Despite the takedowns of some well-known names, ransomware remains a major cybercrime threat.
Analysis Summary
# Incident Report: Ransomware Trend Analysis and RansomHub Emergence (2024)
## Executive Summary
Ransomware activity in 2024 showed resilience, increasing by 3% despite significant law enforcement disruptions against major operations like LockBit and Noberus early in the year. The second half saw a strong rebound, characterized by the rapid emergence of the RansomHub RaaS operation, which quickly became prominent. Attackers heavily relied on living-off-the-land binaries, dual-use tools, and increasingly employed Bring Your Own Vulnerable Driver (BYOVD) techniques to disable security software ahead of double extortion data exfiltration.
## Incident Details
- **Discovery Date:** Information covers trends observed throughout 2024.
- **Incident Date:** Trends observed throughout 2024.
- **Affected Organization:** General industry trend analysis (multiple victims implied).
- **Sector:** Cross-sector cybercrime analysis.
- **Geography:** Global scope implied by law enforcement actions and threat landscape analysis.
## Timeline of Events
### Initial Access
- **Date/Time:** Observed throughout 2024, notably by RansomHub affiliates starting Feb 2024.
- **Vector:** Exploitation of known public-facing vulnerabilities.
- **Details:** Exploitation of vulnerabilities including Zerologon (CVE-2020-1472), CitrixBleed (CVE-2023-3519), Fortinet FortiOS (CVE-2023-27997), Java OpenWire (CVE-2023-46604), and Confluence (CVE-2023-22515).
### Lateral Movement
- **Details:** Attackers leveraged dual-use tools such as Atera and Splashtop to facilitate remote access, and NetScan for network discovery.
### Data Exfiltration/Impact
- **Details:** Focus on "double extortion" attacks, involving data exfiltration prior to ransomware deployment.
### Detection & Response
- **Details:** Law enforcement successfully disrupted LockBit (Syrphid) operations in February and May 2024 through international operations, causing an initial dip in overall activity.
## Attack Methodology
- **Initial Access:** Exploiting publicly known vulnerabilities (e.g., Zerologon, CitrixBleed).
- **Persistence:** Not explicitly detailed, but use of RaaS groups suggests established affiliate infrastructure.
- **Privilege Escalation:** Not explicitly detailed.
- **Defense Evasion:** Heavy reliance on disabling security software using BYOVD techniques (e.g., TrueSightKiller, KillAV, Poortry) and abusing signed/vulnerable drivers.
- **Credential Access:** Not explicitly detailed.
- **Discovery:** Use of tools like NetScan for network reconnaissance.
- **Lateral Movement:** Use of dual-use legitimate tools (Atera, Splashtop) for remote access.
- **Collection:** Pre-deployment data exfiltration (double extortion).
- **Exfiltration:** Data exfiltration is a strong focus alongside encryption.
- **Impact:** Ransomware deployment as the final stage, after the adversary's pre-deployment activity (defense evasion and data exfiltration).
## Impact Assessment
- **Financial:** Not quantified, but high due to the resilience of ransomware operations.
- **Data Breach:** Focus on data exfiltration via double extortion tactics.
- **Operational:** Implied significant operational disruption upon ransomware deployment.
- **Reputational:** High, as ransomware remains a major cybercrime issue.
## Indicators of Compromise
*Note: Specific IOCs are not provided in the text, only descriptions of techniques.*
- **Network indicators:** Remote-access traffic from dual-use tools such as Atera and Splashtop (no specific addresses or domains are given).
- **File indicators:** Use of tools leveraging vulnerable drivers (e.g., TrueSightKiller, Warp AVKiller, Poortry).
- **Behavioral indicators:** Security software being disabled before payload execution; on the ecosystem side, a shift of affiliate power toward RaaS programs offering higher payout structures.
## Response Actions
- **Containment measures:** Law enforcement disruption operations targeting core Ransomware-as-a-Service (RaaS) providers (LockBit).
- **Eradication steps:** Not detailed in the scope of this trend report.
- **Recovery actions:** Not detailed in the scope of this trend report.
## Lessons Learned
- Ransomware remains a highly resilient threat, capable of rebounding strongly even after major law enforcement actions (e.g., LockBit disruption).
- Adversaries increasingly focus on disabling security controls *before* encryption using kernel-level manipulation (BYOVD).
- The RaaS ecosystem is adapting, with operators offering better financial incentives (higher revenue share for affiliates) to stay competitive, as seen with RansomHub.
## Recommendations
- Prioritize patching vulnerabilities heavily exploited for initial access, especially those related to external-facing services (e.g., VPNs, collaboration platforms).
- Implement robust Endpoint Detection and Response (EDR) solutions capable of detecting kernel-level manipulation and monitoring legitimate tools being abused (Living Off The Land).
- Review security baselines specifically to prevent the loading or execution of known vulnerable drivers often used for EDR/AV termination.
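The last two recommendations (detect kernel-level tampering, and stop known vulnerable drivers from loading) can be exercised against endpoint telemetry. The following Python script is an added example, not part of the trend report or of any vendor's product: it evaluates Sysmon `DriverLoad` (Event ID 6) records against a vulnerable-driver blocklist, the driver's signature status and its load path, and then correlates each suspicious load with `ProcessTerminate` (Event ID 5) records for security-agent processes in the following two minutes, which is the BYOVD-then-kill-the-EDR pattern described above. The Sysmon field names (`ImageLoaded`, `Hashes`, `Signed`, `SignatureStatus`, `UtcTime`, `Image`) are real; the blocklist hash, the `edragent.exe` process name, the sample events and the time window are constructed for the example.

```python
"""
Added example: flag BYOVD-style EDR/AV tampering from Sysmon-like events.
Sample events, the blocklist hash and the security-process list are constructed.
"""
from datetime import datetime, timedelta

# Constructed stand-in for a real vulnerable-driver hash list (e.g. the Microsoft
# recommended driver block rules or the LOLDrivers project). Not a real hash.
PLACEHOLDER_VULN_SHA256 = "a" * 64
VULNERABLE_DRIVER_SHA256 = {
    PLACEHOLDER_VULN_SHA256: "example AV-killer driver (placeholder hash)",
}

# Directories from which legitimate driver loads are expected (lower-cased prefixes).
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Image names of security tooling; msmpeng.exe is Defender's engine, the others
# are constructed names standing in for whatever EDR agent is deployed.
SECURITY_PROCESSES = {"msmpeng.exe", "edragent.exe", "sensor.exe"}

# Terminations of security processes this long after a suspicious driver load
# are treated as related (constructed window).
TAMPER_WINDOW = timedelta(seconds=120)


def parse_time(value):
    """Sysmon UtcTime format, e.g. '2024-06-01 10:05:00.000'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def parse_hashes(field):
    """Turn Sysmon's 'SHA256=...,MD5=...' string into a {algo: hexdigest} dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def assess_driver_load(event):
    """Return the reasons a Sysmon Event ID 6 record looks suspicious (empty if none)."""
    reasons = []
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in VULNERABLE_DRIVER_SHA256:
        reasons.append(f"known vulnerable driver: {VULNERABLE_DRIVER_SHA256[sha256]}")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("driver not validly signed")
    if not event.get("ImageLoaded", "").lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append(f"driver loaded from unusual path: {event.get('ImageLoaded')}")
    return reasons


def detect_byovd(events):
    """
    events: Sysmon-like dicts with EventID 6 (DriverLoad) or 5 (ProcessTerminate).
    Returns one alert per suspicious driver load, listing the reasons and any
    security process terminated within TAMPER_WINDOW after the load.
    """
    alerts = []
    terminations = [e for e in events if e["EventID"] == 5]
    for e in events:
        if e["EventID"] != 6:
            continue
        reasons = assess_driver_load(e)
        if not reasons:
            continue
        loaded_at = parse_time(e["UtcTime"])
        killed = sorted({
            t["Image"].rsplit("\\", 1)[-1].lower()
            for t in terminations
            if t["Image"].rsplit("\\", 1)[-1].lower() in SECURITY_PROCESSES
            and loaded_at <= parse_time(t["UtcTime"]) <= loaded_at + TAMPER_WINDOW
        })
        severity = "high" if killed or any("vulnerable" in r for r in reasons) else "medium"
        alerts.append({"driver": e["ImageLoaded"], "reasons": reasons,
                       "security_processes_terminated": killed, "severity": severity})
    return alerts


# Constructed sample telemetry: a benign Windows driver load, then a validly signed
# but blocklisted driver dropped under ProgramData, followed 12 seconds later by the
# termination of the (constructed) EDR agent process.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2024-06-01 10:00:00.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Hashes": "SHA256=" + "1" * 64, "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "UtcTime": "2024-06-01 10:05:00.000",
     "ImageLoaded": "C:\\ProgramData\\tmp\\helper.sys",
     "Hashes": "SHA256=" + "A" * 64 + ",MD5=" + "b" * 32, "Signed": "true",
     "Signature": "Example Vendor Ltd", "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": "2024-06-01 10:05:12.000",
     "Image": "C:\\Program Files\\Example EDR\\edragent.exe", "ProcessId": 4321},
]

if __name__ == "__main__":
    for alert in detect_byovd(SAMPLE_EVENTS):
        print(alert)
```

The second sample driver is validly signed, which is exactly why a signature check alone is not a sufficient baseline: the point of BYOVD is that the driver is legitimately signed and merely vulnerable. The hash blocklist and the load-path check catch it, and the correlated termination of the security agent raises the severity. In production the blocklist would be fed from the Microsoft recommended driver block rules or LOLDrivers, and the preventive counterpart is enabling that block policy (HVCI/WDAC) rather than only detecting loads after the fact.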