Forecasting ransomware attack trends in 2024
(Baonghean.vn) - Ransomware attacks have become increasingly sophisticated and capable over the past year. Ransomware groups have adapted their tactics to effectively bypass common defense strategies.
Ransomware is malicious software that encrypts user data and demands a ransom. A user's or organization's important data is encrypted so that they cannot access files, databases, or applications. Hackers then demand a ransom in exchange for restoring the user's access.

Ransomware is often designed to spread across networks and target databases and servers, which can quickly cripple an entire organization. The threat posed by ransomware is growing, causing significant damage and costs to businesses and government organizations.
A third-quarter 2023 ransomware report by Cyble, a company that collects and analyzes information on current and potential US cyberattacks, shows that more and more security vulnerabilities have been exploited by hackers to spread ransomware and other malware in recent months.
Here are some ransomware attack trends predicted for the near future, as announced by Cyble Research & Intelligence Labs (CRIL), Cyble's cybersecurity research center:
1. Healthcare is in the crosshairs of ransomware
While the first half of the year saw an increase in ransomware attacks on the manufacturing sector, recent trends show a shift in focus towards healthcare. This has pushed healthcare into the top five sectors targeted by ransomware groups, accounting for nearly a quarter of all ransomware attacks.
These attacks are specifically motivated by the desire to collect Protected Health Information (PHI) and other sensitive data that healthcare providers and organizations have access to. Once this data is collected, the hackers sell it on the dark web.
According to Cyble’s Ransomware Report, the healthcare sector is particularly vulnerable to ransomware attacks because it has an extremely large attack surface spanning multiple websites, portals, billions of healthcare internet of things (IoT) devices, and a large network of partners and suppliers in the supply chain. Therefore, a standardized cybersecurity plan for the sector is imperative to secure this critical data and ensure the smooth operation of critical healthcare functions.
Along with healthcare, the most targeted sectors in Q3 2023 according to Cyble's report are professional services, information technology, and construction.
2. High-income organizations are the focus of ransomware
Ransomware operators often target high-income organizations that manage sensitive data sources. This not only helps to raise the ransomware operator’s reputation as a serious threat, but also ensures a higher chance of collecting a ransom.
High-income organizations have the financial means to pay the large ransoms demanded by hackers, and they are also more vulnerable to having their image tarnished by cyber attacks.
3. The US is the country most targeted by ransomware
Cyble’s report found that the United States is the country most targeted by ransomware operators, facing more ransomware attacks in Q3 2023 alone than the next 10 countries combined.
Cyble experts attribute this to the special position of the US as a highly digitalized country with a huge level of global engagement and reach. Due to geopolitical factors, the US is also a prime target for hacktivist groups that use ransomware to pursue their goals, motivated by perceived social injustice or by opposition to domestic and foreign policies.
The countries with the highest number of ransomware attacks after the US in Q3 2023 are the UK, Italy and Germany.
4. LockBit ransomware is still a potential threat
Although LockBit started as a single ransomware family, it has since evolved several times, with the latest version being called “LockBit 3.0”. LockBit now comprises a family of ransomware programs operated under the ransomware-as-a-service (RaaS) model.
RaaS is a business model in which users pay for access to a particular type of ransomware so they can use it for their own attacks. The user thereby becomes an affiliate, and the payment can take the form of a flat fee or a subscription-based service. In short, by using the RaaS model the creators of LockBit have found a way to make additional profit from its use, and may even receive a ransom paid by the victim.
While the total number of LockBit ransomware attacks was slightly lower than in the previous quarter, down 5%, LockBit still targeted the highest number of victims, with 240 confirmed victims in Q3 2023.
Q3 2023 saw an increase in attacks from newer ransomware groups such as Cactus, INC Ransom, Metaencryptor, ThreeAM, Knight Ransomware, Cyclop Group, and MedusaLocker, suggesting that while these groups do not have the same profile and global presence as larger groups like LockBit, they are still potential threats.
5. Growing adoption of Rust and GoLang programming languages in newer ransomware variants
Ransomware groups are constantly trying to make their operations more difficult or even impossible to detect or analyze. This makes it difficult for victims, cybersecurity experts, and governments to analyze and study ransomware, its infection methods, and its operations in order to come up with corresponding solutions.
Recent patterns observed by Cyble show the growing popularity of the two programming languages Rust and GoLang among well-known ransomware groups such as Hive, Agenda, Luna, and RansomExx.
Hackers use Rust and GoLang because these languages make it more difficult to analyze the ransomware's activity on the victim system, and make it easier to customize the ransomware to target multiple operating systems while increasing the infection rate.
How have organizations responded to the rise in ransomware attacks?
The recent rise in ransomware attacks has caught the attention of governments and regulatory bodies around the world, which have introduced measures to help reduce the impact and incidence of ransomware attacks. Companies have also taken matters into their own hands by implementing measures to prevent the risk and mitigate the impact of ransomware attacks.
1. Focus on employee training
An organization’s workforce is often the first line of defense against any attack, and ransomware is no exception. Accordingly, companies have stepped up cybersecurity awareness and training programs, implemented mandatory cybersecurity training sessions, and promoted a culture of cyber awareness. Typical examples include training on how to identify phishing attempts and handle suspicious attachments.
2. Incident response planning
Despite prevention efforts, ransomware attacks can still occur due to a variety of factors. Organizations have taken this into account and have increased their focus on developing comprehensive response capabilities to such incidents. This includes establishing communication channels to promptly notify authorities, enhancing internal security, evaluating the response of the information security team, and isolating any affected systems/products.
3. Advanced backup and restore
Ransomware attacks have two main goals: to gain access to sensitive data and to encrypt that data so that it cannot be used by the targeted organization. To address this risk, organizations have begun to focus more on backing up sensitive data and creating comprehensive recovery processes for data in the event of a cyberattack.
4. Implement zero-trust security and multi-factor authentication
Ransomware groups have previously exploited the human element to trigger or enhance ransomware attacks, through threat actors, phishing attacks, and so on. In response, companies have implemented zero-trust security models and multi-factor authentication across all critical platforms and data, requiring multiple levels of verified authentication before access to sensitive data is granted.
5. Share information and cooperate with law enforcement
Industry organizations have created intelligence and analysis hubs to pool their resources and information and combat future ransomware attempts. They are also working closely with law enforcement and regulatory agencies to report ransomware attempts and help diagnose security gaps.
6. Increase adoption/use of threat intelligence platforms
By applying new technologies such as artificial intelligence (AI) and machine learning to threat intelligence platforms, organizations can leverage expertise, anomaly detection, and behavioral analytics to gather real-time threat intelligence that can help mitigate ransomware attacks.
7. Focus on vulnerability management
In recent years, many security vulnerabilities have been discovered. Notable examples are a vulnerability in the MOVEit Transfer file transfer solution that could allow attackers to steal customer database information, and a vulnerability in PaperCut, a popular print management software with about 100 million users from more than 70,000 companies worldwide. In response, organizations have implemented security protocols and vulnerability management to ensure that all critical software is updated and patched regularly.
8. Supply chain assurance and supplier risk management
When ransomware criminals are unable to breach an organization directly, it is common for them to target that organization’s supply chain through suppliers, partners, and third parties. As such, organizations have implemented vendor risk assessments to ensure that their entire supply chain is secure and consistently protected against potential ransomware attacks.