Welcome to the April 2024 ransomware update, highlighting the latest trends, threat actors, and significant developments shaping the ransomware landscape. The Black Kite Research & Intelligence Team (BRITE) tracked 346 ransomware incidents this month, reflecting the continued threat posed by well-organized cybercriminal groups.
Unlike previous months, ransomware activity was more evenly distributed, with no single group dominating the scene. Hunters led with the highest number of victims, while LockBit 3.0, Play, RansomHub, Black Basta, Medusa, and 8Base followed closely behind.
Geographically, the United States remained the primary target with 181 attacks, followed by the United Kingdom, Germany, Canada, Brazil, and Italy. The increasing number of emerging ransomware groups signals a shifting landscape, demanding continued vigilance from organizations worldwide.
Our data showcases a diverse range of ransomware groups, each with their own unique tactics, techniques, and procedures.
The top three dominating the landscape are Hunters, Play, and LockBit 3.0. Each of these groups has a distinct modus operandi and target preference, painting a picture of a highly specialized and segmented market.
It’s important to remember, however, that while these groups grab the headlines, countless other smaller, yet equally dangerous groups are operating under the radar. By understanding the tactics of these leading groups, organizations can better anticipate potential threats and adapt their defenses accordingly.
Ransomware attacks are a global epidemic, but they disproportionately affect certain regions. The United States consistently tops the chart with the highest number of ransomware victims.
Following the US, UK and Canada are next on the list this month. Wealthy countries are generally favored targets due to their lucrative digital environments. Despite their wealth, some nations see fewer tracks, due to a sense of nationalism from the cybercriminal groups. This suggests the motivations of criminals vary from group to group, with some seeking financial gain and others making political statements.
Not all industries are targeted equally by ransomware groups. Our data shows that Manufacturing, Professional, Construction, and Healthcare bear the brunt of these attacks. The high value of data and often weaker cybersecurity defenses make these sectors particularly attractive targets. However, no industry is immune, and the ever-evolving nature of ransomware means that staying ahead of the curve is vital for all sectors. By understanding which industries are most targeted, we can infer the sectors that ransomware groups perceive as the most vulnerable or lucrative, helping to direct focus and resources in the ongoing fight against this cyber menace.
Each ransomware group has a unique footprint in terms of their geographical targets. The data shows that groups like Play, LockBit 3.0, and Black Basta predominantly target specific regions.
Understanding these patterns can help nations and organizations to better anticipate and prepare for potential threats.
However, it’s critical to remember that cybercrime knows no borders, and organizations in all countries should remain vigilant against these rapidly evolving threats. The diversity in targeting underscores the global nature of the ransomware problem and the need for international cooperation in addressing it.
Each ransomware group has a unique pattern of target selection, but some industries find themselves more frequently caught in the crosshairs. Based on our data, Manufacturing, Professional, Scientific and Technical Services, and Healthcare often emerge as primary targets for ransomware attacks. For instance, one particular ransomware group, Play, shows a discernible preference for Manufacturing. It’s critical for these industries to understand and anticipate these patterns, preparing robust defenses against potential threats. Remember, forewarned is indeed forearmed.
Leveraging the data-rich platform of Black Kite, we analyze ransomware indicators to identify common vulnerabilities that ransomware groups exploit. These indicators, including IP addresses, domains, or hashes, have been associated with our list of victims this month.
By shedding light on MX and DNS Misconfiguration, at least one credential leaked in the last 90 days, and at least one possible phishing domain, we highlight the cyber vulnerabilities ransomware groups actively exploit. Recognizing these indicators and taking prompt preventive measures can significantly strengthen an organization’s defenses against ransomware attacks.
0
At least one record found in stealer logs
0
Open RDP or SMB ports publicly visible
0
Use of out-of-date services/products with possible vulnerabilities of high exploitability
0
At least one possible phishing domain
0
At least one credential leaked in the last 90 days
0
MX and DNS misconfiguration that may allow spoofing and phishing attacks
In our continuous monitoring of hundreds of thousands of companies, we’ve computed the average RSI (Ransomware Susceptibility Index values for each industry. These values paint a comprehensive picture of the industry-specific cyber risks that organizations face. In this month’s analysis, Manufacturing, Professional, Scientific, and Technical Services, and Healthcare show the highest average RSI values. The data suggests that these industries may have heightened exposure to ransomware threats and need to be especially proactive in bolstering their cybersecurity defenses.
Share the report data
