Corvus released its 2024 Q3 Cyber Threat Report, which revealed that ransomware attacks increased in Q3 of 2024, with a 0.72% increase in the number of new victims added to data leak websites compared to the last quarter. In Q3 of 2024, Corvus found 1,257 new victims added to data leak sites, which is slightly lower, by 1.64%, than in Q3 of 2023.
Corvus noted a far more distributed ransomware landscape compared to last year, when only some high-profile threat groups carried out most of the attacks. The success of law enforcement operations against ALPHV and LockBit led affiliates of both groups to join other groups or establish their own. This happened after the ransomware attack on Change Healthcare and the shutdown of the ALPHV operation.
In Q3 of 2024, Corvus identified 59 active ransomware groups, consisting mostly of small-scale groups and a few very active ones. RansomHub was the most active ransomware group in the third quarter, with about 195 successful ransomware attacks and a 160% increase in activity. RansomHub quickly rose to prominence when it recruited seasoned affiliates from other ransomware groups. In March 2024, RansomHub carried out under 20 attacks, then conducted over 45 attacks in July, and from 70 to 80 attacks from August to September. The second most active group was Play ransomware with 93 victims. The third most active group was LockBit 3.0 with 91 victims, which is 50% fewer than in Q2 of 2024. The fourth and fifth most active ransomware groups were Medusa and Akira, with 40 to 50 victims each.
The healthcare industry was the second most attacked sector, following the construction industry. It encountered 12.8% more attacks than in the last quarter, with 53 new victims compared to only 47 victims in Q2. Although many ransomware groups do not attack healthcare organizations as a policy, the Play and Medusa ransomware groups actively attack healthcare providers. This suggests that healthcare organizations should ensure proper HIPAA training, especially on security awareness.
Virtual Private Networks (VPNs) were the most frequently exploited initial access vector in Q3. 28.7% of victims made it very easy for ransomware groups to attack them by not keeping their VPN software updated and having unsecured accounts. Oftentimes, ransomware groups can quickly brute force VPNs because the accounts use default login details and weak passwords and lack multi-factor authentication (MFA). Using MFA is very important to secure systems. Corvus reports that about 75% of policyholders filing a claim for a ransomware attack either have no MFA, did not apply MFA completely, or have MFA coverage that cannot be confirmed.