May 30 Webinar | SOC Talk: Automating Threat Response
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Beyond MDR
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Operational Technology
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Threat Hunting
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Threat Intelligence
Find cyber threats that have evaded your defenses.
Model Index
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
Phishing Analyzer
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
Integration Partners
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Blog
Company Blog
Case Studies
Brands of the world trust ReliaQuest to achieve their security goals.
Data Sheets
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
eBooks
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Podcasts
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
Solution Briefs
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
White Papers
The latest white papers focused on security operations strategy, technology & insight.
Videos
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
ReliaQuest ResourceCenter
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Threat Research
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
Shadow Talk
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
May 14, 2024
About ReliaQuest
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Leadership
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Careers
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
Contact Us
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
Key Points
In Q1 2024, ReliaQuest identified 1,041 organizations posted to ransomware data-leak sites (DLS), representing an 18% decrease from Q4 2023. While Q1 2024’s figures indicate somewhat of a slowdown in ransomware activity, it likely only represents a temporary lull. We expect ransomware to rise in the second quarter of 2024, a trend we’ve seen in previous years.
A law enforcement crackdown on the LockBit ransomware group in February of this year likely contributed to a dip in overall ransomware activity. While LockBit, the most prolific ransomware group in recent years, showed resilience in the aftermath of this operation, it was short-lived: The group saw a 21% decrease in activity this quarter compared to Q4 2023.
Q1 2024 also saw an ALPHV exit scam, in which the group posted a potentially fake law enforcement takedown notification on its DLS. We suspect this was conducted to scam its affiliates out of a $22 million ransom payment allegedly taken from UnitedHealth’s Change Healthcare unit. Several ALPHV members have likely moved to other ransomware operations following this (including the RansomHub group, which emerged in February 2024).
These events contributed to a tumultuous first three months of 2024 for the ransomware ecosystem; however, the threat these groups pose remains. This report outlines some of the key takeaways from this period.
In Q1 2024, ransomware activity trended down, with monthly figures failing to reach 400 organizations posted to ransomware DLS pages, which is typically the average.
Compared to Q1 2023—which saw 860 victims posted to leak sites—Q1 2024 represented a 20% increase, highlighting that while this is a slow period for ransomware activity, the overall activity is trending upwards. This is likely due to the continued success for ransomware actors and a continuation of endemic security failings that facilitate these threats. A slow start to the year is likely due to the celebration of Orthodox Christmas in many Russian-speaking regions on January 7, 2024. It is also realistically possible that the start of the new year represents a planning phase for ransomware groups, identifying who they will target in the coming months and other operational changes. This is consistent with our findings for Q1 in previous years.
Figure 1: Number of compromised organizations listed on data leak sites, Q1 2024
In terms of delivery mechanisms, the tactics used by ransomware groups remained consistent. Phishing, exposed remote services, and exploitation of public facing vulnerabilities remain the most common methods of obtaining initial access to targeted organizations. The majority of this activity appears opportunistic, exploiting the many endemic security failings that are present across businesses.
In terms of target geography, unsurprisingly, the US remains the most targeted, followed by Canada and the UK. This is likely due to the perception that organizations in English-speaking countries are financially able to pay ransoms to restore their operations. There is also likely a nationalistic driver in targeting organizations in countries whose policies are perceived to be opposed to Russian interests—many ransomware operators are based in Russian-speaking parts of the world—however, this is likely secondary to the pure financial motivation behind their activity.
Manufacturing was the most common target for ransomware activity in Q1 2024, followed by the Professional, Scientific, and Technical Services (PSTS) sector; Construction; Healthcare; and Retail. The top five sectors remained almost identical to the previous quarter, consistent with earlier findings in Q4 2023. These sectors are not only more vulnerable to ransomware attacks, but also likely to experience the most significant impact from prolonged outages. In particular, manufacturing suffers from extended outages due to the correlation between impact on IT and operational technology (OT). Without working IT processes, manufacturing cannot continue operations, which may drive manufacturing companies to pay the ransom rather than continue to see downtime.
Figure 2: Ransomware targets by sector, Q1 2024
The most active groups can be seen on Figure 3. Despite the law enforcement operation targeting it in February 2024, LockBit was still the most active group. The next four most active were Black Basta, Play, ALPHV, and Akira.
