Introduction
Since 2015, ransomware attacks have become a significant threat that organizations and enterprises cannot afford to ignore, especially as critical infrastructure (CI) sectors increasingly embrace digitalization. Due to IT and OT convergence, even OT environments have become targets for ransomware groups. In 2023, ransomware attacks were the most frequent incidents faced by OT environments, followed by issues related to a lack of security updates and APT attacks.[1] As ransomware groups continue to evolve, they have also recently taken to developing triple and quadruple extortion tactics for their attack strategies.
In response to these escalating threats, the threat research team at TXOne Networks has conducted an extensive investigation into the current ransomware landscape, using open-source intelligence and the ransom blogs commonly operated by ransomware groups as its key sources.[2][3][4][5][6] This investigation has culminated in a list of the most active ransomware groups in the first half of 2024. By understanding the methods and strategies of these groups, industries can use this analysis to better fortify their defenses and mitigate the risks associated with the digital transformation of essential services.
Ransomware Overview in H1 2024
Figure 1 shows the ransomware groups that have been active for the first half of 2024, according to the statistics reported by ransomware groups’ ransom blogs. Many well-known groups have retained their high rankings. However, to maximize financial gains, ransomware groups are continually evolving their tactics. Research into the attack strategies and techniques employed by active groups such as LockBit, Play, Black Basta, 8base, and Akira over the past year has revealed the following trends:
- Ransomware groups are increasingly using Initial Access Brokers (IAB) to gain access to organizational networks, enhancing their attack efficiency.
- Once ransomware groups obtain local administrator privileges on a compromised computer, they often deploy techniques such as LSASS dump or domain cached credential dump to enable lateral movement.
- To make it more difficult for victim organizations to defend themselves, ransomware groups may attempt to disable antivirus software and shadow copy services on compromised devices.
- To escalate from double extortion strategies to triple extortion, some ransomware groups may use tools such as Rclone or MEGA to steal data on top of their ransom demands.
Note: These statistics are based on claims made by the ransomware groups themselves, which may not always align perfectly with real incidents.
Initial Access Brokers (IABs) are threat actors who specialize in infiltrating organizational computer systems and networks. Rather than carrying out attacks themselves, IABs profit by selling unauthorized access to other malicious actors. The pricing for these different types of access is determined based on the size of the target and the category of access being sold.
Recent cases have shown that ransomware groups frequently obtain victim credentials through IABs, which can include access to cloud or VPN service accounts. Unfortunately, these technologies have already been adopted in the modern CI sectors:
- In the automotive manufacturing industry, Volkswagen Group employs AWS solutions for digitalizing production and logistics environments.[8]
- In the pharmaceutical industry, MERCK uses Azure-integrated Augmented Reality devices to optimize research operations.
- Even in the semiconductor industry, traditionally seen as isolated environments, II-VI has deployed Cadence cloud environments to swiftly configure and optimize automation processes and productivity tools.[9]
Ransomware groups often acquire computers already compromised by initial access brokers, which are pre-equipped with legitimate remote services that can be exploited to facilitate lateral movement attacks. Once they obtain local administrator privileges on a compromised computer, they often use techniques such as LSASS dump or domain cached credential dump to steal valid accounts and connect directly to other devices through services like RDP or SMB, enabling the spread of ransomware throughout an organization’s network.
As mentioned earlier, ransomware groups are escalating the pressure on victims by not only encrypting files but also stealing data so that they can apply triple extortion tactics: threatening to leak the data, harassing customers, and threatening upstream and downstream suppliers. Tools such as Rclone and MEGA are often used to exfiltrate the data of victim organizations. Worryingly, because these are legitimate tools and cloud storage services, their traffic blends in with normal activity, making the exfiltration difficult to detect.
Further Analysis of Techniques
The threat research team has compiled a summary of the recent attack techniques employed by active ransomware groups in the first half of 2024, as detailed in Table 1. This summary covers LockBit, Play, Black Basta, 8base, and Akira. Each number in parentheses indicates the frequency with which the technique was employed across these ransomware groups. Techniques commonly adopted by ransomware groups are highlighted in orange. The findings reveal that ransomware attacks are predominantly driven by financial gain and typically rely on widespread, well-known strategies to maximize their impact and profitability. With the growing trend of mutual learning, these groups increasingly use common tactics, learning from each other as they share knowledge and techniques. Below, we elaborate on several observed techniques:
Table 1. Techniques Used by Active Ransomware Groups in MITRE ATT&CK v15.1
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Exploit Public-Facing Application (4) | Command and Scripting Interpreter (3) | Boot or Logon Autostart Execution (2) | Abuse Elevation Control Mechanism (1) | Execution Guardrails (1) | Brute Force (2) | Network Service Discovery (1) | Remote Services (1) | Archive Collected Data (4) | Application Layer Protocol (2) | Exfiltration Over Web Service (3) | Data Encrypted for Impact (5) |
| External Remote Services (4) | Software Deployment Tools (1) | Valid Accounts (1) | Boot or Logon Autostart Execution (2) | Impair Defenses (5) | OS Credential Dumping (4) | System Information Discovery (3) | Lateral Tool Transfer (1) | | Protocol Tunneling (1) | Exfiltration Over Alternative Protocol (3) | Inhibit System Recovery (4) |
| Phishing (4) | System Services (1) | Create Account (1) | Domain or Tenant Policy Modification (2) | Indicator Removal (2) | Unsecured Credentials (1) | System Location Discovery (1) | | | Remote Access Software (3) | Transfer Data to Cloud Account (1) | Service Stop (1) |
| Valid Accounts (4) | Native API (1) | | Valid Accounts (1) | Obfuscated Files or Information (2) | Credentials from Password Stores (2) | System Network Configuration Discovery (2) | | | Non-Application Layer Protocol (1) | | Data Destruction (1) |
| Drive-by Compromise (1) | Windows Management Instrumentation (1) | | Exploitation for Privilege Escalation (1) | Domain or Tenant Policy Modification (1) | | Software Discovery (1) | | | Domain Policy Modification (1) | | Defacement (1) |
| | User Execution (1) | | Access Token Manipulation (1) | Masquerading (1) | | Account Discovery (1) | | | Data Obfuscation (1) | | Financial Theft (3) |
| | | | Process Injection (1) | Deobfuscate/Decode Files or Information (1) | | Process Discovery (2) | | | Ingress Tool Transfer (1) | | |
| | | | | System Binary Proxy Execution (1) | | File and Directory Discovery (1) | | | Proxy (1) | | |
| | | | | | | Domain Trust Discovery (1) | | | | | |
| | | | | | | Permission Groups Discovery (1) | | | | | |
| | | | | | | Remote System Discovery (1) | | | | | |
As previously mentioned, ransomware groups use Initial Access Brokers to obtain access to organizational networks. Consequently, during the Initial Access phase, ransomware groups often already possess valid accounts for remote services on compromised computers. Once on a victim’s computer, in the Execution phase these groups commonly rely on the Command and Scripting Interpreter technique, in particular its PowerShell and Windows Command Shell sub-techniques, because such system-native tools reduce the likelihood of detection by security personnel.
Furthermore, in the Defense Evasion phase, different ransomware groups employ a diverse toolbox of techniques. Among the most common are the Impair Defenses sub-techniques Disable or Modify System Firewall and Disable or Modify Tools, which ransomware groups use to disable or alter antivirus software and security tools on compromised devices. This not only bypasses network restrictions but also reduces the likelihood of their malicious activities being detected.
Once attackers gain local administrator privileges on a victim’s computer, they use OS Credential Dumping techniques to extract credentials for valid accounts, then log in to other devices using familiar services such as RDP or SMB. Within OS Credential Dumping, nearly every ransomware group attempts to access LSASS Memory. This technique works as follows: once a user logs in to a computer, the system generates various credential data and stores it in the memory of the LSASS process. Attackers with local administrator rights can read this memory, recover the credentials, and use them to move laterally within the network.
Lastly, to reap the benefits of extortion that goes beyond double extortion, ransomware groups steal internal data from victim organizations. They employ techniques like Archive Collected Data to obfuscate the collected information and minimize the volume of data sent over the network, making their actions less likely to be detected by defenses.
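The credential dumping, defense impairment, shadow copy deletion and Rclone/MEGA exfiltration behaviours named in the trends list earlier and in the technique discussion above can be turned into straightforward detection logic. The following Python is an added example, not code from the TXOne report: it assumes a simplified Sysmon-like event shape (event_id 1 = process creation, 10 = process access), runs over constructed sample events, and its allowlist and command-line patterns are illustrative starting points that must be tuned per environment.

```python
"""Detection logic for the behaviours described above, run over constructed sample events.

Added example, not code from the TXOne report. Assumptions: events are in a simplified
Sysmon-like shape (event_id 1 = process creation, 10 = process access); field names,
the LSASS allowlist and the command-line patterns are illustrative.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int
    image: str               # full path of the acting process
    command_line: str = ""   # meaningful for event_id 1
    target_image: str = ""   # meaningful for event_id 10
    granted_access: int = 0  # access mask requested on the target (event_id 10)


@dataclass
class Alert:
    technique: str
    detail: str
    event: Event


# PROCESS_VM_READ is the right needed to read another process's memory.
PROCESS_VM_READ = 0x0010
# Processes expected to open lsass.exe on most Windows hosts (assumed allowlist;
# add validated EDR/AV agent paths here for your own environment).
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Impair Defenses: Disable or Modify Tools / Disable or Modify System Firewall
IMPAIR_DEFENSES = [
    re.compile(r"set-mppreference.*-disablerealtimemonitoring\s+\$?true", re.I),
    re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
]
# Inhibit System Recovery: shadow copy deletion
INHIBIT_RECOVERY = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]
# Exfiltration tooling named in the report (Rclone, MEGA clients)
EXFIL_TOOLS = re.compile(r"(^|\\)(rclone|megacmd|megasync)(\.exe)?$", re.I)


def detect(events):
    """Return one Alert per matched behaviour, in event order."""
    alerts = []
    for ev in events:
        image = ev.image.lower()
        if ev.event_id == 10:
            # Credential Access: a non-allowlisted process reading LSASS memory
            if (ev.target_image.lower().endswith(r"\lsass.exe")
                    and ev.granted_access & PROCESS_VM_READ
                    and image not in LSASS_ALLOWLIST):
                alerts.append(Alert("OS Credential Dumping: LSASS Memory",
                                    f"{ev.image} opened lsass.exe with 0x{ev.granted_access:X}", ev))
        elif ev.event_id == 1:
            cmd = ev.command_line
            if any(p.search(cmd) for p in IMPAIR_DEFENSES):
                alerts.append(Alert("Impair Defenses", cmd, ev))
            if any(p.search(cmd) for p in INHIBIT_RECOVERY):
                alerts.append(Alert("Inhibit System Recovery", cmd, ev))
            if EXFIL_TOOLS.search(image):
                alerts.append(Alert("Exfiltration tooling (Rclone/MEGA)", cmd, ev))
    return alerts


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    Event(10, r"C:\Windows\System32\csrss.exe",
          target_image=r"C:\Windows\System32\lsass.exe", granted_access=0x1FFFFF),  # allowlisted
    Event(10, r"C:\Users\Public\update.exe",
          target_image=r"C:\Windows\System32\lsass.exe", granted_access=0x1010),    # unexpected reader
    Event(1, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    Event(1, r"C:\Users\Public\rclone.exe", "rclone.exe copy D:\\Shares remote:"),
    Event(1, r"C:\Windows\System32\notepad.exe", "notepad.exe readme.txt"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.technique}] {a.detail}")
```

The LSASS rule keys on the access mask rather than on tool names, because the report's point is that groups reach LSASS memory with whatever local-administrator tooling they have; the allowlist is where most tuning effort goes in practice, since security agents legitimately open LSASS.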
Since ransomware groups are adopting widespread attack strategies, even critical infrastructure (CI) sectors have found themselves in the crosshairs. This is particularly alarming because these are the sectors that can impact national security or society at large. Several CI-related incidents in the first half of 2024 include:
- Change Healthcare, a key player in the U.S. healthcare industry, experienced a ransomware attack in February that took hundreds of systems offline. Moreover, the company also faced criticism from the White House and Congress for its handling of the ransomware incident.[10]
- Although the ransomware group LockBit was successfully disrupted in February 2024 by authorities from the U.S. and U.K.,[11] they have been undeterred and are actively working to recover from the incident. Furthermore, LockBit added Crinetics Pharmaceuticals to its list of victims in March 2024, demonstrating their tenacity.[12]
- Hyundai Motor Europe was targeted by Black Basta ransomware in January, with threat actors claiming to have stolen three terabytes of corporate data.[13]
These incidents highlight the danger ransomware groups pose to CI sectors. As various ransomware variants developed by different ransomware groups continue to proliferate, defense measures have struggled to effectively mitigate threats using singular detection methods alone. This challenge is notable in CI sectors due to the nature of technological limitations in their environment, making it more difficult to fend off ransomware attacks.
In response to these challenges, it is important to implement comprehensive detection and protection mechanisms tailored to different environments. Fortunately, modern ransomware groups’ attack strategies are becoming clearer. OT environments, which often see minimal operational change during runtime, are particularly well placed to benefit from Cyber-Physical System Detection and Response (CPSDR) technologies that prevent all unexpected system changes before they impact operations. Through CPSDR, even new ransomware variants can be preemptively mitigated. This proactive approach means we do not wait for a threat to be identified and analyzed before taking action, enabling us to stay ahead of the spread of ransomware attacks.
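The CPSDR idea above, that an OT asset changes so rarely at runtime that any unexpected change can be stopped rather than analyzed, can be illustrated with a baseline-and-deviation check. The following Python is an added example in that spirit, not TXOne product code; it assumes an endpoint agent that reports each process start as (image path, SHA-256 of the image file, parent image path), a baseline captured at commissioning, and a maintenance-window flag, all of which are constructed for the example.

```python
"""Baseline-and-deviation enforcement in the spirit of CPSDR (added example, not TXOne code).

Assumptions not taken from the report: an endpoint agent reports each process start as
(image path, SHA-256 of the image file, parent image path); a baseline of such tuples is
captured while the asset is commissioned; at runtime any start not in the baseline is
blocked unless the asset is in an approved maintenance window.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessStart:
    image: str
    sha256: str
    parent: str


@dataclass
class Decision:
    action: str   # "allow" or "block"
    reason: str
    event: ProcessStart


def normalize(ev: ProcessStart) -> ProcessStart:
    """Case-fold paths and hashes so comparisons are not fooled by letter case."""
    return ProcessStart(ev.image.lower(), ev.sha256.lower(), ev.parent.lower())


def fake_sha256(label: str) -> str:
    """Stand-in for hashing the binary on disk; constructed for the example."""
    return hashlib.sha256(label.encode()).hexdigest()


class Baseline:
    def __init__(self, starts):
        self.allowed = frozenset(normalize(s) for s in starts)
        self.by_image = {}
        for s in self.allowed:
            self.by_image.setdefault(s.image, set()).add(s)

    def evaluate(self, ev: ProcessStart, maintenance: bool = False) -> Decision:
        n = normalize(ev)
        if n in self.allowed:
            return Decision("allow", "matches baseline", ev)
        if maintenance:
            # Changes made in an approved window are allowed but must be re-baselined afterwards
            return Decision("allow", "approved maintenance window (re-baseline required)", ev)
        known = self.by_image.get(n.image)
        if known is None:
            reason = "image not present in baseline"
        elif n.sha256 not in {k.sha256 for k in known}:
            reason = "known image with unexpected hash"
        else:
            reason = "known image launched from unexpected parent"
        return Decision("block", reason, ev)

    def evaluate_all(self, events, maintenance: bool = False):
        return [self.evaluate(e, maintenance) for e in events]


HMI = r"C:\HMI\hmi_runtime.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed baseline captured at commissioning time
BASELINE = Baseline([
    ProcessStart(HMI, fake_sha256("hmi_runtime v3.2"), EXPLORER),
    ProcessStart(SVCHOST, fake_sha256("svchost"), r"C:\Windows\System32\services.exe"),
    ProcessStart(POWERSHELL, fake_sha256("powershell"), SVCHOST),  # scheduled backup script
])

# Constructed runtime observations
RUNTIME = [
    ProcessStart(HMI, fake_sha256("hmi_runtime v3.2"), EXPLORER),                     # normal operation
    ProcessStart(HMI, fake_sha256("hmi_runtime v3.3"), EXPLORER),                     # binary replaced
    ProcessStart(POWERSHELL, fake_sha256("powershell"), HMI),                         # known tool, wrong parent
    ProcessStart(r"C:\Users\Public\rclone.exe", fake_sha256("rclone"), POWERSHELL),   # never seen before
]

if __name__ == "__main__":
    for d in BASELINE.evaluate_all(RUNTIME):
        print(f"{d.action:5} {d.event.image}: {d.reason}")
```

The decision needs no signature for the blocked binaries: a replaced HMI executable, a known tool spawned from an unexpected parent, and a never-seen image are all stopped because they deviate from the commissioned state, which is what lets this approach cover variants that have not been analyzed yet. The cost is operational discipline: legitimate changes must go through the maintenance window and be re-baselined, otherwise the control degrades into alert noise.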
Conclusion
As self-reported by ransomware groups, the cumulative victims of the first half of 2024 included organizations targeted by highly active groups such as LockBit, Play, Black Basta, 8base, Medusa and Akira. Their attacks have targeted critical infrastructure (CI) industries, with some of the most impactful incidents affecting the healthcare, critical manufacturing, financial, and transportation sectors. The far-reaching impact of these attacks has even attracted the attention of Congress and the White House.
As noted in TXOne’s ICS/OT Threat Hunting Report, threat actors continue to specialize, and ransomware groups acquire access to organizational or enterprise networks through Initial Access Brokers to enhance their attack efficiency. As ransomware groups learn from each other, their attack strategies become clearer.
To decrease the possibility of detection and recovery by security personnel, ransomware groups employ diverse techniques under the Defense Evasion tactic. Despite this diversity, Disable or Modify System Firewall and Disable or Modify Tools sub-techniques remain indispensable as attack strategies.
As most ransomware attacks are financially motivated, CI sectors that can impact national security or societal wellbeing have become prime targets. This raises the stakes, pressuring victim organizations to pay out so as to avoid disrupting essential services. Moreover, due to the technological limitations commonly found in CI sectors, it’s hard to find a singular countermeasure that can effectively mitigate the various threats. To face known ransomware and unknown variants, we should not wait for a threat to be identified and analyzed before responding. Instead, we should employ a proactive approach, like CPSDR, to protect OT environments from the spread of ransomware.
References
[1] TXOne Networks, “The Crisis of Convergence: OT/ICS Cybersecurity 2023”, TXOne Networks, January 30, 2024.
[2] ransomware.live, “Tracking ransomware’s victims since April 2022”, ransomware.live, August 1, 2024.
[3] Ransomfeed, “Ransomfeed”, ransomfeed.it, 2024.
[4] Brenda Robb, “The State of Ransomware 2024”, July 1, 2024.
[5] Spin.AI., “Ransomware Tracker 2024”, Spin.AI., 2024.
[6] Cyber Management Alliance, 2024.
[7] Cybersecurity and Infrastructure Security Agency (CISA), “Newsroom – StopRansomware”, CISA, 2024.
[8] Amazon Web Services, “Volkswagen Works with AWS to Build Industrial Cloud”, Amazon, 2019.
[9] Amazon Web Services, “II-VI Accelerates Time to Market with Cadence Cloud Environment on AWS HPC”, Amazon, July 2021.
[10] Jonathan Greig, “Ransomware attack has cost UnitedHealth $872 million; total expected to surpass $1 billion”, The Record, April 16, 2024.
[11] Office of Public Affairs, “U.S. and U.K. disrupt LockBit ransomware variant”, U.S. Department of Justice, February 20, 2024.
[12] Jonathan Greig, “Pharmaceutical development company investigating cyber incident linked to LockBit”, The Record, March 20, 2024.
[13] Lawrence Abrams, “Hyundai Motor Europe hit by Black Basta ransomware attack”, BleepingComputer, February 8, 2024.