Dive Brief:
- Ransomware activity jumped in the second quarter as threat groups listed 1,237 organizations on data leak sites during the period, marking a 20% increase from Q1, Reliaquest said in a Tuesday report.
- May was an especially active month due to a spike in posts from the ransomware group LockBit, which accounted for 36% of the month’s alleged victims, the report found. Yet, an abnormally slow June dragged the total count of alleged ransomware victims down 13% year over year, according to Reliaquest.
- U.S.-based businesses bore the brunt of ransomware attacks during Q2, composing more than half of all claimed ransomware victims listed on data leak sites during the period. Sectors targeted most heavily by cybercriminals during the quarter included manufacturing and professional, scientific and technical services, the report found.
Dive Insight:
The May surge in claimed attacks followed by a June slowdown is attributed to LockBit’s attempt to recover from an international law enforcement takedown of the group’s infrastructure.
“Announcing 179 affected organizations in May alone, the group likely tried to regain notoriety and disprove law enforcement’s statements regarding the group’s takedown,” Reliaquest’s Threat Research Team said in the report.
The most active ransomware groups during Q2 typically gained initial access to victim networks by exploiting unpatched VPNs or remote desktop protocol tools, or through social engineering campaigns, according to Reliaquest.
Marketplace listings in cybercriminal forums featuring data harvested by infostealers also jumped 30%, according to Reliaquest.
A wave of attacks targeting more than 100 Snowflake customer environments during Q2 underscored the increased use of legitimate credentials for initial access.
“Credentials obtained by infostealer malware, which covertly infiltrates systems and collects sensitive information, serve as an initial point of entry and can affect software ranging from authentication applications to cloud data services like Snowflake,” Reliaquest said in the report. “We predict that, as the use of infostealers continues to grow, so will the use of exposed credentials in ransomware attacks.”
Reliaquest expects ransomware activity to rise steadily in the short term, despite disruptions to the ransomware-as-a-service ecosystem, and return to peak levels by the end of 2024.