2024 Q1 Top Ransomware Trends

Ransomware

April 4, 2024

The NJCCIC continues to receive reports of ransomware incidents impacting New Jersey private organizations and the public sector. Threat actors primarily targeted critical infrastructure and educational institutions, likely due to budgetary restraints, limited resources, and reliance on third-party vendors. These incidents resulted in financial losses, operational disruptions, and the loss of confidentiality, integrity, and availability of data and information systems. For the first quarter of 2024, we review the top ransomware variants reported to the NJCCIC, highlight ransomware trends, and provide recommendations to educate users and organizations to reduce the likelihood of victimization.

For the first quarter of 2024, ransomware incidents reported to the NJCCIC consisted of Akira, LockBit, and Play ransomware. There was a sharp increase in Akira ransomware attacks, particularly after the LockBit ransomware group’s takedown. Akira ransomware operators are known for their sophisticated attacks, especially against US healthcare organizations. However, after the takedown, LockBit quickly relaunched operations to stay active and focused on targeting government agencies and critical infrastructure organizations, including healthcare. Also, cyberattacks targeting ConnectWise ScreenConnect vulnerabilities were linked to both LockBit and Play ransomware. Although existing ransomware groups continue their efforts, new ransomware gangs have initiated operations in 2024.

The top attack vectors for ransomware are phishing, compromising valid accounts, and external remote services. Threat actors are using artificial intelligence at an increased rate to generate targeted and sophisticated phishing campaigns and launch successful, profitable ransomware attacks. They also exploited vulnerabilities to infiltrate systems and networks, as predicted in the mass exploitation of technologies supporting hybrid and remote work and enterprise third-party file transfer solutions, such as virtual private networks (VPNs), cloud-based storage, and multi-factor authentication (MFA) tools.

An example of an initial attack vector in ransomware incidents reported to the NJCCIC was unauthorized remote login access via a VPN service. One of the tactics used was MFA prompt bombing , in which threat actors obtained account credentials and attempted to log in multiple times. They sent an overwhelming number of MFA authentication requests, hoping that the target would be distracted and unintentionally provide access or eventually give in due to fatigue and approve the request. The target could refrain from resisting temptation and approving the multiple notifications. This observed tactic has recently evolved into the threat actors calling the target from a spoofed support number to convince them to initiate a password reset and divulge the one-time password reset code. Once threat actors gained unauthorized access, they infiltrated the target organization, gained access to internal systems, and moved laterally to other critical systems. Once data was exfiltrated, they encrypted systems and servers, shutting down access to critical services and files containing personally identifiable information (PII) and financial information. Additionally, the ransomware incidents affected onsite backups; therefore, victim organizations had to resort to offsite backups, if available and viable for restoration.

Ransomware remains a prevalent threat as extortion tactics continue and evolve to pressure victim organizations to pay the ransom. Threat actors used extortion tactics, such as denying access to encrypted files, stealing data, and threatening a data breach by posting on public ransomware leak sites or releasing the stolen data to regulators, clients, or patients. The additional tactic of swatting to pressure the victim organization into paying the ransom and gaining media coverage raises public safety concerns.

The NJCCIC recommends users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. Remain vigilant, keep systems up to date, apply patches as they become available, enable strong endpoint security, and enforce cyber hygiene. Additionally, implement a defense-in-depth strategy, segment networks, apply the Principle of Least Privilege, enable MFA where available, encrypt sensitive data at rest and in transit, use a VPN, create and test continuity of operations plans and incident response plans, and establish a comprehensive data backup plan that includes performing scheduled backups regularly, keeping an updated copy offline in a separate and secure location, and testing regularly. Organizations are advised to develop and enforce robust data protection policies, conduct cybersecurity training for employees, provide transparency about data collection practices, engage in pre-emptive threat hunting, conduct vulnerability scanning and ransomware readiness assessments, and adhere to cybersecurity best practices.

The NJCCIC provides further information and recommendations in the Ransomware: The Current Threat Landscape and the Ransomware: Risk Mitigation Strategies NJCCIC products. We recommend recipients of extortion calls notify their local police department immediately if they are threatened with arrest or a law enforcement response by the caller. Cyber incidents can be reported to the FBI’s IC3 and the NJCCIC.

For any further questions, contact us here at Cyber Command.