groups in a single environment.
- Certain ransomware actors employ false claims to boost their influence, as seen in tactics by Snatch and RansomedVC.
- Collaboration among ransomware actors is common, partly due to the collectivist culture within Russian cybercrime circles, especially after the Ukraine invasion in 2022.
- Access to major ransomware programs like BlackCat is highly exclusive to guard against infiltration by adversaries of Russian state policies.
- LockBit has been known to support other groups like BlackMatter by sharing infrastructure, indicating a tradition of mutual aid among ransomware groups.
- Ransomware groups strategically target businesses with strong cyber insurance, exploiting knowledge of their policies to ensure payout.
- Technological convergence is occurring among ransomware groups, with shared platforms and tools leading to simultaneous exploitation of the same vulnerabilities.
- International sanctions and legal actions against cybercrime influence ransomware tactics, causing groups to rebrand, regroup, and then often launch high-profile attacks to establish their new identity quickly.

OPINION: Dr. Ferhat Dikbiyik, Chief Research and Intelligence Officer

The Rise of Multi-Operator Collaboration

As we observe the ransomware landscape adapt to recent disruptions, particularly the exit scam of AlphV, a curious pattern of multi-affiliate attacks on the same targets within a short timeframe has emerged. In my view, this isn't merely a coincidence or a result of disorganization within the cybercriminal ranks; rather, it appears to be a strategic evolution of ransomware affiliates.

Diversified Risk and Increased Payouts

Post-AlphV, there's a rationale for affiliates to diversify their operations across multiple ransomware groups. I suspect that this move is a hedge against the risk of any single operator's downfall, ensuring they aren't left uncompensated. By spreading their efforts, they're not just guaranteeing a commission but potentially increasing their overall take. This shift towards multi-operator collaboration is underscored by the trend of ransomware groups, both old and new, claiming the same victim. Such patterns are not merely haphazard; they are indicative of a more significant, possibly coordinated, strategic maneuver. These duplicated attacks could serve to maximize gains from entities that are insured and more likely to pay out.

A New Phase of Cybercrime Collaboration

The affiliates' move to work with various groups could mark a new phase of cybercrime, one characterized by greater coordination and shared strategies amongst these threat actors. It's a sophisticated approach that pushes the boundaries of how ransomware groups operate, reflecting a quasi-industrial level of collaboration and competition within this digital underworld. From my standpoint, this growing trend of ransomware groups targeting the same entities is a sophisticated mix of maximizing returns and mitigating risks. Affiliates are possibly taking a page from the business world, diversifying their "investment portfolio" of attacks to assure their payouts in a tumultuous ecosystem where alliances and power centers are rapidly changing. The strategy of affiliates working with multiple ransomware groups is a significant development that could redefine the modus operandi within the ransomware community. As we watch this trend evolve, it's crucial for businesses to adapt their cybersecurity defenses, understanding that ransomware threats are becoming more complex and collaborative.

THE GLOBAL RANSOMWARE MARKETPLACE: Victim Profiling and Strategic Targeting

In aligning with our overall theme of the business of ransomware, we delve into the data-driven world of cybercriminal targeting. This analysis unpacks the strategic selection of victims by geography, industry, and revenue and illuminates the business-minded tactics at play behind the digital threats.

Geographic Landscape of Ransomware Victims

The geographical spread of ransomware victims tells a story of global impact, with certain regions bearing a heavier brunt. The United States sits at the epicenter, accounting for 47% of reported ransomware victims, indicative of the cybercriminals' focus on lucrative targets within a nation deeply intertwined with global business networks.

[Map: Number of Ransomware Victims: April 1, 2023 to March 31, 2024, shaded by number of victims per country]

Concentration in Economic Powerhouses

An analysis of the victim distribution reveals a pattern aligning with economic prominence. Following the United States, the United Kingdom, Canada, Germany, and Italy round out the top five nations affected. This concentration in economically developed nations mirrors the cybercriminals' strategic targeting of entities within prosperous economies, where the potential returns from ransom demands are higher. The geographical analysis paints a clear picture: ransomware is a significant threat unconfined by borders, with its sights set squarely on countries that are keystones of the global economy.

Calculated Industry Strikes

Ransomware trends indicate an ominous shift: top sectors under siege are facing more pronounced attacks. Manufacturing, leading with 1,016 victims, notched up its share in total onslaughts, indicating the targeting of industries foundational to national economies. The Professional, Technical, and Scientific Services sector, with 885 victims, echoes this trend, revealing that ransomware groups are zeroing in on knowledge-driven domains.

[Chart: Percent Change Compared to Previous Year]

Industry | Rank | Change from previous year
--- | --- | ---
Manufacturing | 1 | 
Professional, Scientific, and Technical Services | 2 | 
Health Care and Social Assistance | 3 | +2
Finance and Insurance | 4 | +3
Educational Services | 5 | -2
Information | 6 | +4
Construction | 7 | +2
Retail Trade | 8 | -4
Transportation and Warehousing | 9 | +2
Administrative and Support and Waste Management and Remediation Services | 10 | +2
Wholesale Trade | 11 | -5
Public Administration | 12 | -3
Real Estate Rental and Leasing | 13 | 
Accommodation and Food Services | 14 | 
Arts, Entertainment, and Recreation | 15 | +2
Utilities | 16 | -1
Mining | 17 | -1
Management of Companies and Enterprises | 18 | +1
Agriculture, Forestry, Fishing and Hunting | 19 | -1

Healthcare and Finance, highly regulated and data-intensive industries, have climbed up the ranks to third and fourth with 273 and 266 victims respectively. This move is telling; major ransomware groups are strategizing, likely using intelligence tools to assess the lucrative nature of potential targets. The stakes are higher, the play more sophisticated, and the payoffs potentially larger in these data-rich pools. The flip side? Not all attackers play this sophisticated game. Some, possibly less informed affiliates, hit softer targets like schools and nonprofits, entities less likely to yield financial rewards.
Yet, the overall trend suggests a deliberate pivot by the top players: They're refining their aim, investing time to understand the value of their victims, signaling a deepening of cybercrime business acumen. As we interpret these numbers, the narrative is clear: The gravity of attacks is intensifying where the data is dense and the regulations are tight. It's a telling sign that ransomware is not a random act of digital violence but a calculated business maneuver, with its crosshairs steadily trained on the most vital cogs of the industry wheel.

Note that we use North American Industry Classification System (NAICS) codes for industries. The industries shown here are high-level (2-digit NAICS code) classifications. In the next section, we provide a lower-level (4-digit NAICS code) industry classification breakdown.

MANUFACTURING SECTOR: A Ransomware Hotspot

The manufacturing sector's rapid digital transformation post-COVID-19 has inadvertently turned it into a prime target for ransomware attacks. Cybersecurity defenses, often robust against operational technology (OT) threats, have not kept pace with the sector's expanded digital footprint, leaving a chink in the armor for cybercriminals to exploit. The industry, which leads with over a thousand ransomware victims, faces unique challenges due to the operational disruption that halts production lines, causing significant financial and reputational damage.

The pressure exerted by halting a manufacturing line is not lost on ransomware groups. They recognize the cascading effect of disrupting supply chains, as elucidated in our 2024 Third-Party Breach Report, which ranks ransomware as the second leading cause of third-party data breaches.

Delving into the manufacturing sub-sectors, the spread of ransomware is indiscriminate. Industrial Machinery Manufacturing tops the list with 76 victims, followed by Motor Vehicle Parts Manufacturing at 58, and Pharmaceutical and Medicine Manufacturing at 50. Electrical Equipment and Aerospace Product and Parts Manufacturing are not far behind, with 38 and 37 victims respectively, highlighting the cybercriminals' calculated approach to inflict maximum disruption across various facets of the industry.

[Figure: Manufacturing (NAICS Code 31-33), share of victims by sub-sector: Industrial Machinery Manufacturing, Motor Vehicle Parts Manufacturing, Pharmaceutical and Medicine Manufacturing, Electrical Equipment Manufacturing, Aerospace Product and Parts Manufacturing, Others]

This assault on manufacturing is a clarion call for the sector to fortify its cyber defenses, aligning its security posture with the evolving threat landscape to mitigate the risk of becoming the next ransomware statistic.

Targeting Knowledge: The Vulnerability of Professional Services

The Professional, Scientific, and Technical Services sector stands as the second-most targeted industry, maintaining this dubious honor over the past three years with nearly 900 victimized entities. This sector spans a diverse range of expertise, yet certain subindustries have been hit harder than others. 23% of the incidents have been recorded against legal services alone, which isn't surprising given the sensitive nature of the data they handle. Law firms are attractive targets for ransomware due to the high-value information they possess, which, if compromised, can have far-reaching consequences.

Following close behind, the Computer Systems Design and Related Services subindustry has seen about 20% of the victims. These are the very entities that weave the digital fabric of our businesses and infrastructures, making them critical nodes in the supply chain. Cybercriminals are astutely aware of the domino effect that can be triggered by compromising these firms, indicating a strategic, calculated approach to their attacks. As ransomware groups continue to refine their methods, it becomes increasingly clear that no sector is immune, and the custodians of our digital infrastructure must remain ever-vigilant.

[Figure: Professional, Scientific, and Technical Services (NAICS Code 54), share of victims by sub-sector: Legal Services; Computer Systems Design and Related Services; Architectural, Engineering, and Related Services; Management, Scientific, and Technical Consulting Services; Accounting, Tax Preparation, Bookkeeping, and Payroll Services; Advertising, Public Relations, and Related Services; Scientific Research and Development Services; Other Professional, Scientific, and Technical Services]

Healthcare Under Siege: The Escalating Ransomware Threat

The health sector's battle with ransomware is intensifying. While hospitals are frequently spotlighted as prime targets, the scope of vulnerability extends far beyond their walls. In fact, 0.6% more healthcare entities were affected this year than last, with doctors' offices and small clinics comprising a significant portion of the victims. These smaller practices, often lacking the robust cybersecurity defenses of larger hospitals, present a soft target for ransomware groups. The impact of such attacks is profound: Healthcare services are disrupted, and the theft of sensitive patient health information (PHI) provides cybercriminals with considerable leverage. The ability to apply pressure on healthcare providers to meet ransom demands is compounded by the critical nature of the services they render. This vulnerability is not just a breach of data; it's a direct threat to patient welfare and a stress test for the resilience of healthcare infrastructures against the rising tide of cybercrime.

[Figure: Health Care and Social Assistance (NAICS Code 62), share of victims by sub-sector: General Medical and Surgical Hospitals, Offices of Physicians, Others]

Finance and Insurance on the Ransomware Frontline

Within the financial battlegrounds, insurance carriers and commercial banks endure the brunt of ransomware attacks, comprising 20% and 18% respectively of the sector's breaches. Such institutions represent a tantalizing jackpot for cybercriminals due to the significant capital and sensitive data they harbor. The consequential 0.7% increase in attacks within the finance and insurance sector compared to the previous year echoes a persistent cyber risk narrative: Monetary gain and data-rich targets yield a high return for threat actors. In the shadows of cyber threats, every percentage point reflects a multitude of disruptions, potentially spiraling into economic repercussions. Insurance carriers, with their expansive data pools and pivotal role in risk mitigation, present a problem when they fall victim to ransomware. Similarly, banks and credit unions serve as the lifeblood of cash flow; a cyber-attack impeding their operations sends ripples across the financial ecosystem. Ransomware groups, with their finger on the pulse of economic vulnerabilities, have recalibrated their crosshairs, aiming with precision to exert maximum pressure where resilience seems the most robust yet vital.

[Figure: Finance & Insurance (NAICS Code 52), share of victims by sub-sector: Insurance Carriers, Commercial Banks & Credit Unions, Others]

Ransomware's Educational Imprint: Disruptions in Academia

In the educational arena, higher education institutions form the nucleus of ransomware attacks, reflecting close to a third of all incidents within the sector. This trend not only spotlights the value of intellectual property and research data prevalent in universities but also underscores the vulnerability of their expansive networks. Cybercriminals, cognizant of the disruption potential, exploit these targets, fully aware of the institutions' propensity to settle swiftly to safeguard their reputations and maintain operational continuity. The narrative diverges when scrutinizing K-12 schools. While they account for a substantial 26% of educational breaches, their limited financial resources often translate to negligible ransom payouts. This economic reality shapes the tactical approach of seasoned ransomware operators, prompting a strategic pivot towards more lucrative educational echelons. Recent quarters illustrate this shift, with K-12 victim announcements halving from an average of 32 to a mere 15, a strategic retreat possibly indicating a newfound ransomware targeting ethos focused on return on investment.
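The sector ranking with its year-over-year movement and the per-sector sub-industry charts above are both roll-ups of a victim list tagged with NAICS codes. The Python below, an added example rather than the report's or Black Kite's own tooling, shows that roll-up end to end: it maps each record to its 2-digit sector, ranks sectors against the previous year, and computes 4-digit sub-sector shares with an "Others" bucket. The victim records are constructed sample data, and the NAICS codes assumed for the sub-sector titles the report names are listed in SUBSECTORS.

```python
"""Roll ransomware victim records up by NAICS sector (2-digit) and sub-sector (4-digit).

Added example, not the report's own tooling. The victim records are constructed
sample data, and the NAICS codes assumed for the sub-sector titles the report
names are listed in SUBSECTORS.
"""
from collections import Counter

# 2-digit NAICS prefixes to sector titles. Manufacturing spans prefixes 31-33,
# so all three map to one sector (the report labels it "NAICS Code: 31-33").
SECTORS = {
    "31": "Manufacturing", "32": "Manufacturing", "33": "Manufacturing",
    "52": "Finance and Insurance",
    "54": "Professional, Scientific, and Technical Services",
    "61": "Educational Services",
    "62": "Health Care and Social Assistance",
}

# 4-digit NAICS codes assumed for the sub-sector titles used in the report.
SUBSECTORS = {
    "3332": "Industrial Machinery Manufacturing",
    "3363": "Motor Vehicle Parts Manufacturing",
    "3254": "Pharmaceutical and Medicine Manufacturing",
    "3353": "Electrical Equipment Manufacturing",
    "3364": "Aerospace Product and Parts Manufacturing",
    "5411": "Legal Services",
    "5415": "Computer Systems Design and Related Services",
    "6221": "General Medical and Surgical Hospitals",
    "6211": "Offices of Physicians",
    "5241": "Insurance Carriers",
    "6113": "Colleges, Universities, and Professional Schools",
    "6111": "Elementary and Secondary Schools",
}


def expand(counts):
    """Turn {naics: n} into n one-record dicts; stands in for a real victim list."""
    return [{"naics": code} for code, n in counts.items() for _ in range(n)]


# Constructed victim lists for the current and the previous reporting year.
THIS_YEAR = expand({"3332": 4, "3363": 3, "3254": 2, "3353": 2, "3364": 1,
                    "5411": 3, "5415": 2, "6221": 2, "6211": 1, "5241": 2, "6113": 1})
LAST_YEAR = expand({"3332": 6, "5411": 4, "6113": 2, "6111": 1, "6221": 2, "5241": 1})


def sector_of(naics):
    """Map a full NAICS code to its 2-digit sector title."""
    return SECTORS.get(naics[:2], "Other")


def count_by(records, key_fn):
    """Victim count per key derived from each record's NAICS code."""
    return Counter(key_fn(r["naics"]) for r in records)


def rank(counts):
    """{key: rank}, rank 1 for the largest count; ties broken by name so output is stable."""
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return {key: i + 1 for i, (key, _) in enumerate(ordered)}


def rank_table(current, previous):
    """Rows of (rank, sector, victims, change). change = previous rank - current rank,
    so +2 means the sector climbed two places, as in the report's table; None when
    the sector had no victims last year."""
    cur, prev = rank(current), rank(previous)
    return [(r, key, current[key], (prev[key] - r) if key in prev else None)
            for key, r in sorted(cur.items(), key=lambda kv: kv[1])]


def industry_rank_table():
    """The 2-digit sector ranking with year-over-year movement for the sample data."""
    return rank_table(count_by(THIS_YEAR, sector_of), count_by(LAST_YEAR, sector_of))


def subsector_shares(records, prefixes, top_n=3):
    """Share of one sector's victims per 4-digit sub-sector; codes past top_n are
    collapsed into 'Others', mirroring the report's sub-sector charts."""
    in_sector = [r for r in records if r["naics"][:2] in prefixes]
    if not in_sector:
        return []
    total = len(in_sector)
    ordered = sorted(count_by(in_sector, lambda c: c[:4]).items(),
                     key=lambda kv: (-kv[1], kv[0]))
    rows = [(SUBSECTORS.get(code, code), n, round(100 * n / total, 1))
            for code, n in ordered[:top_n]]
    others = sum(n for _, n in ordered[top_n:])
    if others:
        rows.append(("Others", others, round(100 * others / total, 1)))
    return rows


if __name__ == "__main__":
    for r, sector, n, change in industry_rank_table():
        movement = "new" if change is None else f"{change:+d}"
        print(f"{r:>2}  {sector:<50} {n:>4}  {movement}")
    for title, n, pct in subsector_shares(THIS_YEAR, {"31", "32", "33"}):
        print(f"{title:<45} {n:>3}  {pct:>5.1f}%")
```

On the sample data Health Care and Finance move up one place each and Educational Services drops two, which is the kind of movement the report's "+2 / -5" column records; the sub-sector view needs the full 4-digit code on every record, which is the reason the report calls out that its headline table is 2-digit only.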
[Figure: Educational Services (NAICS Code 61), share of victims by sub-sector: Higher Education, K-12, Other Educational Services]

EVALUATING THE BOUNTY: Ransomware Targets by Financial Footprint

Ransomware attackers are not just easy-target opportunists; they are methodical, sizing up their victims by their annual earnings. This section deciphers how attackers tailor their strategies based on the financial profiles of their targets. It's a high-stakes game where company revenues are weighed against the potential ransom payoff. Here, we dissect the correlation between a company's revenue and its attractiveness to cyber criminals, shining a light on the financial tiers most frequented by ransomware campaigns.

Assessing Ransomware Targets: A Revenue Perspective

In the ransomware economy, victim companies' annual revenues paint a target on their back, but not always the ones you might expect. We delve into the surprising sweet spots for ransomware attackers, based on our analysis of 3,870 victims identified via open-source intelligence.

Ransomware attackers are casting their nets far and wide, yet their choice of targets often defies expectations. A significant 31% of ransomware victims, within our scope of revenue-identified entities, are organizations with less than $20 million in annual revenue. This statistic challenges the narrative that only the richest are at risk, illuminating the vulnerability of small to medium-sized enterprises (SMEs) in the face of cyber extortion. Conversely, at the upper echelon, only 8.5% of victims boast annual revenues exceeding the $1 billion threshold. This data point underscores a tactical preference within the ransomware community: targeting the more modestly sized companies that have enough liquidity to meet ransom demands but aren't prominent enough to consistently trigger aggressive law enforcement pursuit. This nuanced approach to victim selection reveals a calculated balancing act by ransomware operators, aiming to maximize payouts while minimizing risk and exposure.

[Figure: Annual Revenue Distribution of Ransomware Victims]

Revenue Brackets and Industry Vulnerabilities

At the heart of ransomware target selection, annual revenue brackets offer a glimpse into the operational mindset of these digital marauders. We picked three brackets: $5M-$10M to represent small-to-medium size companies, $100M-$300M for medium-sized companies, and over one billion dollars for large companies. These brackets have enough victims to analyze the industry selection.

Small-to-Medium Size: $5M-$10M

For entities with revenues between $5M and $10M, the Professional, Scientific, and Technical Services sector endures the brunt of the onslaught, with legal services encountering heightened targeting due to the sensitive data they harbor. Manufacturing mirrors this sector's victim count, showcasing an expansive subindustry risk profile, while the construction sector holds a notable 7.4% victim share.

Medium Size: $100M-$300M

Climbing the revenue ladder to the $100M to $300M bracket, Manufacturing secures the top spot with 23.6% of attacks, spanning a broad industrial gamut. IT services emerge as prime prey within the Professional, Scientific, and Technical Services arena, accounting for a significant victim percentage. Not far behind, the Finance and Insurance sector represents 7% of the targets, with ransomware groups exploiting the substantial financial assets and regulatory pressures at play.

Large/Enterprise Companies: $1B+

In the grander scale of companies exceeding $1 billion in annual revenue, the Manufacturing sector continues to reign as the primary quarry, drawing nearly 30% of ransomware incidents. Finance and Insurance trail this sector's prominence in the ransomware economy at 9.8%, and Professional, Scientific, and Technical Services at 9.1%. Remarkably, three-quarters of the victims in this elite revenue range fall between the $1 billion and $10 billion mark.

[Figure: industry breakdown per revenue bracket; legend: Information, Manufacturing, Professional, Scientific, and Technical Services, Finance and Insurance, Construction, Educational Services]

Financial Focal Points of Ransomware Syndicates

In the cyber threat landscape, ransomware groups vary widely in their operational vigor and the financial echelons they target. A granular look at the ransomware groups and the combined annual revenue of their victims reveals the depth and range of their reach into the corporate world's coffers.

[Figure: number of victims and combined annual revenue of victims ($1B to $1T scale) per ransomware group: Clop, AlphaVM Black Cat, Play, 8Base, Black Basta, Akira, BianLian, Medusa, Qilin, Snatch, Rhysida, Black Suit, Monti, INC Ransom, Cactus, Noescape, Hunters, Cloak, RansomHouse, RA Group, Trigona, Stormous, Black Byte, Three AM, Mallox, Fargo, Everest, Dunghill Leak, Dark Angels, LockBit 3.0]

OPINION: Dr. Ferhat Dikbiyik, Chief Research and Intelligence Officer

Crafting a Corporate Veil: The Dichotomy of Ransomware PR

In the dark web's underbelly, ransomware groups like LockBit are not mere hackers; they're becoming corporate-like entities, paradoxically striving for ethical optics in an unethical landscape. Their public relations maneuvers (issuing formal apologies, crafting rules against hospital attacks, and even providing decryptors for breaches against their policies) paint a picture of cybercriminals with a conscience. But what lies beneath is a calculated move to preserve a facade of professionalism and mitigate backlash, all while enabling their affiliates' predatory activities.

Ransomware groups, notably LockBit, are acutely aware of their image. They market their incursions as post-paid pen testing services and demonstrate a level of organization and rules reminiscent of corporate entities. When LockBit affiliates violate these rules, as in the cases of healthcare institutions in Germany and Canada, the group swiftly swings into damage control mode, offering decryption keys and apologies. This isn't altruism; it's image management. It's LockBit curating their brand in the digital underworld, walking a tightrope between appeasing law enforcement's gaze and maintaining affiliate loyalty.

The reality, however, is less polished than the PR spin. For each unauthorized hospital hack, for every statement distancing themselves from their affiliates' actions, the stark truth remains: LockBit's operations cause real harm. These moves are mere band-aids on the systemic issue of cyberattacks that disrupt critical services and endanger sensitive data. We see a group caught between maintaining control over unruly affiliates and a constructed identity of reformed cyber outlaws. It's a precarious balance, a performance where each misstep could spell a PR disaster, revealing the true chaos behind their carefully curated veneer.

As we analyze these cybercriminals' public statements and internal communications, it's clear they have adopted a twisted corporate speak, a dark mirror to the legitimate businesses they prey upon. These actions highlight a sophisticated understanding of perception management in the digital age, and they're setting a concerning precedent. With ransomware groups acting as pseudo-corporate entities, complete with customer service and PR spin, the cybercrime ecosystem is evolving into a more complex and nuanced domain. It is crucial for us to discern the genuine from the facade and the remorse from the strategic posturing as we navigate this new terrain of cyber threats.
CASE STUDY: A Look at Ransomware's Impact on US Essential Industries

In the realm of cyber threats, essential industries are the lifelines that keep society functioning. This section provides an analysis of how ransomware has permeated the vital sectors that underpin our day-to-day lives. By aligning victim profiles with the Critical Infrastructure Sectors as defined by CISA, we gain insight into the cyber vulnerabilities of our most crucial services.

Methodology: To map the ransomware threat across U.S. industries, we've aligned victim company data with the Essential Critical Infrastructure Workforce Guidance from CISA, using NAICS codes to categorize companies into essential industry sectors. The Essential Industries designated by CISA in the guidance encapsulate the critical infrastructure sectors. This methodology allows us to pinpoint and understand the ransomware risk landscape within these vital areas of our national fabric.

The infiltration of ransomware into America's essential industries is a pressing concern, with recent trends highlighting a shift towards sectors that form the backbone of daily life and national stability. This analysis examines the prevalence of ransomware across these critical sectors, revealing which are most at risk and underscoring the need for fortified defenses.

[Figure: share of US ransomware victims by CISA essential industry sector]

Other Government-based Functions        13.78%
Healthcare/Public Health                13.29%
Residential, Real Estate, etc.          11.96%
Critical Manufacturing                  11.61%
Financial Services                       9.89%
Education                                8.22%
Transportation & Logistics               7.48%
Commercial Facilities                    6.4%
Food & Agriculture                       5.22%
Energy                                   4.77%
Communications & Info Tech               4.43%
Public Works and Infrastructure          1.92%
Chemical                                 0.44%
Water & Waste                            0.25%
Hygiene Products & Services              0.05%
Law Enforcement & First Responders       0.03%

Drawing from a pool of 2,293 victims in the US, a staggering 88% are entities within essential critical infrastructure industries. Among the identified sectors, Healthcare/Public Health stands out, accounting for 13.29% of the affected entities. The sector's pivotal role in community well-being makes it a significant target, with attackers likely aiming to exploit the urgent need for functional health services. Critical Manufacturing, making up 11.61%, is also a prime target, reflecting the potential for massive operational disruptions that can extend far beyond the initial breach. Residential/Shelter Facilities, Housing and Real Estate, and Related Services collectively bear 11.96% of ransomware incidents, a testament to the attractive disruption potential perceived by cyber adversaries within the places we live and work.

[Figure: Ratio Over Total Critical Infrastructure Victims, trend over the past half year]

The data reveals an unsettling trend over the past half year, pointing to a rise in ransomware incidents within specific sectors. The Food and Agriculture sector, embodying the sustenance of the nation, has seen a marked increase in attacks, reflecting cybercriminals' awareness of the disruptive power they wield. Financial Services, the bloodstream of the economy, continues to face persistent threats, indicating an ongoing risk to economic stability. Meanwhile, Transportation and Logistics, Critical Manufacturing, and Residential/Shelter Facilities, including Housing and Real Estate, emerge as rising areas of concern. These sectors, essential for the nation's continuity and recovery in a crisis, are attracting more ransomware activity, a trend that merits close observation and swift protective action.

RETHINKING RANSOMWARE: From Reaction to Prevention

The narrative surrounding ransomware often centers on response strategies like data backups, insurance policies, and post-breach protocols. Yet, there's a pivotal shift towards proactive defense. Staying off the ransomware radar isn't just wishful thinking; it's a strategic imperative. Identifying and diminishing the factors that attract ransomware attackers can shift the odds in our favor. This section delves into the transformative approach of anticipating and undermining ransomware tactics, techniques, and procedures (TTPs) before they strike. Understanding the early indicators present in pre-attack victims, coupled with the innovative Ransomware Susceptibility Index, we equip ourselves not just to withstand, but to evade the ransomware storm.

Profiling Cyber Predator Behavior

A new hierarchy of attack vectors has emerged within the ransomware arena, pivoting towards the exploitation of vulnerabilities. The landscape of cyber threats has seen a surge in zero-day exploits, with threat actors keen on discovering the Achilles' heel of systems before defenders can react. In the past year alone, a staggering tally of vulnerabilities, nearly two hundred, were recognized in CISA's KEV Catalog, a testament to the evolving threat landscape.

[Figure: Number of Vulnerabilities added to CISA's KEV, April 1, 2023 to March 31, 2024]

Notably, groups like Cl0p have been exploiting the vulnerabilities in GoAnywhere and MOVEit en masse, while others, such as LockBit, take advantage of weaknesses like CitrixBleed. Other frequent targets include vulnerabilities in Ivanti ICS, ScreenConnect, and Microsoft Exchange.

Credential stuffing is also a hot strategy. Hackers buy or find lists of usernames and passwords, trying them on different systems to get in. They might buy these from Initial Access Brokers, the middlemen of the cybercrime world, who dig up and sell these digital break-in tools from Stealer Logs.

Phishing and social engineering tactics, although not as dominant as before, remain a threat. The MGM Resort incident serves as a stark reminder that a well-executed impersonation can still lead to significant breaches. Open RDP/SMB ports are also highly utilized by the ransomware actors.

Recognizing Ransomware Risk Factors

Within the digital landscape, certain indicators elevate the risk of attracting ransomware hunters. Our analysis pinpoints these red flags that could potentially place an organization in the crosshairs.

Exploitable Vulnerabilities: Almost half of the victims had a critical vulnerability that was discoverable using OSINT techniques.
Leaked Credentials: 3,064 victims had at least one credential leaked in the last 90 days prior to the attack. We also observed critical information exposed in Stealer Logs for 907 victims.
Misconfiguration on MX Servers: More than 75% of the victims had a misconfiguration such as missing SPF or DMARC records before the ransomware attack was executed.
Open Access Points: RDP/SMB ports were left unprotected in 2,299 cases.

[Figure: Ransomware Indicators of Ransomware Victims prior to Attacks]

The data showcases the prevalence of each indicator among past victims. It's crucial to note that while misconfiguration is the most observed issue, it doesn't necessarily serve as the primary entry point for attacks.
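The "misconfiguration on MX servers" indicator above is the one an organization can check for itself from public DNS, and the closing caveat (most observed is not the same as most predictive) is worth making concrete. The Python below is an added example, not Black Kite's RSI code or the report's tooling: it evaluates published SPF and DMARC TXT records for missing records, a permissive `+all`/`?all` terminator and a monitor-only `p=none` policy, then sets the indicator's prevalence among victims against its prevalence among non-victims and derives the relative risk, which is the same victim-rate comparison the report's RSI section makes by score bucket. All domains, records and victim labels are constructed sample data.

```python
"""Evaluate the 'misconfiguration on MX servers' indicator (missing or weak SPF and
DMARC records) and compare its prevalence between victims and non-victims.

Added example, not Black Kite's RSI code. All domains, TXT records and victim
labels below are constructed sample data so the script runs offline; a real
check would fetch the TXT records of <domain> and _dmarc.<domain> from DNS.
"""
import re

# Constructed TXT records per domain; None means no such record is published.
SAMPLE_DNS = {
    "victim-a.example": {"spf": "v=spf1 include:_spf.example.net -all", "dmarc": None},
    "victim-b.example": {"spf": "v=spf1 +all",
                         "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@victim-b.example"},
    "victim-c.example": {"spf": None, "dmarc": None},
    "victim-d.example": {"spf": "v=spf1 ip4:192.0.2.0/24 -all", "dmarc": "v=DMARC1; p=reject"},
    "clean-a.example": {"spf": "v=spf1 mx -all", "dmarc": "v=DMARC1; p=quarantine; pct=100"},
    "clean-b.example": {"spf": "v=spf1 include:_spf.example.net ~all", "dmarc": "v=DMARC1; p=reject"},
    "clean-c.example": {"spf": "v=spf1 -all", "dmarc": None},
    "clean-d.example": {"spf": "v=spf1 a mx ~all", "dmarc": "v=DMARC1; p=quarantine"},
}
# Constructed labels: which sample domains later appeared on a leak site.
VICTIMS = {"victim-a.example", "victim-b.example", "victim-c.example", "victim-d.example"}


def parse_dmarc(txt):
    """Split a DMARC record into its tag=value pairs; {} if it is not a DMARC record."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def email_findings(rec):
    """List the weaknesses in a domain's published SPF/DMARC records (empty = OK).
    Only the records themselves are inspected: include: and redirect= targets are
    not followed, so a record ending in a redirect= modifier is reported as having
    no terminal 'all' mechanism."""
    findings = []
    spf, dmarc = rec.get("spf"), rec.get("dmarc")
    if not spf or not spf.lower().startswith("v=spf1"):
        findings.append("no SPF record")
    else:
        match = re.fullmatch(r"([+\-~?]?)all", spf.split()[-1].lower())
        qualifier = match.group(1) if match else None
        if qualifier is None:
            findings.append("SPF has no terminal 'all' mechanism")
        elif qualifier in ("", "+"):
            findings.append("SPF ends in +all (any sender passes)")
        elif qualifier == "?":
            findings.append("SPF ends in ?all (neutral, no protection)")
    tags = parse_dmarc(dmarc)
    if not tags:
        findings.append("no DMARC record")
    elif tags.get("p", "none").lower() == "none":  # p is mandatory; a missing p is treated as none
        findings.append("DMARC policy p=none (monitor only)")
    return findings


def indicator_present(domain, dns=SAMPLE_DNS):
    """True when the domain carries the misconfiguration indicator."""
    return bool(email_findings(dns[domain]))


def compare_indicator(domains, victims, has_indicator):
    """Prevalence of an indicator among victims and among non-victims, plus the
    relative risk (victim rate with the indicator / victim rate without it).
    Prevalence among victims alone, like the report's 'more than 75%', says
    nothing about predictive value until it is set against the non-victim base rate."""
    domains, victims = list(domains), set(victims)
    flagged = {d for d in domains if has_indicator(d)}

    def share(group, member):
        return sum(1 for d in group if member(d)) / len(group) if group else 0.0

    rate_with = share([d for d in domains if d in flagged], lambda d: d in victims)
    rate_without = share([d for d in domains if d not in flagged], lambda d: d in victims)
    return {
        "prevalence_victims": share([d for d in domains if d in victims], lambda d: d in flagged),
        "prevalence_non_victims": share([d for d in domains if d not in victims], lambda d: d in flagged),
        "victim_rate_with": rate_with,
        "victim_rate_without": rate_without,
        "relative_risk": rate_with / rate_without if rate_without else float("inf"),
    }


def indicator_summary():
    """Run the comparison over the constructed sample."""
    return compare_indicator(SAMPLE_DNS, VICTIMS, indicator_present)


if __name__ == "__main__":
    for domain, rec in SAMPLE_DNS.items():
        print(f"{domain:<18} {email_findings(rec) or 'OK'}")
    for name, value in indicator_summary().items():
        print(f"{name:<24} {value:.2f}")
```

On the sample the indicator is present in 75% of victims, which looks decisive until the 25% of non-victims that carry it is counted too; the resulting relative risk of 3.0 is the number that actually says how much the indicator raises the odds. A production check would additionally resolve `include:` and `redirect=` targets and enforce SPF's ten-lookup limit, and would treat `pct` values below 100 and `sp=` sub-domain policies as further weakenings.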
189、LING41Ransomware doesnt strike at random;our analyses reveal distinct patterns in target selection.Its the convergence of technical vulnerabilities with strategic factorsindustry,location,revenuethat casts some in the harsh spotlight of cybercriminal attention.For instance,a manufacturing company in
190、 the US is more likely to experience a ransomware attack than an agriculture entity in another country.Yet its not just about what you make or where youre located;its also about the fiscal signals you send.Entities with substantive annual revenues invariably find themselves ensnared in the crosshair
191、s more frequently than their modest counterparts.Our comprehensive reports delineate these patterns,providing clarity amidst the complexity of cyber threats.This segment underscores the criticality of situational awareness in cybersecurity.By synthesizing the technical with the tangiblelike sector,l
192、ocation,and revenueorganizations can preemptively adjust their defense postures.Well explore how these insights fuel the Ransomware Susceptibility Index(RSI),marrying data with strategy to steer clear of ransomware radars.STATE OF RANSOMWARE 2024:A YEAR OF SURGES AND SHUFFLING42Understanding Ransomw
193、are SusceptibilityIn the landscape of cyber threats,being on the radar of ransomware groups is akin to swimming in shark-infested waters;the longer youre there,the higher the chances of an attack.The Ransomware Susceptibility Index(RSI)serves as a beacon,guiding organizations away from these dangero
194、us waters.The RSI,a measure refined through comprehensive data analysis,quantifies the likelihood of becoming a target.In this index,a metric between 0.0 and 1.0,considers both technical indicators,such as software vulnerabilities and leaked credentials,and contextual details,such as industry type,c
195、ompany size,and geographical location.Black Kites Ransomware Susceptibility Index(RSI)stands as a cutting-edge tool,finely tuned to gauge the probability of organizations facing ransomware attacks.This tool is meticulously updated to mirror the latest state of cyber threats by integrating a vast arr
196、ay of ransomware incident data from a comprehensive database.The updated RSI leverages data analysis,pooled cybersecurity knowledge,and key factors such as the companys location,industry,and annual revenue,aligning them with the common attack vectors of ransomware to predict the risk more accurately
197、.When we analyze the RSI values of the victims right before the ransomware attack,we observe that most of them have an RSI value between 0.4 and 0.6 while the range of 0.8-1.0 has the least number of victims.To truly see the power of RSI,we need to compare the companies in the same ranges that were
198、not victimized by ransomware groups.For that purpose,we have added more than 120,000 non-victim companies to the analysis.Among the companies whose RSI value is between 0.8 and 1.0,46%experienced a ransomware attack.The ratio drops to 10%for the RSI values between 0.6 and 0.8,and 6%for the values be
199、tween 0.4 and 0.6.These figures show that the higher the RSI value is,the more likely to experience a ransomware attack.RSI Distrubution for Ransome Victims and Non-VictumsRansomware Susceptibilitydatabase.The updated RSI leverages data analysis,pooled cybersecurity knowledge,and key factors such as
200、 the companys location,industry,and annual revenue,aligning them with the common attack vectors of Victims are shown in solid colors,while the non-victims are shown in transparent colors.STATE OF RANSOMWARE 2024:A YEAR OF SURGES AND SHUFFLING43When we did an analysis of the number from a comparative
201、 perspective,we can see that the companies with an RSI value above 0.8 are 27 times more likely to experience a ransomware attack than the companies with an RSI value below 0.2.The ratio becomes 5.8 times for the companies with an RSI value between 0.6 and 0.8,and it is 3.4 times for the RSI values
202、between 0.4 and 0.6.more likely to experience ransomware attacks than the companies with an RSI value below 0.2.STATE OF RANSOMWARE 2024:A YEAR OF SURGES AND SHUFFLING44How RSI Helps to Mitigate Ransomware RiskUnderstanding how to use a companys RSI value can mean the difference between business dis
203、ruption and smooth business operations.The Black Kite Ransomware Susceptibility Index indicates the likelihood of a ransomware attack on your organization or on an organization in your supply chain.RSI follows a process of inspecting,transforming,and modeling collected from a variety of OSINT source
204、s(internet wide scanners,hacker forums,the deep/dark web and more).Using the data and machine learning,the correlation between control items is identified to provide approximations.With this tool you can understand which vendors are most prone to ransomware and create a mitigation strategy based on
205、which vendors are most susceptible and would have the greatest impact on your business operations.We recommend thinking about ransomware detection and response in three categories:prevention to minimize risk,mitigating risk in your third-parties and responding to an attack.We also offer some guidanc
206、e on how to recover from an attack.wide scanners,hacker forums,the deep/dark web and more).Using the data and machine learning,the correlation between control items is identified to provide approximations.With this tool you can understand which vendors are most prone to ransomware and create a mitig
207、ation strategy based on which vendors are most susceptible and would have the greatest impact on your business operations.We recommend thinking about ransomware detection and response in three categories:prevention to minimize risk,mitigating risk in your third-parties and responding to an attack.We
208、 also offer some guidance on how to recover from an attack.STATE OF RANSOMWARE 2024:A YEAR OF SURGES AND SHUFFLING45below 0.2.Prevention and Minimizing Ransomware RiskInternal Security Measures for Ransomware PreventionTaking a proactive approach to internal security measures can greatly reduce the
likelihood of a ransomware attack. Implement the following best practices to minimize the chances of an attack and to make your organization an unattractive target for ransomware groups:

1. Monitor Your Ransomware Indicators: Keep track of your own ransomware indicators so that you stay off the radar of ransomware groups. Regularly check for open critical ports, leaked credentials, weak email security configurations, and phishing or fraudulent domains that impersonate your brand.
2. Patch Management: Keep all systems, applications, and software current with the latest patches, prioritizing internet-facing systems with known remote code execution vulnerabilities.
3. Endpoint Security: Implement strong endpoint security measures, including antivirus and anti-malware software, and consider advanced solutions such as micro-VM isolation to keep malware from spreading.
4. Email Security: Strengthen your email security by publishing SPF, DKIM, and DMARC records (with a DMARC policy that actually enforces, not just monitors), and conduct regular security awareness training so that employees can identify and report phishing attempts.
5. Network Security: Restrict remote access to your network by closing unnecessary ports, placing remote access behind a VPN, and requiring strong authentication such as multi-factor authentication (MFA).
6. Data and System Backup: Regularly back up critical data and systems to allow quick recovery in the event of an attack. Store backups both on-site and off-site, and consider air-gapped or immutable storage so that the backups themselves cannot be encrypted or deleted by the attacker. Test your backup and recovery processes periodically to confirm that they work.
7. Incident Response Plan: Develop and maintain a comprehensive incident response plan for ransomware, including clear roles and responsibilities, communication protocols, and recovery strategies.

By implementing these internal security measures, you can reduce the likelihood of falling victim to a ransomware attack and minimize the potential damage if an attack does occur.

Mitigating Third-Party Ransomware Risk

To mitigate the risk of ransomware attacks that arrive through third-party vendors, organizations should:

1. Evaluate the cybersecurity posture of third-party vendors using tools like Black Kite's Ransomware Susceptibility Index (RSI).
2. Require vendors to adhere to industry best practices and implement robust cybersecurity measures.
3. Perform regular audits of vendors' security practices and provide guidance for improvement where necessary.
4. Foster a culture of collaboration and information sharing among vendors to enhance overall cybersecurity.

RESPONDING TO A RANSOMWARE ATTACK

In the event of a ransomware attack, taking immediate action is critical to limit the damage. Steps to take when hit by a ransomware attack include:
1. Isolate affected systems from the network to prevent the ransomware from spreading.
2. Notify relevant authorities and stakeholders.
3. Engage cybersecurity experts to assess the situation and explore remediation options.
4. Preserve evidence and document the incident for future reference and potential legal action.

POST-ATTACK RECOVERY

After a ransomware attack, it is crucial to learn from the experience and strengthen your organization's cybersecurity defenses. Post-attack steps include:

1. Conduct a thorough analysis of the incident to identify the root causes and the vulnerabilities that were exploited.
2. Implement the recommended security measures to prevent similar attacks in the future.
3. Review and update your incident response plan based on the lessons learned.
4. Share information about the attack with relevant parties and collaborate with industry peers to improve overall cybersecurity.

By understanding the complex nature of ransomware attacks and taking a proactive approach to prevention, response, and recovery, your organization can significantly reduce the likelihood of falling victim to ransomware and better protect its critical data and operations.

Conclusion

This report shed light on the pervasive threat of ransomware, highlighting its evolving tactics and the ripple effects these attacks can have on an organization or an industry. The massive growth in the number of attacks and victims over the past twelve months suggests that attacks will only continue to increase as ransomware groups become more emboldened by past successes. As these shadow enterprises continue to refine their methods, it is imperative for organizations to prioritize robust, proactive threat intelligence to better understand their own susceptibility to ransomware, as well as that of their supply chain, in order to avoid business disruption.

Methodology

The methodology employed by the Black Kite Research & Intelligence Team (BRITE) for this research report encompassed comprehensive monitoring and analysis of ransomware activities from April 1, 2023, to March 31, 2024. BRITE actively monitored a vast array of ransomware groups, more than 130 in total, to gain insights into their operations, tactics, and targets.

Ransomware Group Monitoring: BRITE's monitoring process involves real-time tracking of over 130 ransomware groups, allowing for timely identification of their activities and targets.

Victim Analysis: Among the monitored ransomware groups, 67 were identified as having published at least one victim within the last 12 months preceding the study period. For each victim, BRITE conducted a detailed analysis of their cybersecurity posture both before and after the ransomware attack, leveraging the capabilities of the Black Kite platform.

Dark Web Monitoring: In addition to monitoring ransomware groups' activities, BRITE actively tracks dark web blogs, hacker forums, and Telegram channels to gather intelligence on the evolving tactics and narratives employed by these groups. This ensures a holistic understanding of the ransomware landscape and facilitates the identification of emerging threats.

Victim Enumeration: Over the course of the study period, BRITE observed a total of 4,893 victims affected by ransomware attacks. For each victim, meticulous attention was given to fine-tuning the identification of the victim's country and industry, providing valuable context for further analysis.

By employing this multifaceted approach, BRITE offers a comprehensive analysis of ransomware activities during the specified timeframe, shedding light on trends, vulnerabilities, and mitigation strategies within the cybersecurity landscape.

Black Kite Research & Intelligence Team (BRITE)

Ferhat Dikbiyik, Chief Research & Intelligence Officer
Gokcen Tapkan, Director of Data Research
Ozcan Akdora, Director of Data Engineering
Basri Ciftci, Senior Data Engineer
Serkan Ekrem Cengiz, Senior Data Engineer
Yunus Dogan, Senior Technical Lead
Ferdi Gul, Senior Cybersecurity Researcher
Yavuz Han, Senior Cybersecurity Researcher
Gulsum Budakoglu, Data Analyst
Ekrem Selcuk Celik, Junior Cybersecurity Researcher
Gizem Toprak, Junior Data Analyst
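The email-security items in the Prevention and Minimizing Ransomware Risk checklist above (checking your email security configuration under item 1, and publishing SPF, DKIM and DMARC under item 4) are easy to claim and easy to get subtly wrong: an SPF record ending in +all, a DMARC policy of p=none, or a DKIM selector whose key has been emptied all leave the domain spoofable for the phishing that precedes many ransomware intrusions. The following is an added example written for this page, not code from Black Kite or from the report: it parses the three record types and grades them, returning findings that an internal check or a vendor assessment could act on. The domain example.test, the record strings, and the function names are assumptions for illustration, and the DKIM key-length check is a heuristic on the DER length rather than a parse of the RSA modulus.

```python
"""Added example (not Black Kite's code): grade a domain's SPF, DKIM and DMARC
records for the gaps that phishing-based initial access exploits. Records here are
constructed strings for the hypothetical domain example.test; in production fetch the
TXT records for example.test, <selector>._domainkey.example.test and _dmarc.example.test
(e.g. with dnspython) and pass them to assess()."""
import base64, re
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    message: str

def parse_tags(record: str) -> Dict[str, str]:
    # DKIM/DMARC use 'k=v; k2=v2' tag syntax; keys are case-insensitive.
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record: Optional[str]) -> List[Finding]:
    if record is None:
        return [Finding("high", "no SPF record: any host can use this domain as envelope sender")]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("high", "SPF record does not start with v=spf1")]
    findings: List[Finding] = []
    mechs = [t.lower() for t in terms[1:]]
    all_terms = [m for m in mechs if m.lstrip("+-~?") == "all"]
    # The qualifier on the last 'all' decides the result for every sender not listed;
    # with no 'all' at all the result is neutral, which is as weak as ?all.
    qualifier = (all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+") if all_terms else "?"
    verdicts = {"+": ("high", "+all: every host on the internet may send as this domain"),
                "?": ("medium", "?all or no 'all': neutral result, spoofed mail is not penalised"),
                "~": ("low", "~all (softfail): move to -all once every sender is listed")}
    if qualifier in verdicts:
        findings.append(Finding(*verdicts[qualifier]))
    # RFC 7208 allows at most 10 DNS-querying terms; beyond that receivers return
    # permerror and the record protects nothing.
    lookup_terms = {"include", "a", "mx", "ptr", "exists", "redirect"}
    lookups = sum(1 for m in mechs if re.split(r"[:/=]", m.lstrip("+-~?"))[0] in lookup_terms)
    if lookups > 10:
        findings.append(Finding("high", f"{lookups} DNS lookups (limit is 10): receivers will permerror"))
    return findings

def check_dkim(record: Optional[str]) -> List[Finding]:
    if record is None:
        return [Finding("medium", "no DKIM key at this selector: mail cannot be DKIM-aligned")]
    key_b64 = parse_tags(record).get("p", "")
    if not key_b64:
        return [Finding("high", "empty p= tag: the key is revoked, signatures will not verify")]
    # Heuristic on the DER SubjectPublicKeyInfo length: ~162 bytes for RSA-1024,
    # ~294 for RSA-2048. 1024-bit DKIM keys are considered factorable, so flag them.
    if len(base64.b64decode(key_b64)) < 200:
        return [Finding("medium", "key looks shorter than RSA-2048: rotate the selector")]
    return []

def check_dmarc(record: Optional[str]) -> List[Finding]:
    if record is None:
        return [Finding("high", "no DMARC record: receivers have no policy for mail failing SPF/DKIM")]
    tags = parse_tags(record)
    findings: List[Finding] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("high", "p=none: spoofed mail is reported but still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("low", "p=quarantine: move to p=reject once aggregate reports are clean"))
    elif policy != "reject":
        findings.append(Finding("high", f"invalid or missing policy tag p={policy!r}"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(Finding("medium", f"pct={pct}: the policy applies to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(Finding("medium", "no rua= address: without aggregate reports spoofing goes unnoticed"))
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append(Finding("medium", "sp=none: subdomains can be spoofed although the apex is protected"))
    return findings

def worst_severity(findings: List[Finding]) -> str:
    return max((f.severity for f in findings), key={"high": 3, "medium": 2, "low": 1}.get, default="ok")

def assess(spf: Optional[str], dkim: Optional[str], dmarc: Optional[str]) -> Dict[str, object]:
    findings = check_spf(spf) + check_dkim(dkim) + check_dmarc(dmarc)
    return {"findings": findings, "worst": worst_severity(findings)}

# Constructed records for the hypothetical domain example.test.
WEAK_SPF = "v=spf1 a mx include:mail.example.test +all"
WEAK_DKIM = "v=DKIM1; k=rsa; p="  # key revoked or never published
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
HARDENED_SPF = "v=spf1 ip4:203.0.113.0/24 include:mail.example.test -all"
HARDENED_DKIM = "v=DKIM1; k=rsa; p=" + base64.b64encode(b"\x00" * 294).decode()  # dummy, RSA-2048 length
HARDENED_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s"
if __name__ == "__main__":
    for label, records in (("weak", (WEAK_SPF, WEAK_DKIM, WEAK_DMARC)),
                           ("hardened", (HARDENED_SPF, HARDENED_DKIM, HARDENED_DMARC))):
        result = assess(*records)
        print(f"{label}: worst={result['worst']}")
        for finding in result["findings"]:
            print(f"  [{finding.severity}] {finding.message}")
```

Run as a script it prints the findings for the weak and the hardened record sets; the hardened set produces none, which is the state to aim for: SPF ending in -all with fewer than ten lookups, a published DKIM key of at least 2048 bits, and DMARC at p=reject with rua= reporting so you see who is spoofing you. The same checks can be run against each vendor's sending domain as part of the third-party assessment described above.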