Ransomware and extortion-related data breaches continued to be one of the most dominant threats across all industries and geographies in 2024. The professionalization of ransomware — where organized ransomware-as-a-service (RaaS) groups provide a full-service offering of support, malware and infrastructure to affiliates who undertake the attacks — continued to drive the scale of ransomware. These programs offer their services in exchange for as little as 10% of the total ransom achieved, providing a strong incentive to modestly skilled cyber actors to undertake attacks. Ransomware affiliates also benefit from rich markets of stolen access credentials with which to choose targets that may pay a ransom either for decryption keys or to prevent data from being published on a data leak site.
These credentials are obtained by initial access brokers (IABs) through malware campaigns and phishing attacks, another profitable sector fueling not just ransomware but also fraud and data theft. While law enforcement actions in 2024 diminished the standing of the LockBit ransomware group, which had been the dominant one for two years, other groups such as RansomHub rose to take advantage of new market opportunities. The number of ransomware variants increased, indicating an influx of smaller-scale operations eager to take part in a lucrative cybercrime sector. This is also an indication that some actors may be less interested in joining prominent operations that tend to attract attention from law enforcement and threat researchers.
While ransomware remains highly profitable, there is anecdotal data that organizations are improving their cyber resilience by investing in risk controls that lessen the impacts of an incident and allow them to avoid paying a ransom. Companies that offer cyber insurance are also taking active approaches to helping policyholders by regularly scanning their clients’ digital footprint for vulnerabilities and other weaknesses. But despite some improvements, attackers maintain an asymmetric advantage over their targets. This blog will examine notable ransomware events in 2024 and how this landscape is shifting, with the appearance of new ransomware variants and four ransomware/data extortion groups — Kill Security aka KillSec, Nitrogen, Sarcoma and Funksec — that may pose a threat to organizations.
By the numbers
We reported 4,205 ransomware and extortion-related breach events in 2024 compared to 4,429 in 2023. The LockBit group stood out as the most prevalent, impacting 407 victims, followed by RansomHub, a RaaS affiliate program, which impacted 395 victims. The next most impactful ransomware variants in descending order were Play, Akira and Hunters International. The U.S. was the most-impacted country at 51.69% of ransomware events, followed by Canada at 5.8% and the U.K. at 4.92%. North America was the most-targeted region with the most victims on a monthly basis, followed by Europe, continuing the trend observed in the previous year. The top three sectors most impacted by these events in descending order were consumer and industrial products, professional services and consulting, and manufacturing.
LockBit’s fall
In early 2024, the LockBit RaaS affiliate program was disrupted by Operation Cronos, which led to the takeover of the group’s victim-shaming and data leak blog. The operation was not simply a one-off, however: authorities continued to investigate, infiltrate and embarrass the group throughout the year. This occurred in tandem with a series of indictments and arrests of key LockBit affiliates, including an unsealed indictment against the Russian national Дмитрий Юрьевич Хорошев (Eng. Dmitry Yuryevich Khoroshev), an alleged leader of the program. Authorities in Poland, France, the U.K. and Spain arrested six people allegedly associated with the gang. Additionally, the U.K. sanctioned 16 individuals involved in the Evil Corp hacking group’s criminal activities, which had links to LockBit, while the U.S. sanctioned six individuals and Australia targeted two.
Despite the ongoing operation, LockBit relaunched its blog and became the most impactful collective in 2024 with 407 breaches. This was a significant drop compared to the 940 alleged victims during 2023. However, the legitimacy of the post-disruption victim claims remains questionable, with the U.K. National Crime Agency (NCA) stating that up to two-thirds of the high-profile victims were fabricated and the remaining third could not be verified as victims. This significant downturn was almost certainly driven by reputational damages and the loss of capable affiliates. The group claimed only four victims in the fourth quarter of 2024, suggesting it likely is approaching its demise.
Operation Cronos proved broader in scope than initially suggested, and the highly public manner in which it was conducted further amplified its impact. The slow drip of information was further evidence of this method and likely cultivated additional anxiety among LockBit affiliates, who possibly lost faith in the RaaS. The episodic nature of Operation Cronos likely contributed to its success, as it prolonged the time the disruption was covered by the media. Given the massive reputational damage, additional arrests and further disruption to associated enablers, it is highly likely that LockBit will cease activity altogether in the coming months. However, we cannot rule out the possibility of a rebrand in the future, whose success would be uncertain.
Rise of RansomHub
The RansomHub RaaS affiliate program has been among the most active groups since its emergence in early February 2024 with 409 breaches in 2024. The program’s spike in activity in the first half of 2024 may be explained largely by its favorable terms, including a 90% share of ransoms for affiliates, advanced techniques and success in recruiting experienced affiliates, such as the actors n3on and notchy. The actor notchy is a former ALPHV RaaS affiliate who was responsible for the attack against the U.S.-based health care technology company Change Healthcare Inc. Moreover, the collective allegedly attracted members of the Scattered Spider intrusion cluster to its affiliate base in June 2024, which likely allowed RansomHub to use the group’s experience and tool set to further enhance its capabilities and maintain a consistently high breach count throughout the year. New additions to the group and the increased law enforcement scrutiny surrounding LockBit and the demise of ALPHV only bolstered the group's position as the leader of the ransomware market.
The RansomHub group claimed victims across a multitude of industries and demonstrated a clear preference for entities in Europe and the U.S. while also forbidding affiliates from targeting users in China, Cuba, North Korea, Romania and Commonwealth of Independent States (CIS) countries. Most of RansomHub’s victims were low-profile entities with low or undisclosed revenues, which suggests the group prioritizes targets that may be easier to attack but likely will pay a minimal ransom. However, RansomHub also claimed to compromise at least 29 organizations with revenues of more than US $500 million in 2024, which suggests the group includes experienced ransomware operators capable of conducting attacks against high-profile targets who are likely more willing to pay higher ransoms to avoid operational disruptions and sensitive data leaks. Additionally, the group allegedly attacked at least 47 entities in the life sciences and health care sector, becoming the most impactful group targeting the sector in 2024.
New ransomware variants
One sign of the shifting dynamics of ransomware is the number of variants in circulation. This figure is interesting because it shows how threat actors are trying to diversify. While some of these variants may not be technically impressive, it perhaps indicates a desire to stay away from high-profile RaaS programs that may be under scrutiny. In 2024, we identified 101 ransomware variants, an increase of 31 variants compared to 2023. The section below the graphic discusses four groups/variants that may pose a threat in 2025.
Kill Security
The Kill Security aka KillSec ransomware group was among the top five most-impactful groups in the second half of 2024 with 94 breaches. Although the group allegedly emerged in 2023, it launched its data leak blog in mid-March 2024 and had claimed 101 victims at the time of this report, with about 50% of entities located in Asia. The group's ransom demands ranged from several thousand dollars to much larger amounts, with clusters at 10,000 euros (about US $10,829) or from US $5,000 to US $25,000. The perpetrators primarily sought ransom in euros, which is not a common practice among ransomware operators. Group members are not allowed to attack entities from CIS countries or critical infrastructure, including health care facilities and pipelines, unless an administrator grants permission; however, affiliates could attack government entities.
Nitrogen
The Nitrogen ransomware and data extortion group emerged in late September 2024. The group likely is led by Russian-speaking threat actors with extensive backgrounds in ransomware operations and uses Nitrogen ransomware, which reportedly shares similarities with the LukaLocker ransomware previously attributed to members of the Volcano Demon ransomware group that has been active since at least mid-2024. Cybersecurity researchers also linked Nitrogen group members “to various ransomware attacks, including those involving the BlackCat/ALPHV ransomware” and they likely used malicious advertising (malvertising) or compromised software downloads to penetrate at least one network.
Sarcoma
The actor SARCOMA aka Sarcoma initially joined RAMP, a forum specializing in ransomware and initial access brokering, in March 2024 and demonstrated limited activity. In early October 2024, we discovered a new Tor-based victim shaming and data leak blog operated by the Sarcoma data extortion group, and it was one of the most active groups in the last quarter of 2024. The blog listed more than 50 victim organizations from multiple industries. Group members described themselves as security experts, appeared to target companies opportunistically and welcomed IABs and “aggrieved employees” to join the collective.
Funksec
This RaaS group arrived with a significant amount of fanfare and breaches. On Jan. 9, 2025, the actor el_farado at the BreachForums cybercrime forum announced the launch of a new cybercrime forum dubbed Funkforum. The forum focuses on ransomware, general malware and hacking content and also acts as the group’s data leak site. The group told one interviewer that it uses artificial intelligence for some of its development work, a claim that Check Point Research concluded was likely accurate. The Funksec threat actors appear to have both financial and political motivations, targeting U.S. resources that support Israel. As of Jan. 21, 2025, Intel 471 has issued 88 Breach Alerts related to breaches claimed by Funksec. Check Point Research also found that some data sets leaked by the group had already been leaked in other hacktivist campaigns.
Summary
The popularity of ransomware and associated affiliate programs has allowed it to maintain its rank as one of the top threats last year. However, we observed a slight decline in ransomware attacks in 2024 compared to 2023. The decline is unlikely to be indicative of a longer-term trend. The fall was likely due to uncertainty in the ransomware landscape left by the law enforcement disruption against LockBit. The vacant spot was quickly occupied by RansomHub, which consistently claimed victims throughout the year, successfully attracted high-profile threat actors and became the most active ransomware group by the end of 2024.
We observed a slight increase in ransomware variants in 2024 compared to the previous year. This may be an indication of a more threatening trend where new or rebranded ransomware strains consistently flood the underground, making the ransomware market more versatile and thus providing threat actors with more diversity to their malicious operations. Despite successful law enforcement operations conducted against high-profile ransomware programs in the past few years, the number of new ransomware groups continues to rise, and we likely will observe them employing robust operational security (OPSEC) measures to increase resilience as well as using more sophisticated tactics, techniques and procedures (TTPs) in an attempt to keep up with the sustained success of well-established RaaS programs.
How can organizations defend themselves? Information security is difficult in the sense that attackers need only find one fault that allows them access. There are a variety of types of threat intelligence that can help give organizations prior warning that they may be at risk of an impending ransomware or data extortion attack:
Understanding the attack surface: Ransomware groups and affiliates often buy or gain access to organizations through low-hanging fruit: open remote desktop protocol (RDP) ports and software vulnerabilities in network-edge devices and appliances such as gateways and virtual private networks (VPNs). Intel 471’s Attack Surface Protection can help organizations discover what software assets and systems are exposed and help in reducing risk.
Patching priorities: This is one of the most difficult tasks for organizations due to the diversity of software systems, time and resource constraints as well as challenges in assessing which systems need attention before they’re exploited. There’s often a time gap between when a vulnerability becomes public and an exploit is developed. If threat actors in the underground show an interest in buying proof-of-concept (PoC) code for a flaw, that can be a strong indication that future attacks may occur. Intel 471’s Vulnerability Intelligence focuses on this flow by analyzing what vulnerabilities threat actors are interested in. This gives organizations a better idea where to allocate mitigation and patching resources.
Stolen credentials: One of the primary ways organizations become compromised is through the theft and replay of login credentials. This can be mitigated somewhat by multifactor authentication (MFA). However, information-stealing malware aka infostealers can also collect session cookies, which can bypass MFA. Login credentials are sold in bulk on underground marketplaces. Intel 471 monitors these marketplaces with our Credential Intelligence module, allowing organizations to get advance warning if access or login credentials have been exposed or are up for sale. This gives security teams a chance to reset accounts before the credentials are used by threat actors.
Threat hunting: If an organization is breached, there is usually a “dwell time” between when access is gained and when attackers probe deeper into systems. This is an opportunity for threat hunting, which is the process of looking for behaviors and artifacts that could indicate a compromise. HUNTER471, our threat hunting platform, contains pre-written queries developed by our analysts. These hunt packages are verified by our experts to identify advanced behaviors, threats and TTPs that have bypassed reactive detection methods. Hunters can deploy these hunt packages within minutes on most major endpoint detection and response (EDR), network detection and response (NDR) and security information and event management (SIEM) platforms. By threat hunting, organizations can potentially detect a compromise and begin rolling incident response before attackers launch a full-blown ransomware attack.
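As an added example (not Intel 471 code and not tied to any of its products), the following Python script runs the kind of hunt the "Stolen credentials" and "Threat hunting" items describe over a constructed exposed-credential feed and constructed authentication log lines: it flags exposed accounts that still need a reset, post-exposure logins from source IPs the account never used before, and a session ID reused from two different IPs, the trace that stolen-cookie abuse leaves even when MFA is in place. All usernames, IPs, dates and session IDs are made up.

```python
from collections import defaultdict

# Constructed exposure feed: username -> date the credential or cookie was seen for sale.
EXPOSED = {"jdoe": "2024-11-02", "mlee": "2024-11-05"}
RESET_DONE = {"mlee"}  # constructed: accounts already rotated since exposure

# Constructed auth log: timestamp|user|source_ip|protocol|result|session_id
AUTH_LOG = """\
2024-11-01T08:10:00|jdoe|203.0.113.10|RDP|success|sess-A1
2024-11-03T02:41:00|jdoe|198.51.100.77|RDP|success|sess-B2
2024-11-03T09:05:00|mlee|10.0.0.21|WEB|success|sess-C3
2024-11-06T22:15:00|mlee|198.51.100.90|WEB|success|sess-C3
2024-11-06T22:16:00|asmith|10.0.0.30|WEB|success|sess-D4
"""

def parse(log):
    """Split each pipe-separated line into an event dict."""
    keys = ("ts", "user", "ip", "proto", "result", "sess")
    return [dict(zip(keys, line.split("|"))) for line in log.strip().splitlines()]

def hunt(events, exposed, reset_done):
    """Return (finding_type, subject, detail) tuples for the three checks below."""
    findings = []
    # 1. Exposed accounts not yet rotated: the advance-warning case.
    for user in exposed:
        if user not in reset_done:
            findings.append(("reset_needed", user, exposed[user]))
    # 2. Post-exposure success from an IP the account never used before: possible replay.
    baseline = defaultdict(set)
    for e in events:
        if e["user"] in exposed and e["ts"][:10] < exposed[e["user"]]:
            baseline[e["user"]].add(e["ip"])
    for e in events:
        u = e["user"]
        if (u in exposed and e["result"] == "success"
                and e["ts"][:10] >= exposed[u] and e["ip"] not in baseline[u]):
            findings.append(("possible_replay", u, e["ip"]))
    # 3. One session id seen from several source IPs: stolen-cookie reuse (bypasses login MFA).
    sess_ips = defaultdict(set)
    for e in events:
        sess_ips[e["sess"]].add(e["ip"])
    for sess, ips in sorted(sess_ips.items()):
        if len(ips) > 1:
            findings.append(("session_reuse", sess, sorted(ips)))
    return findings

if __name__ == "__main__":
    for f in hunt(parse(AUTH_LOG), EXPOSED, RESET_DONE):
        print(f)
```

Note that mlee's account was reset but the session reuse is still flagged: rotating a password does not invalidate a session cookie an infostealer already captured, so existing sessions must be revoked as well.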