Evolving Recovery Disruption Techniques in Ransomware

Ransomware incidents grew in 2024 as attackers combined reconnaissance, exploitation of exposed IoT devices, and the Ransomware-as-a-Service model to expand reach and profits. Payments demanded via cryptocurrency and tactics like double-extortion complicate attribution and recovery. #Shodan #RaaS

Keypoints

  • Ransomware attacks increased in 2024, driven by profitable ransom payments.
  • Attackers hide behind cryptocurrency payments, hindering law enforcement tracking.
  • Adversaries use internet-wide scanners like Shodan to locate exposed IoT devices and weak credentials.
  • Threat actors secure persistence via backdoors and privilege escalation to maintain access.
  • Ransomware spreads laterally across networks to maximize data exfiltration and impact.
  • Attackers encrypt data, remove recovery options, and often adopt double-extortion by threatening data leaks.
  • The Ransomware-as-a-Service model lowers the skill barrier, enabling more actors to deploy ransomware.

MITRE Techniques

  • [T1087] Reconnaissance – Used to map victim environments and find weaknesses. Quote: ‘Threat actors collect information about the victim system, including network structure and vulnerabilities.’
  • [T1078] Initial Access – Methods to gain entry, including scanning and exploiting exposed IoT devices. Quote: ‘Gaining access to the victim system through various means, including exploiting IoT devices.’
  • [T1543] Persistence – Installing components to retain access after initial compromise. Quote: ‘Installing backdoor malware to maintain continuous access after the initial breach.’
  • [T1021] Lateral Movement – Moving within the network to reach more systems and data. Quote: ‘Spreading ransomware to other systems within the network to access more confidential data.’
  • [T1486] Data Encryption – Encrypting files and disabling recovery to force ransom payments. Quote: ‘Encrypting important data and deleting recovery options to hinder system recovery.’
  • [T1040] Data Breach – Threatening or carrying out data leakage as part of extortion. Quote: ‘Threatening to leak sensitive information as part of a double-extortion strategy.’

Indicators of Compromise

  • [IP addresses] reconnaissance targets – “randomly generated IPv4 addresses” used for Shodan port scanning, publicly exposed IoT device addresses
  • [Device types] exposed hardware – webcams, medical devices (examples of IoT devices indexed by Shodan)
  • [File types] encryption targets – databases, documents, images
  • [Tools/drivers] detection-bypass artifacts – legitimate tools and drivers abused to bypass security (no specific names provided)
  • [Backup artifacts] recovery targets – system restore points and backup files disabled or damaged during execution

Ransomware activity in 2024 has become more aggressive and pragmatic: attackers combine automated reconnaissance with opportunistic exploitation to find easy targets, then monetize access through encryption and extortion. Cryptocurrency payments and the rise of Ransomware-as-a-Service (RaaS) have made attacks both harder to trace and easier to launch, widening the pool of potential perpetrators.

Adversaries frequently use tools like Shodan to scan the internet for exposed IoT devices and services running with default credentials or outdated firmware. After initial access, threat actors establish persistence—often via backdoors or elevated privileges—and perform lateral movement to reach critical systems and collect valuable data.

When deploying ransomware, attackers focus on encrypting key file types (databases, documents, images), destroying recovery points, and damaging backups to increase pressure on victims. The playbook increasingly includes double-extortion: stealing data for potential public release if ransom demands aren’t met, further raising the stakes for affected organizations.
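The recovery-disruption step described above (deleting restore points and damaging backups before encryption) is one of the more reliably detectable phases of a ransomware run, because it relies on a small set of built-in Windows administration commands. The following is an added example, not code from the original article: a small detector that reads process-creation events and flags command lines that delete shadow copies, wipe backup catalogs or disable the Windows recovery environment. The one-JSON-object-per-line log format with `host`, `user`, `image` and `cmdline` fields is an assumption, and the sample events are constructed for the demonstration; the detection patterns themselves are the widely documented `vssadmin`, `wmic`, `wbadmin` and `bcdedit` invocations catalogued under MITRE ATT&CK T1490 (Inhibit System Recovery).

```python
"""Flag process-creation events that look like ransomware recovery disruption.

Added example, not from the original article. The log format (one JSON object
per line with "host", "user", "image" and "cmdline") is an assumption; the
sample events below are constructed for the demo.
"""
import json
import re

# Well-known ways of deleting shadow copies, wiping backup catalogs or
# disabling Windows recovery. Each entry: (label, case-insensitive regex).
RECOVERY_DISRUPTION_PATTERNS = [
    ("shadow copy deletion (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow copy deletion (wmic)",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("shadow storage resize",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("backup catalog deletion",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup|backup)\b", re.I)),
    ("recovery environment disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
    ("boot failures ignored",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b", re.I)),
]

# Constructed sample events (hostnames, users and timestamps are made up).
# Four events on WS-FIN-07 form the typical pre-encryption burst; the
# SRV-BKP-01 and WS-HR-02 lines are benign administrative use.
SAMPLE_LOG = r"""
{"ts": "2024-05-02T03:14:07Z", "host": "WS-FIN-07", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"}
{"ts": "2024-05-02T03:14:08Z", "host": "WS-FIN-07", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmdline": "wmic shadowcopy delete"}
{"ts": "2024-05-02T03:14:09Z", "host": "WS-FIN-07", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\bcdedit.exe", "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"}
{"ts": "2024-05-02T03:14:09Z", "host": "WS-FIN-07", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled No"}
{"ts": "2024-05-02T03:20:00Z", "host": "SRV-BKP-01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\wbadmin.exe", "cmdline": "wbadmin start backup -backupTarget:E: -include:C: -quiet"}
{"ts": "2024-05-02T03:21:30Z", "host": "WS-HR-02", "user": "CORP\\asmith", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin list shadows"}
{"ts": "2024-05-02T03:25:41Z", "host": "SRV-FILE-01", "user": "CORP\\svc_deploy", "image": "C:\\Windows\\System32\\wbadmin.exe", "cmdline": "wbadmin delete catalog -quiet"}
"""


def classify(cmdline: str) -> list[str]:
    """Return the labels of every recovery-disruption pattern the command line matches."""
    return [label for label, rx in RECOVERY_DISRUPTION_PATTERNS if rx.search(cmdline)]


def scan(lines) -> list[dict]:
    """Aggregate matching events per host.

    Several distinct disruption techniques on one host is the signature of the
    pre-encryption phase and is rated "high"; a single technique is "medium",
    since lone catalog or shadow deletions also occur in legitimate maintenance.
    """
    per_host: dict[str, dict] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        labels = classify(ev.get("cmdline", ""))
        if not labels:
            continue
        entry = per_host.setdefault(
            ev["host"], {"host": ev["host"], "users": set(), "labels": set(), "events": 0})
        entry["users"].add(ev.get("user", "?"))
        entry["labels"].update(labels)
        entry["events"] += 1

    alerts = []
    for entry in per_host.values():
        severity = "high" if len(entry["labels"]) >= 2 else "medium"
        alerts.append({
            "host": entry["host"],
            "users": sorted(entry["users"]),
            "labels": sorted(entry["labels"]),
            "events": entry["events"],
            "severity": severity,
        })
    return sorted(alerts, key=lambda a: a["host"])


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(f'{alert["severity"].upper():6} {alert["host"]}: '
              f'{alert["events"]} event(s) by {", ".join(alert["users"])}: '
              f'{"; ".join(alert["labels"])}')
```

Running the block as a script prints one alert per host: WS-FIN-07 is rated high (four events, four distinct techniques within seconds), SRV-FILE-01 is medium (a single catalog deletion that needs an analyst to confirm against the change calendar), and the benign `wbadmin start backup` and `vssadmin list shadows` lines produce nothing. In a real pipeline the same `classify` function would sit on process-creation telemetry (Sysmon event 1 or Windows Security 4688 with command-line logging enabled), and the burst heuristic would use a time window rather than the whole log.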

Read more: https://www.hendryadrian.com/evolving-recovery-disruption-techniques-in-ransomware/