Keypoints
- October 2024 saw a small uptick in new ransomware samples compared with September.
- MEDUSALOCKER accounted for most of the month-over-month sample increase.
- Sample counts are reported using AhnLab detection names over a six-month window.
- Statistics about targeted companies come from ATIP collection of ransomware Dedicated Leak Sites (DLS).
- Lists of affected companies published by ransomware groups are included and visualized in the report.
- Information on some ransomware groups was collected late or remains unavailable, so the affected-company lists reflect only what ATIP had at collection time; these groups will be covered in subsequent sections.
MITRE Techniques
- [T1071] Application Layer Protocol (Command and Control tactic) – Uses multiple command and control domains to maintain communication with compromised systems (‘Utilizes multiple command and control domains to maintain communication with compromised systems.’)
- [T1486] Data Encrypted for Impact – Ransomware encrypts data to deny access and demand payment (‘Ransomware encrypts data to render it inaccessible to users, demanding payment for decryption.’)
- [T1041] Exfiltration Over Command and Control Channel – Data is exfiltrated via the same channels used for command and control (‘Data is exfiltrated through the same channel used for command and control.’)
- [T1003] OS Credential Dumping – Techniques to harvest credentials from the operating system and software to facilitate access and lateral movement (‘Techniques used to obtain credentials from operating systems and software.’)
Indicators of Compromise
- [MD5 hashes] Sample file hashes reported in the IOC section – 09279c62da9aa6dd567cb260aa255849, 0b56f3ae6b262a6854bf370598bdd617, and 3 more hashes
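The two MD5 values quoted above are the only hashes reproduced on this page (the other three are in the full report). As an added example, not code from AhnLab or the ASEC report, the script below extracts those MD5s from the IOC line, then walks a directory and reports any file whose MD5 matches. The IOC_LINE string is the page's own IOC line with punctuation normalized; the scanned directory and any sample files are supplied by the caller.

```python
"""Match files on disk against the MD5 IOCs quoted in the report summary.

Added example, not code from the AhnLab/ASEC report. Only the two MD5 values
printed on this page are embedded; the remaining three are not reproduced here.
"""
import hashlib
import os
import re
from typing import Dict, Iterable, List, Tuple

# The IOC line as it appears in this summary (punctuation normalized to ASCII).
IOC_LINE = (
    "[MD5 hashes] Sample file hashes reported in the IOC section - "
    "09279c62da9aa6dd567cb260aa255849, 0b56f3ae6b262a6854bf370598bdd617, "
    "and 3 more hashes"
)

# A bare run of exactly 32 hex digits; SHA-1/SHA-256 tokens are longer and are ignored.
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def extract_md5s(text: str) -> List[str]:
    """Return every MD5-shaped token in `text`, lower-cased, de-duplicated,
    in first-seen order."""
    seen: Dict[str, None] = {}
    for token in MD5_RE.findall(text):
        seen.setdefault(token.lower(), None)
    return list(seen)


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through MD5 so large samples do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: str, iocs: Iterable[str]) -> List[Tuple[str, str]]:
    """Walk `root` and return (path, md5) for every regular file whose MD5 is in `iocs`.
    Symlinks are skipped and unreadable files are ignored rather than aborting the scan."""
    wanted = {h.lower() for h in iocs}
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = md5_of_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((path, digest))
    return hits


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in scan_directory(target, extract_md5s(IOC_LINE)):
        print(f"IOC match: {digest}  {path}")
```

Run it as `python ioc_scan.py /path/to/triage` (filename assumed). MD5 is collision-prone, so a hit is a triage lead rather than a verdict: confirm with a stronger hash or sandbox detonation before acting, and extend the IOC list from the full report once the remaining hashes are available.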
The October report shows a modest rebound in newly observed ransomware samples, reversing a slight dip from September. This increase is primarily attributable to a jump in MEDUSALOCKER samples; otherwise, month-to-month changes were limited. AhnLab detection names were used to compile sample counts over the past six months, and ATIP collected data from ransomware Dedicated Leak Sites to identify targeted companies.
Visual charts in the report illustrate the six-month trend in new samples and the distribution of targeted businesses by ransomware group. The report notes that some groups’ postings were captured late or not at all, so the listed affected companies represent the data available to ATIP at the time of collection. The report includes examples of affected organizations published on DLS and provides MD5 hashes for specific samples observed.
Further sections of the report will dive deeper into the malware types contributing to October’s totals and provide more detailed breakdowns of companies impacted by different ransomware families. Stakeholders should review the full dataset and DLS listings for the most complete view of recent activity.
Read more: https://asec.ahnlab.com/en/84286/