Cybersecurity firm Dragos has identified 23 ransomware groups that impacted industrial organizations, according to its Industrial Ransomware Analysis: Q3 2024 report.
Some of these groups were entirely new entities, while others were assessed to be rebranded versions of existing groups.
These included APT73, which has been linked to remnants of LockBit affiliates because it has repurposed the gang’s operational methods. APT73 also introduced new payloads to evade detection and maintain its foothold in the ecosystem.
These campaigns prioritized industries with a low tolerance for downtime, such as healthcare, financial services and industrial operations. The attackers appeared to view sectors where operational disruption can cause cascading impacts as more likely to pay ransom demands.
The analysis highlighted several prominent ransomware incidents affecting industrial organizations in Q3 that led to operational halts, financial losses and compromised data integrity.
These included automotive software firm CDK, which paid a $25m ransom to the BlackSuit gang after an attack disrupted thousands of car dealerships across the US and Canada.
In another incident, oilfield services company Halliburton saw its operations disrupted by a ransomware attack attributed to RansomHub; financial losses of approximately $35m were recorded.
Ransomware Groups Evolve Their Tactics
The Dragos report highlighted a number of ransomware gangs that evolved their tactics in the latter half of 2024.
The Eldorado and Play ransomware operators were observed to have shifted their intrusion tactics, techniques and procedures (TTPs) to focus on virtual networking applications, according to the Dragos report. These groups were seen targeting VMware ESXi environments.
Another notable trend in 2024 has been attackers combining vulnerability exploitation with credential-based attacks to bypass multi-factor authentication (MFA) protections.
Additionally, VPN exploitation is increasing despite being predominantly associated with opportunistic attacks, Dragos observed.
Several prominent ransomware groups exploited vulnerabilities in VPNs and leveraged living-off-the-land techniques to gain traction in target organizations during Q3.
These included Fog ransomware, Helldown and RansomHub, which have demonstrated sophisticated encryption, exfiltration, persistence and disruptive capabilities in critical industrial organizations, including in energy, water management, transportation and manufacturing.
The researchers also observed an expanded reliance on initial access brokers (IABs) in the ransomware-as-a-service (RaaS) model to facilitate entry into targeted environments in Q3.
“These brokers acted as force multipliers, enabling ransomware groups to scale their operations by focusing on payload deployment and extortion strategies,” Dragos noted.
Ransomware Groups Using Advanced Persistence Mechanisms
Several ransomware groups expanded their post-compromise lateral movement capabilities by blending traditional techniques with advanced persistence mechanisms, according to the report.
These techniques included:
- Living-off-the-land. Ransomware operators were able to evade detection by mimicking legitimate network activity using legitimate administrative tools such as PowerShell, certutil.exe and PsExec
- Abusing remote access tools. Attackers increased their use of remote access tools such as AnyDesk and Quick Assist, alongside custom scripts designed to disable antivirus protection
- Targeting virtual environments. Groups such as Eldorado and Play developed Linux lockers specifically to target VMware ESXi environments, which encrypt critical virtual machine files while disabling active virtual machines
- Integrated advanced malware. Groups such as Black Basta shifted to custom malware, employing backdoor tools such as SilentNight, tunneling utilities such as PortYard and memory-only droppers such as DawnCry to maintain persistence and evade endpoint detection.
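One way a defender can operationalize the first two items in this list is a small rule set run over process-creation telemetry, flagging the administrative and remote-access tools named above and then escalating any account that triggers more than one technique family. The Python below is an added example, not code from Dragos or the report; the events are constructed Sysmon-style records, and the field names, rule names, file paths and the two-family threshold are assumptions.

```python
import re

# Constructed process-creation events in a simplified Sysmon-like shape
# (assumed fields: user, parent, image, cmd). Not taken from the report.
SAMPLE_EVENTS = [
    {"user": "CORP\\jdoe", "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmd": "notepad.exe report.txt"},
    {"user": "CORP\\svc-backup", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmd": "certutil.exe -urlcache -split -f http://placeholder.invalid/f.txt f.txt"},
    {"user": "CORP\\admin", "parent": "services.exe",
     "image": "C:\\Windows\\PSEXESVC.exe", "cmd": "PSEXESVC.exe"},
    {"user": "CORP\\jdoe", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc UGxhY2Vob2xkZXI="},
    {"user": "CORP\\jdoe", "parent": "explorer.exe",
     "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "cmd": "AnyDesk.exe"},
    {"user": "CORP\\admin", "parent": "explorer.exe",
     "image": "C:\\Program Files\\WindowsApps\\QuickAssist\\QuickAssist.exe",
     "cmd": "QuickAssist.exe"},
]

# (rule name, regex, field to match). The prefix before the dot is the
# technique family used for escalation: lolbin or remote_tool.
RULES = [
    ("lolbin.certutil_download", r"certutil(\.exe)?\s.*-urlcache", "cmd"),
    ("lolbin.psexec_service", r"psexesvc\.exe$", "image"),
    ("lolbin.powershell_encoded", r"powershell(\.exe)?\s.*-enc(odedcommand)?\b", "cmd"),
    ("remote_tool.anydesk", r"anydesk\.exe$", "image"),
    ("remote_tool.quick_assist", r"quickassist\.exe$", "image"),
]


def evaluate(events):
    """Return (rule_name, user, image) for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, pattern, field in RULES:
            if re.search(pattern, ev[field], re.IGNORECASE):
                hits.append((name, ev["user"], ev["image"]))
    return hits


def suspicious_users(hits, min_families=2):
    """Accounts seen using more than one technique family, which is a stronger
    signal than any single LOLBin or remote-access tool on its own."""
    families = {}
    for name, user, _ in hits:
        families.setdefault(user, set()).add(name.split(".")[0])
    return sorted(u for u, fams in families.items() if len(fams) >= min_families)


if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for hit in hits:
        print("ALERT", *hit)
    print("escalate:", suspicious_users(hits))
```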