Security Bite: Ransomware groups surge in Q3 2024, with shifting dominance

Arin Waichulis | Nov 21 2024 - 2:11 pm PT

9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.

Corvus, one of the leading cyber insurance providers, has published its quarterly Cyber Threat Report for Q3 2024, focused on the shifting ransomware landscape. While the rising number of ransomware attacks should be no surprise to anyone, the report outlines how cybercriminals are becoming more competitive and adopting more aggressive strategies rather than waiting for the next mass-exploit event.

About Security Bite: Security Bite is a weekly security-focused column on 9to5Mac. Every week, Arin Waichulis delivers insights on data privacy, uncovers vulnerabilities, or sheds light on emerging threats within Apple’s vast ecosystem of over 2 billion active devices to help you still safe.

Shifting dominance

Most interestingly, Corvus’s latest Cyber Threat Report claims the ransomware threat landscape is becoming increasingly distributed, with 59 active groups now operating worldwide. The findings reveal a shift away from the dominance of the major players (like LockBit 3.0 and ALPHV) toward a more fragmented ecosystem.

The shift could result from increased law enforcement activity toward big players. Earlier this year, the FBI, Europol, and the UK’s NCA successfully seized LockBit’s infrastructure. Authorities recovered over 1,000 decryption keys for victims. While arrests were made, the LockBit group has persisted and continues to operate even today–hence the “3.0” in LockBit 3.0. ALPHV also experienced a similar takedown.

As they exist today, Ransomware groups are primarily run as RaaS (Ransomware-as-a-Service) businesses. This means the malware developers (or operators) write the software, and affiliates, usually people with less technical knowledge, pay for the malicious package and direct it at whomever they like. The operators will handle the payment processing and even customer service for victims, often taking a cut of the ransom at the end.

Now that authorities are successfully taking down these significant operators, affiliated criminals are likely thinking twice about who to work with. Essentially picking the car with no accident history. When authorities successfully take down these major groups, they often gain access to internal systems, admin panels, and communication channels, creating significant risks for any affiliated criminals. An investigation can reveal operational details, cryptocurrency transaction records, and a trail of breadcrumbs that can lead back to the affiliate’s identity.

This new reality seemingly pushes affiliates toward smaller and more agile ransomware operations.

Newer groups like RansomHub, which saw a 160% increase in victims, according to Corvus, show how affiliate preferences are changing. These smaller groups can attract affiliates better by offering more competitive terms and better protection through more focused operations.

Other key highlights from the report: