Ransomware Recap: The Latest Data, Threats and Updates for MSPs

Ransomware attacks against organizations are escalating, with global threat actors looking for opportunities to disrupt critical services, lift data and extort victims.

In the latest example, the Black Basta ransomware group successfully compromised U.S. oil and fuel distributor Atlas Oil, making off with 730 GB of data including financial, human resources and executive records. In early May, an attack against Ascension disrupted services across 140 hospitals. And in April, retailer London Drugs experienced a ransomware attack that forced the company to close all its stores in Western Canada.

As these types of incidents continue to make headlines, business leaders are taking notice. In Arctic Wolf’s 2024 State of Cybersecurity Trends report, respondents listed ransomware as their top concern for the third consecutive year.

“This concern is not without merit when we consider that 45% of the organizations we spoke with admitted to being the victim of a ransomware attack within the last 12 months, a 3% increase over last year,” Arctic Wolf stated.

According to Arctic Wolf, roughly 94 percent of ransomware victims experienced a period of significant downtime and productivity delays, with 40 percent reporting a period of total work stoppage. Half of respondents said productivity was substantially impacted from four months to more than a year after an attack.

Arctic Wolf also found that the median ransomware demand is now $600,000, with victim organizations paying some or all of the ransom 83 percent of the time. Further research from Chainalysis shows that ransomware payments exceeded $1 billion in 2023, reaching a record high after falling in 2022.

A Changing Landscape

In its 2024 MSP Threat Report, ConnectWise reported a 94% YoY increase in ransomware sightings. ConnectWise also found that 56 percent of attacks came from leading groups, including:

  • LockBit
  • PLAY
  • BlackCat
  • 8base
  • Cl0p

ThreatDown’s latest research suggests that PLAY is the current ransomware leader, following the disruption of LockBit by the U.K.’s National Crime Agency and the FBI.

This is just the tip of the iceberg for active ransomware strains. For a deeper dive into ransomware like BitPaymer, Cryptolocker, DarkSide and others, check out CrowdStrike’s recent post.

Interestingly, while ransomware attacks are increasing, the number of new ransomware strains in circulation appears to be declining. Rapid7 observed just 43 new ransomware families in 2023, down from 95 in 2022.

“The reduction in the number of ransomware families likely reflects a combination of matured and effective existing ransomware capabilities, stable and profitable attack strategies, and possibly improved but not foolproof defensive measures,” said Rapid7 senior director of threat analytics Christiaan Beek.

Ransomware operation targets Windows system admins

According to BleepingComputer, an ongoing ransomware operation is targeting Windows system administrators using search engine ads that lead to fake download sites for the WinSCP and PuTTY utilities. The threat actor uses typosquatting to impersonate real sites and includes links that either redirect users to legitimate pages or download ZIP archives from the threat actor’s servers.

Black Basta breaches over 500 global organizations

In a recent joint report, CISA and the FBI said that Black Basta ransomware affiliates breached more than 500 private industry and critical infrastructure entities between April 2022 and May 2024. The gang stole data from 12 out of 16 critical infrastructure sectors.

LockBit group attacks the City of Wichita with ransomware

The LockBit ransomware group claimed responsibility for a successful attack against the City of Wichita that disrupted numerous areas including its water service, airport and public transit system. This attack is still under investigation, and it’s not clear whether the city paid the ransom to restore access to its services.

Ransomware: Bad and Getting Worse

For MSPs, the message is clear: The ransomware problem is intensifying, and there is no end in sight. It’s just a matter of time before your customers get hit.

According to one study, 75 percent of customers are ready to shift to a competitor if a company suffers a ransomware attack. And 55 percent prefer working with companies that offer comprehensive data protection measures like reliable backup and recovery, identity and access management and password protection.

Considering this, ConnectWise lists ransomware as a main challenge for MSPs in 2024, citing “significant growth in the number and impact of ransomware attacks, which have doubled in the past year.”

During a recent keynote conversation on cybersecurity strategies for MSPs at N-able’s Empower Conference in Frisco, SentinelOne chief intelligence and public policy officer Chris Krebs spoke about ransomware’s place in the evolving threat landscape. Krebs believes that the ransomware problem is not going away, with the U.S. government and allies essentially unable to stop it. What’s more, threat actors are accelerating extortion efforts.

“The thing that you should be thinking about first thing in the morning when you get out of bed, and the last thing you think about before you go to bed is ransomware — the threat actor that doesn’t care who you are or what you are because they’re not trying to steal necessarily your sensitive data,” Krebs explains. “They’re trying to lock you up and take stuff from you that they know you want to get back.”

Arctic Wolf also discussed the shift to extortion in its 2024 threat report.

“Our results highlight the evolution of ransomware beyond the traditional approach of simple data encryption into what is often now a multifaceted attack that can include data exfiltration and potential extortion,” said Arctic Wolf. “Our results show 86% of ransomware attacks included successful data exfiltration with another 5% of security teams successful in preventing the attempt of data exfiltration during the attack.”

According to Arctic Wolf, only 57 percent of victims were notified about data exfiltration by the ransomware perpetrators.

“In their communications, these threat actors included data release prevention as part of the ransom demand,” the report continued. “The remaining 28% of victims who identified successful data exfiltration as part of their investigation into the event were not notified by the perpetrators. In these circumstances the threat actors would likely have been planning a secondary extortion attempt threatening the unauthorized release or other malicious usage of this stolen data.”

Closing the Ransomware Knowledge Gap

While there is no way to prevent ransomware attacks, MSPs can take active measures to protect SMB clients from sophisticated and evolving threats.

One of the best services that MSPs can provide is ongoing cybersecurity training and education. According to a new report from Veritas Technologies, overconfidence and other ransomware misperceptions may be putting organizations at risk.

Here are some key takeaways:

  • Regardless of their confidence level, employees are still likely to open an email, even when it seems suspicious, if it appears to come from a friend (63 percent) or colleague (63 percent). Employees are also more likely to open questionable emails that appear related to employer benefits (60 percent), an online order (56 percent), or a bank or credit card issuer (54 percent).
  • Employees typically look for signs like misspelled words (81 percent) or poor grammar (82 percent) to identify email phishing attempts. However, most IT professionals (81 percent) recognize that attackers now use AI to eliminate these giveaways.
  • More than 80 percent of IT professionals say their company has invested more in technologies like AI to counter ransomware attacks. Two-thirds (66 percent) say their organization conducts security audits more frequently, while 62 percent have added stricter data access controls.

The research suggests that security leaders could do more to warn employees about the dangers of ransomware. For example, only 49 percent of employees are worried about opening the door to a ransomware attack through their work email. This comes despite roughly three-quarters (73 percent) of IT professionals reporting an increase in ransomware attacks against their organizations over the past six months.

While 73 percent of IT professionals have updated their employee security training, employees may not get better at spotting phishing attempts that could lead to ransomware. Nearly one-third (30 percent) of IT professionals say they have not observed an increase in employee-reported ransomware attempts.