This was similar to the previous quarter, which saw LockBit, Play, ALPHV, No Escape, and 8base as the most active groups. The biggest change since the last quarter was the shutdown of the NoEscape ransomware operation. The group’s DLS closed in December 2023, with affiliates of NoEscape alleging that the group conducted an exit scam to cheat affiliates out of millions of dollars in ransom payments. Reportedly, LockBit recruited several NoEscape and ALPHV affiliates, who conducted their own exit scam in February 2024.
This turbulence emphasizes the boom-and-bust nature of ransomware activity, with groups shutting down as quickly as they start up. It also underscores the untrustworthy nature of cybercriminal activity, with members more than willing to scam their fellow members out of payments.
Most ransomware groups, including LockBit, Play, ALPHV, and Akira, all saw smaller numbers of victims than in Q4 2023. On the other hand, Black Basta saw a 41% growth in activity, posting 72 targeted organizations in Q4 2023 but 102 in Q1 2024.
Black Basta has been in operation since early 2022 and has consistently been one of the most active groups. The group is widely believed to be an offshoot of the prolific Conti group, which disbanded in 2022. It is likely that the group’s output at the end of 2023 was affected by the takedown of the Qakbot loader malware, which was targeted by law enforcement in August 2023 but resurfaced in December; Qakbot was one of the primary tools used by several ransomware groups, particularly Black Basta.
A newer version of Qakbot is now in operation, reportedly leveraging malicious versions of OneNote notebooks. In January 2024, Black Basta was observed using Pikabot malware as a replacement for Qakbot. The spike in activity in Q1 2024 indicates that the group has adapted to a new malware, either Pikabot or use of the new Qakbot variant. We predict that Black Basta will continue to be a ransomware frontrunner in the second quarter of this year.
Figure 3: Most active ransomware groups, Q1 2024
The biggest event affecting the ransomware ecosystem in Q1 2024 was the law enforcement operation targeting LockBit. This internationally coordinated operation—named Operation Chronos—took place on February 20, 2024, resulting in the takedown of significant sections of LockBit’s infrastructure, two arrests, and most importantly, the production of a decryption key to help previous LockBit victims restore their files.
LockBit quickly recovered its activity and began new attacks after the operation. The group’s overall activity numbers are significantly down for the quarter, however, from 275 in Q4 2023 to 216 in Q1 2024. This drop is likely attributable to LockBit having to renew its seized infrastructure but also the inevitable blow to its reputation among affiliates.
On February 19, 2024, cybercriminal forum chatter speculated that “LockBitSupp”—the LockBit forum representative on the prominent Russian-language cybercriminal forum XSS—was collaborating with law enforcement and would “deanon” (deanonymize) the forum administrator, raising concerns that the anonymity of the rest of the forum’s membership was also at risk.
Figure 4: Post on Russian-language cybercriminal forum related to Operation Chronos
The operation was a significant success for law enforcement because it not only produced the decryption key to help victims but also supplied a wealth of intelligence that will shape law enforcement efforts in the future.
The future for LockBit remains unclear. While the group may be able to recover its infrastructure to start operations again, many affiliates likely feel apprehensive about their involvement with a group that has seemingly been compromised by law enforcement. The most likely outcome is that LockBit will attempt a rebrand, potentially to the “DarkVault” group identified in early April 2024. On the launch of the new DarkVault DLS, researchers noted several similarities with LockBit’s branding, including the font, use of red and white, and even the format of the group’s ransom demand countdown clock. It is likely that these design similarities were not intentional, as they soon disappeared. Given these mistakes, it is likely that DarkVault’s developers have had previous involvement with LockBit, although it’s unclear to what extent. DarkVault has posted a limited number of organizations to its DLS; whether it can step into the void left by its alleged predecessor remains to be seen.
After ALPHV solicited a $22 million ransom payment from Change Healthcare, on March 3, 2024, one of the group’s affiliates made a public statement claiming that they had been cheated out of their cut. Two days after that, ALPHV’s public DLS displayed an FBI takedown notice. This turned out to be a fake taken from a previous law enforcement operation, likely the group’s attempt to keep the ransom rather than pay affiliates.
