Comparitech recently shared a roundup of ransomware trends for the month of February. They found that:
- The number of ransomware attacks in February was nearly double that of the previous month.
- The ransomware group Clop, which gained heightened notoriety following the 2023 MOVEit hack, released the remainder of its Cleo secure managed file transfer vulnerability victims. The group, which is believed to be based in Russia, has released data on approximately 70 victims since last fall as part of its pattern of multi-level extortion strategies. The malware distributor is believed to have received over $500 million in ransom payments since its inception in 2019.
- RansomHub and Qilin had the most confirmed attacks. RansomHub might be the fastest-rising ransomware-as-a-service group targeting the industrial sector. The group, which is thought to be based out of either Russia or China, burst onto the scene last February, most likely picking up the pieces after law enforcement hit the ALPHV and LockBit groups. Formerly known as Cyclops and Knight, the group is responsible for nearly 300 attacks over the last year, using phishing emails and password spraying tactics to target internet-facing systems and user endpoints in the critical infrastructure and manufacturing sectors.
- The number of attacks instigated by the Medusa group also increased significantly in February. The Russian RaaS group uses initial access brokers to get into a system where their malware can be used to steal and encrypt data, holding it for ransom. Coming on the scene in 2022, the group is a leading user of living-off-the-land, or dwelling, attacks, and counts Toyota in its collection of high-profile victims.
- The most targeted sector (for confirmed attacks) was the manufacturing sector. This included an attack on Italian furniture maker Alf DaFrè, which saw manufacturing come to a halt for eight days as a result of the hack.
- February also saw the emergence of some new groups, including Anubis and Run Some Wares. Anubis is another Russian ransomware-as-a-service group that was first identified later in 2024. The group employs a number of affiliate programs, which makes sense given their relative level of experience and resources, but has been expanding the targets of their double extortion campaigns from healthcare to the industrial sector.
- Not much is known about the newcomer Run Some Wares, other than it seems to favor using its double extortion strategies on industrial and logistics companies.
More information on Comparitech and its recent findings can be found here.