Q2 Cyber Threat Report: Ransomware Season Arrives Early
In this report, our threat intel team highlights our critical cyber threat and ransomware findings from Q2 2024 and what it means for the threat landscape.
This February, our Threat Intel team reported that 2023 was a record-breaking year for ransomware: the number of active ransomware groups grew by one-third, and the number of ransomware leak-site victims in Q4 was up 69% year-over-year.
The Corvus team also predicted an increase in threat actors exploiting back-end systems through exposed keys. Unfortunately, they were right.
Amid these bleak statistics, there’s a bright side: law enforcement’s tangible impact in thwarting threat actors on the dark web. Last August, international law enforcement took down the Qakbot malware network and seized approximately $8.6 million in illicit cryptocurrency profits. Also known as QBot, this network used malicious code to gain initial access to victim networks.
Although threat actors wasted little time pivoting to new malware, the takedown appears to have been a setback, evidenced by lower-than-expected attacks last October. Then, in Q4 2023, law enforcement disrupted one of the most prolific ransomware gangs, ALPHV/BlackCat, which accounted for nearly a quarter of all ransomware victims in Q3 2023.
As encouraging as last year’s news was, the game of Whack-A-Mole continues apace. Law enforcement throws a wrench in threat actors’ plans, affiliates become wary of working with the targeted group, and some groups dissipate. Other groups like BlackCat bounce back, attack, make headlines — and claw in piles of money. In the “new normal” for ransomware, threat actors continue to inflate year-over-year numbers by relying on new and old ways to exploit vulnerable organizations.
The macro ransomware landscape painted by our Threat Intel team recently got micro when the FBI assisted our in-house claims team with a significant ransomware claim.
A ransomware gang successfully targeted our insured, a wholesale distributor with locations throughout the U.S., gaining access to the company’s systems, encrypting them, and exfiltrating data. Most concerningly, the gang had encrypted the company’s business-critical ERP system, halting operations across the U.S.
The distributor immediately reported the incident so we could connect them with counsel, forensics, and a ransom negotiator. We also liaised with the FBI, who provided a free decryption tool that allowed the insured to decrypt all business-critical systems. As a result, the distributor was back up and running with minimal business disruption and without paying a dime to the ransomware gang.
The encryption process corrupted a small portion of the data (in our experience, the data recovery process is rarely perfect). Luckily, the distributor had backups that filled the gaps, resulting in virtually zero data loss.
Meanwhile, their ransom negotiator was on the phone with the threat actor group, attempting to delay posting the exfiltrated data to the gang’s dark web leak site. Again, just in time, the FBI sprang into action. They seized the leak site and took it down, preventing any sensitive information from being posted to the dark web.
While the FBI was able to swoop in and minimize the impact for this insured, law enforcement can’t save the day on every claim. Law enforcement actions do have a significant impact on the ransomware ecosystem, but that does not diminish the importance of laying a strong security foundation at your organization.
Data should be backed up 1) on-premises, 2) off-premises, and 3) in the cloud, so that a usable copy is available to fill any gaps when data needs to be restored. Backups and patching can literally save your business, so do it now and do it always.
We are here to assist you in navigating the ransomware “new normal” by helping you prioritize, prepare, and stand your ground, supported by our in-depth data and expertise. Watch Corvus experts dissect claims findings, explore trends from the dark web, and learn more about what your business can do to minimize the risks and impacts of ransomware.