Ransomware: Attacks Approaching Peak Levels Again

Ransomware activity surged in Q2 2024, rising 36% to 1,310 incidents as the ecosystem recovered from disruptions and welcomed new operators like Qilin and RansomHub. The surge is driven by exploitation of known vulnerabilities and exposed remote services, signaling a return to aggressive tactics by groups such as LockBit (Syrphid). #LockBit #Syrphid #Qilin #RansomHub #Noberus #Cl0p #Snakefly #Play #CVE-2024-4040 #RDP

Key points

  • Ransomware attacks increased by 36% in Q2 2024, totaling 1,310 claims.
  • LockBit (operated by the Syrphid group) rose to 353 attacks.
  • Noberus operation closed in March 2024; new operators emerged (Qilin, RansomHub).
  • Qilin’s attacks up 47% to 97; Play’s attacks up 27% to 89.
  • RansomHub’s attacks tripled to 75, becoming one of the most prolific.
  • Attackers exploit known vulnerabilities in public-facing apps and target exposed RDP servers with weak credentials; MFA absence facilitates credential dumping.

MITRE Techniques

  • [T1190] Exploitation of Public-Facing Application – Attackers exploit known vulnerabilities in public-facing applications, such as CVE-2024-4040, which was used ‘to run remote commands to download malware onto compromised machines.’
  • [T1210] Remote Services – Attackers target exposed RDP servers with weak credentials.
  • [T1003] Credential Dumping – Weak credentials are exploited due to the absence of multi-factor authentication (MFA).
  • [T1071] Command and Control – Threat actors use remote commands to download malware onto compromised machines.

Indicators of Compromise

  • [Vulnerability] CVE-2024-4040 – Used to run remote commands to download malware onto compromised machines, and patched on Apr 19, 2024.
  • [Exposure] Exposed RDP servers with weak credentials – Targeted for initial access; without MFA, weak credentials are enough to gain a foothold.

Read more: https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomware-attacks-rebound