Full Report
This report provides statistics on the number of new ransomware samples, the number of targeted systems, and the targeted companies collected in November 2024, as well as major Korean and international ransomware issues worth noting. Below are the summarized details. The number of ransomware samples and the number of damaged systems are based on the detection names assigned […] The post November 2024 Threat Trend Report on Ransomware appeared first on ASEC.
Analysis Summary
# Incident Report: November 2024 Ransomware Activity Snapshot
## Executive Summary
This report summarizes the general ransomware landscape observed in November 2024, focusing on new sample detection rates and publicly listed victims on Dedicated Leak Sites (DLS). While the number of new ransomware samples slightly decreased compared to October, likely due to the temporary absence of the MedusaLocker variant, ongoing activity across various ransomware groups continued to target organizations globally. Specific response actions or detailed timelines for individual compromises are not available in this statistical overview.
## Incident Details
- Discovery Date: Statistical aggregation covering November 2024
- Incident Date: Primarily based on detections and public listings throughout November 2024
- Affected Organization: Various organizations globally (based on DLS postings)
- Sector: Not specified (Implied broad targeting across sectors)
- Geography: Global
## Timeline of Events
*Note: This summary is based on monthly statistics, not a single incident timeline.*
### Initial Access
- Date/Time: Throughout November 2024 (Continuous activity observed)
- Vector: Statistics do not detail specific initial access vectors but rely on malware detection and DLS listing confirmations.
- Details: Targeting remains ongoing across multiple ransomware groups.
### Lateral Movement
- Details: Not detailed in statistical overview.
### Data Exfiltration/Impact
- Details: Organizations were listed on DLS, indicating successful exfiltration or encryption leading to public disclosure threats.
### Detection & Response
- Details: Threat intelligence infrastructure (ATIP) collected data on new samples and victim listings throughout the month. Specific organizational response actions are not documented.
## Attack Methodology
*Note: As this is a statistical overview of samples and victims, specific TTPs for individual campaigns are generalized.*
- Initial Access: Not explicitly detailed; likely relies on common vectors such as phishing, exploitation of public-facing applications, or RDP compromise.
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Not detailed.
- Collection: Organizations listed on DLS suggest successful data collection occurred prior to listing/extortion.
- Exfiltration: Implied activity via DLS listings.
- Impact: Encryption and/or data theft, leading to extortion attempts.
## Impact Assessment
- Financial: Not specified, but implied costs related to remediation and potential ransoms.
- Data Breach: Data exposure or encryption impacting various global organizations.
- Operational: Implied disruption for listed victims.
- Reputational: Potential reputational damage for organizations listed on DLS.
## Indicators of Compromise
*Note: The provided text only lists several raw MD5 hashes related to detected samples.*
- Network indicators: None provided.
- File indicators:
- MD5: `146d350fd6271b4411714c630d8cda87`
- MD5: `14a0ecf45aa72adb2b1f2ccca99f6faa`
- MD5: `30656c737338818bee8cc3591e3f3dcc`
- MD5: `31a77e0d1c1b91eebec1f7cdcc1ab8b8`
- MD5: `571684f28ce1cf4d8236dbd46ef6f7f0`
- Behavioral indicators: Observation of new ransomware samples (relative decline from October, excluding MedusaLocker statistics).
## Response Actions
*Note: Statistics cover detection by security vendors (AhnLab) rather than confirmed organizational incident response steps.*
- Containment: Not detailed.
- Eradication: Not detailed.
- Recovery: Not detailed.
## Lessons Learned
- Ransomware groups actively profile victims and maintain public-facing DLS pages to exert pressure.
- The threat landscape remains dynamic, with sample volumes fluctuating based on the prominence of specific ransomware variants (e.g., MedusaLocker's absence in the ranking).
## Recommendations
- Enhance threat intelligence consumption focusing on emerging ransomware samples and actively monitored DLS pages globally.
- Review and continuously test incident response plans specifically tailored for ransomware scenarios, focusing on rapid containment and recovery.