The ransomware shake-up of 2024, fueled by law enforcement crackdowns on giants like LockBit, has shifted the focus to critical operations, with major attacks this year hitting targets such as Halliburton, TfL, and an Arkansas water plant.

A Dragos study for the third quarter of 2024 highlighted a surge in activity from new groups such as RansomHub, Play, and Fog, all exploiting VPN flaws and stolen credentials to gain footholds in critical systems and then moving within them using living-off-the-land (LOTL) techniques.

“The shift from traditional financial extortion to operational sabotage, particularly by hacktivist personas, compounds ransomware risks,” said Dragos in a report. “This convergence of motivations further blurs the line between cybercrime and cyberwarfare, requiring enhanced defenses for ICS and OT environments.”

Geopolitical tensions during the period added a further twist, with hacktivists using attacks to target industrial operations, the report added.

The report pointed out a surge in new ransomware groups targeting industrial organizations, using a mix of techniques to exploit weak remote-access and virtual network applications. Newcomers such as Fog, Helldown, Eldorado, Play, and RansomHub were among the top abusers of VPN vulnerabilities.

While Fog took advantage of unpatched systems affected by the infamous SonicWall bug, Eldorado and Play zeroed in on vulnerable VMware ESXi environments. Meanwhile, Helldown exploited the Zyxel VPN flaw to break into corporate networks and lock up sensitive data.

Conventionally used only for occasional initial access, VPN flaws have become integral to mainstream ransomware attacks, the report noted.

“VPN exploitation was (from 2021-2023) predominantly associated with opportunistic attacks, with actors focusing on unpatched vulnerabilities in devices like Pulse Secure and Fortinet,” Dragos said. “(Now) Ransomware operators have advanced their tactics by combining (these) vulnerability exploitation with credential-based attacks to bypass multi-factor authentication (MFA) protections.”

Other key ransomware entrants observed during the period include KillSec and APT73 (a presumed LockBit offshoot).
The new regime disrupted critical industries
Ransomware attacks kept causing major disruptions for industrial organizations, resulting in halted operations, financial losses, and compromised data, Dragos highlighted.

A breakdown of incidents in the Industrial Control Systems (ICS) sector showed that manufacturing, with Schneider Electric among its highest-profile victims, took the brunt of the damage: 394 incidents, making up 71% of all ransomware attacks. The most affected manufacturing subsectors were construction (30%), food and beverage (11%), and electronics (7%). ICS equipment, transportation, and communications were distant followers at 10% (56 incidents), 7% (38), and 5% (17) respectively.
RansomHub, Play, and DragonForce ruled the new deck
According to Dragos, RansomHub led the quarter with 90 incidents, making up 16% of all ransomware attacks, fueled by a strong RaaS model that attracted former LockBit affiliates such as Velvet Tempest, known for its use of malvertising and VPN exploits. Since May 2024, the group has been tied to 168 incidents, mostly in North America and Europe, with a focus on industrial targets. A notable attack on Halliburton disrupted key operations, including invoice processing.

LockBit 3.0 accounted for 78 incidents, 14% of the total for Q3 2024. However, Dragos found that two-thirds of its new victim announcements since February were likely fake, a move to inflate apparent activity after the Operation Cronos disruptions. Play was behind 52 incidents (9%), mainly targeting critical infrastructure, while DragonForce had 35 incidents (6%) and Qilin 23 (4%).
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3627361/a-new-ransomware-regime-is-now-targeting-critical-systems-with-weaker-networks.html