New Report Highlights Surge in 2024 Ransomware Activity from Emerging Groups, Predicts Supply Chain Attacks as Major Vector

Emerging ransomware groups are the source of a surge in activity during the first two quarters of 2024, according to a new report from ReliaQuest. This marks an important shift in the ecosystem following the takedown of “cyber crime unicorn” Lockbit earlier this year, ending two years of unmitigated extortion estimated to be in excess of $1B+ dollars.

ReliaQuest has been analyzing the latest techniques, tactics, and procedures (TTPs) used by ransomware attackers for several years. In Q2, they identified 1,237 organizations on ransomware data-leak sites, up 20% from Q1 2024.

During this recent transition away from Lockbit and ALPHV, which previously claimed the lion’s share of attacks, ReliaQuest has seen a marked fluctuation in the first half of 2024 ransomware activity. They logged a 20% increase in affected organizations occurring alongside activity being 13% lower than Q2 2023. This trend suggests ransomware activity may be slowing due to recent disruptions in the RaaS landscape, where major players have been sidelined.

Emerging Ransomware Groups Ramp Up Activity in 2024#

Ransomware activity saw a spike in May, attributed to LockBit’s attempted comeback in reaction to law enforcement disruption, but the group’s activity has fallen since then and ReliaQuest doesn’t anticipate it will ramp back up again. Many of LockBit’s former affiliates have moved on to join emerging ransomware groups.

The report highlights newer groups like RansomHub and BlackSuit as two that are growing in the wake of recent RaaS disruption:

RansomHub’s new payment model attracted many former ALPHV associates, who contributed to a 243% increase in organizations listed on RansomHub’s data-leak site in Q2 2024 compared with Q1. Blacksuit also saw an increased victim count after gaining new affiliates: from 17 in Q1 2024 to 51 in Q2 2024; we expect the group to continue to grow rapidly.

These newcomers are responsible for recent high-profile exploits, and some of their victims have paid out millions of dollars.

BlackSuit Exploits CDK Global Systems

CDK Global systems, which supports the management systems of thousands of car dealers across the US, was attacked in June and reportedly forked over $25 million in cryptocurrency to a BlackSuit ransomware affiliate. CDK Global customers were knocked back to the pre-digital era for two weeks, forced to use pen and paper until the company restored its systems. AutoNation, one of CDK Global’s customers, informed the US Securities and Exchange Commission (SEC) that the attack impacted their earnings.

RansomHub Leaks Data from Florida Department of Health

In July, RansomHub published more than 100GB of data stole from the Florida Department of Health, which includes personally identifiable information and protected health information. Government entities in Florida are prohibited from making ransom payments, which sent the data straight to the leak site after the department missed the payment deadline. RansomHub was the third most active group in Q2.

Black Basta Targets Healthcare Industry and Critical Infrastructure

In May, US government agencies began warning that Black Basta is targeting the healthcare industry and critical infrastructure, including the attack on the Ascension healthcare system. The group has attacked more than 500 organizations since 2022. It is currently the fourth most active ransomware group, taking credit for attacks on the Dish Network, American Dental Association, Capita, ABB, and Rheinmetall.

Report Forecasts Increasing Supply Chain Attacks Targeting Technology Companies and Software Vendors

ReliaQuest reports that the manufacturing and PSTS (professional, scientific, and technical services) industries were both targeted heavily in Q2 and the top five sectors were consistent with previous quarters.

ReliaQuest saw a 35% increase in organizations in the PSTS sector being named on data-leak sites. The report noted that an uptick in PSTS organizations targeted correlates with an increase in ransomware attacks resulting from supply chain attacks and exposed credentials. This sector has become a lucrative target as supply chain attacks unlock many potential victims at once by compromising those using open source code:

As attacks on technology companies increase and exploits for vulnerabilities are revealed, ransomware affiliates are more likely to gain access to critical infrastructure. This trend highlights the importance of network segmentation and appropriate and timely patching. Software vendors are increasingly vulnerable to breaches due to the prevalence of open-source code repositories. For example, in late June 2024, it was revealed that the formerly legitimate Polyfill.io domain had been abused to serve malicious code. We predict that in the immediate to long-term future (beyond one year), ransomware attacks originating from supply-chain compromise will continue to rise alongside attacks on software vendors.

The Q2 2024 ransomware report highlights a concerning trend: the increasing adoption of software supply chain attacks by emerging ransomware groups and financially motivated actors. These attacks maximize the number of downstream targets with minimal effort, causing widespread disruption across various sectors that heavily rely on third-party software.

Industries such as telecommunications, healthcare, finance, retail, and manufacturing are particularly vulnerable due to their dependence on essential systems like network management, electronic health records, core banking, e-commerce platforms, and quality management software. These are the industries where it’s imperative for organizations to modernize aging infrastructure and be proactive about securing supply chains before an attack has the chance to land.