“2024’s Leading Threat Actors: Insights Beyond the Statistics – SOCRadar® Cyber Intelligence Inc.”

The 2024 cyber landscape features a complex network of threat actors shaping attacks, scandals, and tactics, with a spotlight on the year’s top 10 actors and their impact on global cybersecurity. This piece highlights their notoriety, operations, and evolving techniques, from RaaS to attacks on critical infrastructure. #RansomHub #QilinRansomware

Key Points

  • RansomHub emerged as the most prolific ransomware operator in 2024, operating as a Ransomware-as-a-Service (RaaS) platform with a decentralized model and double-extortion tactics.
  • Qilin Ransomware gained notoriety for attacks on critical infrastructure, including healthcare, with Synnovis attacks causing disruption to UK healthcare providers.
  • Dark Angels conducted high-profile data leaks and set a new benchmark with a record ransom demand of $75 million.
  • LockBit persisted despite setbacks by shifting focus to less secure targets and republishing old leaks amid counteroperations.
  • Whitewarlock was connected to the Snowflake data breach, which exposed client data from major organizations.
  • IntelBroker auctions stolen intelligence and has acquired ownership of BreachForums, highlighting the growing underground ecosystem.
  • The Cyber Army of Russia Reborn engaged in politically motivated cyberattacks and information warfare, leveraging hacktivism and geopolitical alignment.

MITRE Techniques

  • [T1486] Ransomware as a Service – “RansomHub is a Ransomware-as-a-Service (RaaS) operation that surfaced in early 2024, swiftly gaining attention due to its unique business model. Unlike traditional ransomware groups, RaaS platforms like RansomHub function as decentralized hubs, providing customized ransomware services to various cybercriminals.”
  • [T1486] Data Encrypted for Impact – “Data Encrypted for Impact – T1486 … Used by Qilin Ransomware and Dark Angels to encrypt data and demand ransom.”
  • [T1003] Credential Dumping – “Credential Dumping – T1003 … Exploited by Scattered Spider to bypass Multi-Factor Authentication (MFA) systems.”
  • [T1566] Phishing – “Phishing – T1566 … Employed by Sandworm for spear phishing attacks.”
  • [T1190] Exploitation of Public-Facing Applications – “Exploitation of Public-Facing Applications – T1190 … Used by various threat actors to exploit vulnerabilities in critical infrastructure.”

Indicators of Compromise

  • [IOC] None – No explicit IOCs (IP addresses, domains, file hashes, or filenames) are provided in the article.

Read more: https://socradar.io/top-10-threat-actors-of-2024-beyond-the-numbers/