Full Report
NCC Group observed 574 global ransomware attacks in December, the highest monthly volume it has recorded
Analysis Summary
# Incident Report: Record High Global Ransomware Attacks in December 2024
## Executive Summary
December 2024 saw the highest monthly volume of global ransomware attacks NCC Group has recorded, with 574 detected incidents, breaking the usual holiday-season downtrend. The surge was driven largely by the ransomware-as-a-service (RaaS) operation FunkSec, which alone accounted for 18% of all attacks (103 incidents). Attacks spanned multiple critical sectors worldwide and relied on double extortion (encrypting files and exfiltrating data for publication on a leak site), pointing to an increasingly aggressive threat landscape heading into 2025.
## Incident Details
- **Discovery Date:** January 2025 (Report published January 22, 2025, based on December 2024 data)
- **Incident Date:** December 2024 (Monthly volume aggregated)
- **Affected Organization:** No specific organizations are named; the report covers aggregate global activity.
- **Sector:** Manufacturing (most targeted sector, 24%), Healthcare, Technology, Government, and Media.
- **Geography:** Global, with North America being the most targeted region (52%), followed by Europe (18%). Asia saw a significant 58% rise over November.
## Timeline of Events
### Initial Access
- **Date/Time:** Throughout December 2024
- **Vector:** Not detailed in the source. No initial access technique is attributed to FunkSec or any other group; the figures are victim counts, not intrusion analyses.
- **Details:** FunkSec Group, the most active actor (103 attacks), was observed targeting multiple countries.
### Lateral Movement
- **Details:** No lateral movement techniques are described in the source. Double extortion (collecting data for exfiltration and then encrypting at scale) generally requires internal spread, but that is an inference, not a finding of the report.
### Data Exfiltration/Impact
- **Details:** The primary impact method utilized by the leading actor, FunkSec, was **double extortion**, involving both encrypting files and exfiltrating victim data via a Tor-based leak site.
### Detection & Response
- **How it was discovered:** Aggregate victim data compiled by NCC Group in its monthly _Threat Pulse_ report.
- **Response actions taken:** No specific organizational response actions mentioned; the data reflects threat intelligence monitoring and reporting by NCC Group.
## Attack Methodology
| Category | Method Description |
| :--- | :--- |
| **Initial Access** | Not explicitly detailed. |
| **Persistence** | Not explicitly detailed. |
| **Privilege Escalation** | Not explicitly detailed. |
| **Defense Evasion** | Not explicitly detailed. The source notes (citing Check Point) that FunkSec's malware appears to be developed with **AI assistance**; this is an observation about tooling and development speed, not a documented evasion technique. |
| **Credential Access** | Not explicitly detailed. |
| **Discovery** | Not explicitly detailed. The **wide spread of sectors and geographies** reflects opportunistic victim selection, not documented post-compromise discovery activity. |
| **Lateral Movement** | Not explicitly detailed; implied by the need to reach and encrypt data across the victim network in double extortion schemes. |
| **Collection** | Staging of victim files prior to exfiltration (the data-theft half of double extortion). |
| **Exfiltration** | Data exfiltrated and potentially published on FunkSec’s Tor-based data leak site. |
| **Impact** | **Encryption of files and data theft** (Double Extortion). |
## Impact Assessment
- **Financial:** Not quantified in the source; the record volume and the aggressiveness of RaaS operators imply significant aggregate losses.
- **Data Breach:** Data exfiltration confirmed via double extortion tactics across multiple sectors.
- **Operational:** Impact implicit across affected sectors (Healthcare, Manufacturing, etc.).
- **Reputational:** Ongoing risk associated with public data leak sites used by actors like FunkSec.
## Indicators of Compromise
*Note: As this report summarizes aggregate threat intelligence rather than a single incident, specific, defanged IoCs are not available.*
- **Network indicators:** FunkSec operates a **Tor-based data leak site**.
- **File indicators:** None provided; the source refers to RaaS encryptor payloads only generically, without hashes or filenames.
- **Behavioral indicators:** Deployment of **double extortion** tactics (encrypt + steal).
## Response Actions
- **Containment measures:** Not detailed for specific organizational responses.
- **Eradication steps:** Not detailed for specific organizational responses.
- **Recovery actions:** Not detailed for specific organizational responses.
## Lessons Learned
- **Key takeaways:** Traditionally quiet periods such as December can no longer be assumed to bring lower ransomware volume; a new wave of aggressive actors (e.g., FunkSec) is breaking established seasonal patterns.
- **What could have been done better:** Organizations across all sectors, particularly manufacturing and other industrial sectors, need to strengthen defenses against increasingly bold RaaS operations, including those using AI-assisted tooling to speed up malware development.
## Recommendations
- **Prevention measures for similar incidents:**
  1. Maintain tested, offline or immutable backups and enforce network segmentation so that an encryption event cannot reach both production data and its recovery copies.
  2. Keep monitoring and on-call coverage at normal levels during traditionally low-alert periods (holidays, year-end), when reduced staffing slows response.
  3. Build detections for the pre-encryption phase of double extortion: bulk file access, creation of large archives on endpoints, and large outbound transfers to destinations outside an approved set, especially outside business hours.
  4. Track threat intelligence for newly emerging, high-volume RaaS groups such as FunkSec and update leak-site and infrastructure watchlists accordingly.
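The following is an added example, not code from the NCC Group report or from any tool it describes, showing how recommendations 2 and 3 can be turned into a concrete detection. It runs a simple data-staging heuristic over constructed endpoint/network events: a host that creates a large archive and then, within a short window, sends a large volume of data to a destination outside an allowlist is flagged, with a higher score when this happens out of hours or on a weekend. The log format, thresholds, hostnames, allowlisted destinations and the TEST-NET addresses are all assumptions chosen for the example.

```python
"""Heuristic detection of ransomware data staging and exfiltration.

Added example (not from the NCC Group report). Looks for the
pre-encryption phase of double extortion on a single host:
  1. an unusually large archive is created, then
  2. within WINDOW, large outbound transfers go to a destination
     outside a small allowlist.
Off-hours or weekend activity raises the score, reflecting the
recommendation to keep watch during low-alert periods.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tunables: assumed values for the example, not figures from the report.
ARCHIVE_MIN_BYTES = 500 * 1024 * 1024        # archives >= 500 MiB are suspicious
EGRESS_MIN_BYTES = 1024 * 1024 * 1024        # >= 1 GiB egress in the window
WINDOW = timedelta(hours=2)                  # archive -> egress pairing window
ALLOWED_DESTS = {"backup.corp.example", "update.vendor.example"}  # assumed allowlist


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str          # "archive_created" or "outbound_transfer"
    size: int          # bytes
    dest: str = ""     # destination, only for outbound_transfer


def off_hours(ts: datetime) -> bool:
    """Weekend, or outside 07:00-19:00 local time (assumed business hours)."""
    return ts.weekday() >= 5 or not (7 <= ts.hour < 19)


def parse_line(line: str) -> Event:
    """Parse one line of the constructed pipe-delimited format: ts|host|kind|size|dest"""
    ts, host, kind, size, dest = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), host, kind, int(size), dest)


def detect_staging(events: list[Event]) -> list[dict]:
    """Return one finding per (host, destination) where a large archive is
    followed within WINDOW by >= EGRESS_MIN_BYTES to a non-allowlisted destination."""
    findings, seen = [], set()
    by_host: dict[str, list[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)
    for host, evs in by_host.items():
        for a in evs:
            if a.kind != "archive_created" or a.size < ARCHIVE_MIN_BYTES:
                continue
            # Sum egress per destination inside the window after the archive.
            egress: dict[str, int] = {}
            for e in evs:
                if (e.kind == "outbound_transfer" and e.dest not in ALLOWED_DESTS
                        and a.ts <= e.ts <= a.ts + WINDOW):
                    egress[e.dest] = egress.get(e.dest, 0) + e.size
            for dest, total in egress.items():
                if total < EGRESS_MIN_BYTES or (host, dest) in seen:
                    continue
                seen.add((host, dest))
                score = 70
                score += 20 if off_hours(a.ts) else 0            # low-alert period
                score += 10 if total >= 5 * EGRESS_MIN_BYTES else 0  # very large theft
                findings.append({"host": host, "dest": dest, "archive_bytes": a.size,
                                 "egress_bytes": total, "first_seen": a.ts.isoformat(),
                                 "score": score})
    return findings


# Constructed sample log (not real telemetry). 2024-12-21 is a Saturday.
SAMPLE_LOG = [
    "2024-12-21T02:14:00|WS-FIN-07|archive_created|2300000000|",
    "2024-12-21T02:31:00|WS-FIN-07|outbound_transfer|900000000|203.0.113.5",
    "2024-12-21T02:52:00|WS-FIN-07|outbound_transfer|1000000000|203.0.113.5",
    # Scheduled backup: large archive, but egress goes to an allowlisted host.
    "2024-12-18T22:05:00|SRV-BK-01|archive_created|3000000000|",
    "2024-12-18T22:30:00|SRV-BK-01|outbound_transfer|3000000000|backup.corp.example",
    # Large upload with no preceding large archive: not matched by this rule.
    "2024-12-19T10:00:00|WS-ENG-03|archive_created|50000000|",
    "2024-12-19T10:20:00|WS-ENG-03|outbound_transfer|2000000000|198.51.100.7",
]


def analyse(lines: list[str]) -> list[dict]:
    """Parse raw lines and run the detection; used by the tests below."""
    return detect_staging([parse_line(l) for l in lines])


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```

The rule deliberately requires both halves (staging and egress) to keep noise down; large egress on its own, as on WS-ENG-03, is a separate and noisier signal that is better handled by baselining per-host outbound volume. In production the allowlist would be derived from observed backup and update traffic rather than hard-coded, and the thresholds tuned to the environment.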