Figure 5: ALPHV affiliate claims the group scammed its affiliates out of their cut of a ransom payment
The exit scam indicates that, after receiving the $22 million payout, ALPHV chose to either retire or rebrand—a strategy frequently adopted by ransomware groups to evade law enforcement. ReliaQuest has not observed any activity from ALPHV since this incident.
Despite reportedly paying a ransom, Change Healthcare soon faced another attack by RansomHub, a group that surfaced in February 2024 and is possibly a rebranded version or offshoot of ALPHV. ReliaQuest found forum posts indicating that several ALPHV affiliates have joined RansomHub, though it’s also possible that the two groups were once distinct entities.
Figure 6: Forum user claiming that RansomHub has former members of the ALPHV operation
RansomHub takes a unique approach to payment between the group’s developers and the affiliates who are carrying out attacks. RansomHub allows affiliates to receive 100% of the proceeds from attacks, but the affiliates must then send 10% of those earnings to RansomHub’s developers. This model reverses the strategy taken by most other ransomware groups, placing greater responsibility on the affiliates to provide profits.
Given that many of RansomHub’s members have reportedly moved over from ALPHV—and presumably, many who were affected by the exit scam—it is possible that this arrangement was a demand from membership, to avoid being similarly defrauded in the future. This move will likely be popular to new members, which could lead RansomHub to become a significant force within the ransomware ecosystem.
Figure 7: RansomHub ransomware-as-a-service (RaaS) program advertisement
The Change Healthcare attack—which some commentators suggested was the “Colonial Pipeline moment in healthcare”—will have ongoing implications. The attack has had a broad impact, since the company is connected with most hospitals in the United States and holds vast amounts of patient data. ALPHV, along with RansomHub, will probably have sold the data to other cybercriminals who might then use this information to commit further fraudulent activities— the social engineering attacks that have plagued healthcare companies in Q1 2024 are almost certainly related.
While Q1 2024 has seen a dip in overall activity, we expect numbers to trend upward for the rest of 2024. Here are a few more of our predictions for the remainder of the year.
The return of the Clop ransomware group was something we predicted in the previous quarter. Clop had enormous success in 2021, 2022, and 2023 in targeting commonly used file transfer software, exploiting zero-day bugs to facilitate data theft. This includes the MOVEit, GoAnywhere, and Accellion file transfer software.
In Q1 2024, the group only named eight organizations on its DLS, the same number it had posted in Q4 2023. However, Clop typically works in bursts, going quiet for several months before impacting thousands of organizations in one big campaign.
The last such campaign, which targeted MOVEit, began in July 2023 and ended around November 2023. It brought enormous success for Clop. Given the amount of time that has passed since this campaign, we believe the group will return soon, likely targeting other susceptible file transfer software.
As businesses continue to migrate to cloud services and software-as-a-service (SaaS) platforms, attackers are likely to follow. Expect ransomware to exploit vulnerabilities specific to these environments, possibly targeting misconfigurations and weak access controls to encrypt data stored on cloud services.
Generative artificial intelligence (AI) is set to revolutionize many aspects of our daily lives, including the world of security. Our recent Annual Threat Report identified that organizations using AI and automation in their incident response saw a 98.8% improvement in their mean time to resolve (MTTR) incidents.
While this technology is game-changing for defenders, generative AI is also likely to enhance the efficiency and timeliness of commodity threats, like ransomware. Attackers might leverage AI and machine learning (ML) to automate target selection, customize phishing messages, and optimize the encryption process. This could lead to more efficient and targeted attacks, increasing the success rate of ransomware campaigns.
In several recent law enforcement operations, including Operation Chronos and the ALPHV and Hive operations, law enforcement groups created a decryption tool by collating decryption keys shared within the groups’ infrastructure. To prevent this going forward, ransomware groups will probably change the way they share and store decryption keys, potentially moving them to offline infrastructure.
ReliaQuest comprehensively tracks the developments in the ransomware scene—profiling new groups, monitoring daily activity, and watching for changes in threat actor tactics, techniques, and procedures (TTPs). We use these findings to create custom detections that improve customers’ resilience to ransomware activity.
We recommend taking the following steps to minimize the risk from ransomware.
Get a live demo of our security operations platform, GreyMatter, and learn how you can improve visibility, reduce complexity, and manage risk in your organization.