
RansomHub overtakes LockBit as the most prolific ransomware group

RansomHub is now the number one ransomware operation in terms of claimed successful attacks, according to new data from Symantec.

The security vendor's latest threat intelligence report for Q3 2024, Ransomware: The threat level remains high in the third quarter, is based on analysis of ransomware leak sites.

Overall, threat actors claimed 1,255 attacks during the quarter, down slightly from 1,325 in the second quarter. However, Symantec warned that the macro trend is that attacks are increasing.

RansomHub only went live in February of this year, but claimed the top spot in the third quarter with 191 victims posted on leak sites, up 155% from the second quarter.

“The group’s rapid rise can be explained by its success in recruiting experienced affiliates for its ransomware-as-a-service operation, reportedly offering more attractive terms than rival outfits,” Symantec said.


RansomHub’s rise appears to have come at the expense of LockBit, which in the second quarter boasted three times more claimed attacks than its nearest rival, Qilin. According to Symantec, that number fell 88% quarter-over-quarter to 188 victims posted on its leak site in the third quarter.

“LockBit was the target of an international law enforcement operation in February 2024, which affected its level of activity in the first quarter of this year,” the report continued.

“In the second quarter, it appeared to be fully recovered, but the operation may have caused a loss of confidence among LockBit affiliates, especially as authorities indicated that they had collected information that could identify affiliates.”

Qilin’s fortunes are also on the up, with its victim count rising 44% to 140 in the third quarter.

Symantec noted the disparity between publicly claimed attacks and ransomware activity investigated by its own threat researchers. For example, LockBit accounted for just 7% of attacks investigated by Symantec in the third quarter, but claimed a 15% share, while for RansomHub the figures were 33% and 15%.

In RansomHub’s case, the disparity could be explained by the fact that not all victims end up on ransomware leak sites, for example if they pay their extortionists quickly.

The most popular ransomware tools

Symantec revealed the four most commonly observed tools and techniques used by ransomware actors in the third quarter:

  • Living off the land: Native Windows utilities that allow lateral movement, command execution, and other actions without triggering any alarms.
  • Bring Your Own Vulnerable Driver (BYOVD): Attackers deploy a legitimately signed but vulnerable driver, which is granted kernel access and can therefore be used to kill processes belonging to security software. These drivers are usually deployed alongside a malicious executable that issues the commands.
  • Remote Desktop/Admin: RDP, AnyDesk, Splashtop, ScreenConnect, and other legitimate remote administration tools are abused to provide access to victims’ machines.
  • Data Exfiltration: Stealing data before encryption (double extortion) now accounts for the majority of ransomware attacks. Rclone is the most popular exfiltration tool, although remote administration software also has these capabilities.
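The four categories above map naturally onto endpoint telemetry. As an added illustration (not code from Symantec or the report), the following triages constructed Sysmon-style process-create and driver-load events into those categories; the event layout, the tool name heuristics and the placeholder driver-hash blocklist are assumptions for the example.

```python
import ntpath

# Constructed Sysmon-style events (ID 1 = process create, ID 6 = driver load);
# sample data for this example, not from the Symantec report or any real incident.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\wmic.exe",
     "cmdline": "wmic /node:FILESRV01 process call create cmd.exe"},
    {"id": 1, "image": r"C:\Users\alice\Downloads\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Finance remote:bucket --transfers 32"},
    {"id": 1, "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"},
    {"id": 6, "image": r"C:\Windows\Temp\drv.sys",
     "hash": "SHA256=PLACEHOLDER_VULNERABLE_DRIVER_HASH", "signed": True},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Placeholder blocklist (assumption); in practice populate it from a maintained
# list of known-vulnerable signed drivers such as the LOLDrivers project.
VULN_DRIVER_HASHES = {"SHA256=PLACEHOLDER_VULNERABLE_DRIVER_HASH"}
# Native utilities plus the command-line fragment that suggests lateral movement
# or download activity rather than routine administration.
LOTL_PATTERNS = {"wmic.exe": "/node:", "psexec.exe": "",
                 "bitsadmin.exe": "/transfer", "certutil.exe": "-urlcache"}
REMOTE_ADMIN = ("anydesk", "splashtop", "screenconnect")

def classify(ev):
    """Map one event to a report category, or None if it looks benign."""
    name = ntpath.basename(ev["image"]).lower()
    if ev["id"] == 6:
        # BYOVD: a signed driver loaded from outside System32\drivers, or one
        # whose hash is on the vulnerable-driver blocklist.
        in_std_path = ev["image"].lower().startswith(r"c:\windows\system32\drivers")
        if ev["hash"] in VULN_DRIVER_HASHES or (ev.get("signed") and not in_std_path):
            return "byovd"
        return None
    cmd = ev.get("cmdline", "").lower()
    if name == "rclone.exe" or "rclone" in cmd:
        return "exfiltration"
    if any(tool in name for tool in REMOTE_ADMIN):
        return "remote_admin"
    if name in LOTL_PATTERNS and LOTL_PATTERNS[name] in cmd:
        return "lotl"
    return None

def triage(events):
    """Group suspicious events by category so an analyst can see the chain."""
    findings = {}
    for ev in events:
        cat = classify(ev)
        if cat:
            findings.setdefault(cat, []).append(ev["image"])
    return findings
```

Each heuristic on its own is noisy (remote administration tools are often legitimately installed), so the value is in seeing several categories fire on the same host within a short window.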

Image credit: Sue Thatcher / Shutterstock.com