In the first quarter of 2024, there was a slight decrease in ransomware activity. This can be attributed to the successful efforts of law enforcement in cracking down on major ransomware groups.
However, activity is still up year over year, with more attacks reported than in the same period of 2023. LockBit, specifically, continues to pose a significant threat despite the capture of key individuals.
According to recent findings by Symantec, ransomware actors took credit on their leak sites for a total of 962 attacks during the first quarter of 2024.

Although the number of attacks has decreased compared to the fourth quarter of 2023, it is still higher than the number of attacks in the first quarter of 2023.
The temporary decrease in activity can be attributed to the challenges experienced by LockBit and other groups like Noberus.
Despite the international law enforcement operation in February 2024, LockBit's operations have shown remarkable resilience, continuing without interruption.
In the first quarter of 2024, LockBit emerged as the leading ransomware threat, responsible for more than 20% of all reported attacks.
Other groups followed, including Play, which recently started a ransomware-as-a-service (RaaS) operation (7%), Phobos affiliate 8Base (6%), and the up-and-coming Qilin ransomware (6%).

LockBit was found to be responsible for the majority of ransomware attacks investigated by Symantec in Q1 2024.
It is worth noting that Akira and Blacksuit, while not as widely known for their public attacks, played a significant role in the attacks that Symantec investigated.
The gap between these groups' public profile and their share of investigated attacks indicates that they are more likely to advance an attack to the stage of deploying the payload.
LockBit often takes advantage of vulnerabilities in public-facing applications. As an example, Symantec recently discovered a campaign that focused on web servers by exploiting a PHP vulnerability (CVE-2024-4577).
This vulnerability affects all versions of PHP on Windows and the XAMPP development environment.
In addition, LockBit affiliates have been observed using Bring-Your-Own-Vulnerable-Driver (BYOVD) tactics to disable security solutions.
Vulnerable drivers, such as the Avira anti-rootkit driver that was exploited by LockBit, can be used for privilege escalation and to bypass security solutions.
The newest addition to this category, Warp AV Killer, perfectly demonstrates LockBit's ongoing advancements in its techniques.
Despite the considerable challenges faced in early 2024, LockBit's operations have demonstrated impressive longevity.