A new study has found that threat actors are taking advantage of times when security professionals are off-duty to stage their ransomware attacks. Malwarebytes' ThreatDown 2024 State of Ransomware report has revealed that the majority of incidents over the past year occurred between 1 a.m. and 5 a.m.
The report’s authors used data from the ThreatDown Managed Detection and Response team to conduct their research. The report found that ransomware attacks globally increased by 33% over the past year, with the most affected countries seeing the largest increases. The UK saw a 67% increase in known attacks, and the US saw a 63% increase.
“The question I ask organizations is, ‘Do you have anyone prepared to stop an attack at 2 a.m. on a Sunday with your existing technology stack and staff resources?’” said Chris Kissel, research vice president of IDC’s Security and Trust Products group, in a press release.
“They may have a tool to detect the alert on Monday morning, but by then it will be too late. Threat actors are moving quickly to compromise networks, download data and deploy ransomware.”
Marcin Kleczynski, founder and CEO of Malwarebytes, added: “Ransomware gangs have time and motivation on their side. They are constantly evolving to respond to the latest technologies that come after them.
“We’ve seen this very clearly over the past year, as the widespread adoption of technologies like EDR has helped identify attackers before they launch malware, forcing ransomware gangs to work faster and work harder to hide. Organizations and MSPs need additional support and ongoing coverage to outpace today’s criminals.”
Smaller ransomware groups are becoming more prolific
The share of ransomware attacks carried out by small gangs outside the top 15 most active groups increased from 25% to 31% last year. This indicates that simulated ransomware attacks are becoming more accessible to less experienced attackers.
In January 2024, the UK’s National Cyber Security Centre warned that the threat of ransomware was expected to increase further due to the new availability of AI technologies that lower the barrier to entry. For example, Google Cloud analysts said generative AI could be used in call centres conducting ransomware negotiations.
Malwarebytes’ report also found that the share of ransomware attacks that dominant ransomware-as-a-service group LockBit claimed responsibility for decreased from 26% to 20% over the past year, despite carrying out more individual attacks.
SEE: 94% of ransomware victims have their backups attacked
LockBit’s domain may have been affected after the UK’s National Crime Agency’s Cyber Division, the FBI and international partners successfully cut off access to its website, which had been used as a large ransomware-as-a-service store, in February.
However, a few days later, the group resumed operations at a different Dark Web address and continues to claim responsibility for global ransomware attacks.
ALPHV, the second most prolific ransomware group, also created a vacancy after a carelessly executed cyberattack against Change Healthcare in February. The group failed to pay an affiliate its share of the $22 million ransom, so the affiliate exposed them, leading ALPHV to fake a police intervention and cease operations.
The authors wrote: “With ALPHV gone and LockBit’s future uncertain, it is certain that other gangs will attempt to lure its affiliates and supplant them as dominant forces in ransomware.”
SEE: Report: AI Impacts on the Cybersecurity Landscape
Top ransomware target sectors in the US and globally in 2024
Ransomware is a growing threat worldwide, with the number of businesses attacked increasing by 27% in 2023 and payouts exceeding $1 billion (£790m) for the first time. Globally, the costs of damages caused by ransomware are projected to exceed $265 billion by 2031.
According to Malwarebytes’ report, the services sector is the most affected, accounting for nearly a quarter of ransomware attacks globally. Compromising critical national infrastructure can lead to widespread disruption, making it a prime target for ransomware.
In May, the UK’s National Cyber Security Centre and other international cybersecurity authorities, including the FBI, warned of targeted cyberattacks against operational technology providers. The warning was issued in light of “continued malicious cyber activity” against water, energy, and food and agriculture companies between 2022 and April 2024.
WATCH: How hackers infiltrate critical infrastructure
The report also found that while the United States accounts for nearly half of all ransomware attacks worldwide, it receives 60% of global attacks on the education sector and 71% of them on the healthcare sector.
This could be related to their highly privatized and therefore wealthy healthcare system and higher education institutions, as well as strict regulations such as HIPAA and FERPA that pressure organizations to pay ransom to avoid fines.
The global manufacturing sector saw a 71% year-over-year increase in ransomware attacks, which is consistent with increased software spending in the sector.
“The most likely explanation, therefore, is that the number of targets available in the manufacturing sector has increased over the past two years, perhaps due to increasing digitalization within the sector,” the authors wrote.
Tactical changes for ransomware attackers in 2024
The ThreatDown MDR team observed an increase in “living off the land” techniques being used by ransomware gangs such as LockBit, Akira, and Medusa. Living off the land is the use of legitimate tools and software pre-installed within a target environment during an attack to help evade detection.
This can reduce the overall complexity of the malware by allowing the attacker to weaponize existing features that have already been tested by the organization, as well as making detection and prevention more difficult. The M-Trends 2024 report from Google subsidiary Mandiant also noted a rise in attacks on companies that live off the land in May.
The M-Trends report also found that the average dwell time (the amount of time attackers remain undetected within a targeted environment) of global organizations fell from 16 days in 2022 to 10 days in 2023.
Malwarebytes’ report also indicates this faster attack timeline, with data from ThreatDown Incident Response showing how the entire ransomware attack chain, from initial access to data encryption, has been reduced from weeks to hours.
