Key ransomware threats in 2024

In June, we wrote about Akira – a ransomware group using double extortion techniques to coerce victims after stealing and encrypting their sensitive data. In Q1 2024, Akira accounted for 27% of ransomware attacks (according to insights from Knoll); but it’s not the only ransomware group causing damage this year. 

As we hit the midpoint of 2024, we look at the key ransomware threats that organisations and cybersecurity professionals need to be aware of. 

LockBit remains active

In Q1, LockBit accounted for 15% of ransomware cases. Research from BlackFog notes that LockBit doesn’t have a preference for specific industries, and doesn’t always opt for big hunt targets – and a continuous evolution of tactics makes the group hard to pin down. 

LockBit’s infrastructure was seized by international law enforcement in February this year, with related arrests made. But less than a week after this, the threat group relaunched – and continues to conduct effective cyber attacks. May was a prolific month for LockBit, and its targets are diverse – ranging from oil and gas providers in India to property developers in the US, and many countries and industries in between. 

The group is known for its ability to rapidly regroup and recover after law enforcement disruption. In early June, the FBI reported that it has more than 7,000 LockBit decryption keys in its possession – enabling victims to recover their encrypted data. But although LockBit’s impact has taken a hit this year, it’s still very much active; and its leaders are adept at pivoting strategy and launching new attacks.

8Base is damaging victims with a name-and-shame strategy

On its leak site, 8Base ransomware claims to target organisations that “have neglected the privacy and importance of the data of their employees and customers.” It names and shames its victims, causing significant damage to their reputations along with demanding financial remuneration. 

The group positions itself as ‘simple penetration testers’ teaching businesses a lesson by exposing their vulnerabilities, but it profits from victims that are often small and medium sized enterprises. 8Base activity was first detected in March 2022, and it’s particularly active in the manufacturing industry – with the technology industry coming in at a close second. 

Claiming to be penetration testers is a move that sparks frustration among the genuine cybersecurity community – because it’s evident that the ransomware group’s attacks are not a public service, and absolutely have the purpose of extorting and profiting from victims. 

Phobos has been named as ‘formidable’ 

TrendMicro used the word ‘formidable’ to describe Phobos – a ransomware group that peaked in March with 240 detections. Named after the Greek god of fear, Phobos was first detected in 2018. It exploits incorrectly configured Remote Desktop Protocols (RDPs), and also conducts phishing campaigns to steal account information or deceive victims so they open malicious attachments. 

Phobos often operates through ransomware as a service (RaaS) tools to enable inexperienced hackers to launch attacks. You don’t need a high level skill level to launch an effective attack using Phobos, and once installed it begins a continuous scan that locates files and network shares, and monitors for new files that can be encrypted. 

This list is not exhaustive – and ransomware trends are evolving all the time 

Other ransomware threats gaining traction this year include StopCrypt, TargetCompany, and more. Join us in Riyadh this November for Black Hat MEA 2024 to gain insider insights into the latest ransomware threats – and learn how to protect your organisation. 

If you want to immerse yourself in the future of cybersecurity, join us in Riyadh for Black Hat MEA 2024.